BR-51
EN 16931-1 layer: en16931
Checked against Peppol BIS Billing 3.0 2026.5
What does BR-51 mean? In accordance with card payments security standards an invoice should never include a full card primary account number (BT-87). At the moment PCI Security Standards Council has defined that the first 6 digits and last 4 digits are the maximum number of digits to be shown.
Why did my invoice fail BR-51?
For card payments the invoice must never contain the full card primary account number (BT-87); per PCI DSS at most the first 6 and last 4 digits may be shown, so the PAN must be masked. This prevents leaking sensitive cardholder data through the invoice document.
Official rule text
In accordance with card payments security standards an invoice should never include a full card primary account number (BT-87). At the moment PCI Security Standards Council has defined that the first 6 digits and last 4 digits are the maximum number of digits to be shown.
Common causes
- The full 16-digit PAN was written into cac:CardAccount/cbc:PrimaryAccountNumberID.
- Masking logic was missing, exposing more than the permitted 6+4 digits.
- Card data was copied verbatim from a payment gateway response into the invoice.
How do I fix it?
Mask the PAN in cac:CardAccount, e.g. <cbc:PrimaryAccountNumberID>123456******7890</cbc:PrimaryAccountNumberID>, showing at most the first 6 and last 4 digits.
Related rules
BR-01 · BR-02 · BR-03 · BR-04 · BR-05 · BR-06 · BR-07 · BR-08
Paste it into the live demo, or call POST /v1/validate. See the quickstart.