# BR-51

> In accordance with card payments security standards an invoice should never include a full card primary account number (BT-87). At the moment PCI Security Standards Council has defined that the first 6 digits and last 4 digits are the maximum number of digits to be shown.

Checked against Peppol BIS Billing 3.0 2026.5

Canonical: https://einvoicecheck.eu/rules/br-51

## Official rule text

In accordance with card payments security standards an invoice should never include a full card primary account number (BT-87). At the moment PCI Security Standards Council has defined that the first 6 digits and last 4 digits are the maximum number of digits to be shown.

## Why did my invoice fail BR-51?

For card payments the invoice must never contain the full card primary account number (BT-87); per PCI DSS at most the first 6 and last 4 digits may be shown, so the PAN must be masked. This prevents leaking sensitive cardholder data through the invoice document.

## Common causes

- The full 16-digit PAN was written into cac:CardAccount/cbc:PrimaryAccountNumberID.
- Masking logic was missing, exposing more than the permitted 6+4 digits.
- Card data was copied verbatim from a payment gateway response into the invoice.

## How do I fix it?

```
Mask the PAN in cac:CardAccount, e.g. <cbc:PrimaryAccountNumberID>123456******7890</cbc:PrimaryAccountNumberID>, showing at most the first 6 and last 4 digits.
```
