First six and last four are the limits for display set out by the PCI Security Standards Council. The things you should never store with the PAN are the PIN/PIN block or CVC/CVV.
While it complies with PCI standards, knowing first6+last4, plus contact information, you can be much more successful at phishing against the target.
First6 will give you the ability to know the issuing bank of the card (so an email can be crafted to look like that bank's emails). Plus last4 tends to be used by banks as a "hey, we know who you are!" when they send emails.
You might need them to reverse or refund the transaction with some payment gateways. Or if you are going to settle the funds at a time after authorization when shipping
How does that work? If you can't store the CVC/CVV, how come I don't have to re-enter it when I re-order from, say, Amazon or Foodora? Or maybe I do have to enter it? Don't remember :|
Most MSPs (merchant service providers) give you control over the details you personally want to capture to verify someone. The minimum and most insecure is simply approving a card based on a valid number! (Not even expiration date.) Then you can enable EXP, CVV and AV (address verification). Fun tip about AV: your address doesn't matter. There are so many spellings of "oak harbour drive apartment 2" that the industry pretty much gave up on some smart AI knowing them all, and it only verifies the zip code (typical gas station card usage for credit cards: verification is your zip code).
Address line 1 in AVS is still used, however, only the numeric portion of the address is checked. The AVS results will generally tell you the individual match results for the address line and the postal code, so you can have a full match or a partial match. Most merchants will allow you through with a partial match.
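A simplified model of the matching described in the comment above, as an added example that is not from any commenter or from a card network's or gateway's code. The function names, the result labels and the choice to treat the first run of digits in line 1 as the "numeric portion" are assumptions.

```python
import re

def street_number(line1: str) -> str:
    # Assumption: the "numeric portion" is the first run of digits in line 1.
    m = re.search(r"\d+", line1)
    return m.group(0) if m else ""

def norm_postal(code: str) -> str:
    # Ignore spacing, hyphens and case so "98277" and " 98277 " compare equal.
    return re.sub(r"[^0-9A-Za-z]", "", code).upper()

def avs_check(on_file: dict, submitted: dict) -> dict:
    """Compare a submitted billing address with the issuer's record."""
    num = street_number(on_file["line1"])
    addr_ok = bool(num) and num == street_number(submitted["line1"])
    zip_ref = norm_postal(on_file["postal"])
    postal_ok = bool(zip_ref) and zip_ref == norm_postal(submitted["postal"])
    if addr_ok and postal_ok:
        result = "full"
    elif addr_ok or postal_ok:
        result = "partial"
    else:
        result = "none"
    return {"address": addr_ok, "postal": postal_ok, "result": result}

def merchant_accepts(check: dict, allow_partial: bool = True) -> bool:
    # Merchant-side policy knob: a stricter shop sets allow_partial=False.
    return check["result"] == "full" or (
        allow_partial and check["result"] == "partial")

# Constructed sample data, not real cardholder records.
ON_FILE = {"line1": "12 Oak Harbour Drive Apartment 2", "postal": "98277"}
SAMPLES = [
    {"line1": "12 oak harbor dr apt #2", "postal": "98277"},  # spelling differs
    {"line1": "99 Elm St", "postal": "98277"},                # wrong street
    {"line1": "99 Elm St", "postal": "10001"},                # nothing matches
]

if __name__ == "__main__":
    for s in SAMPLES:
        c = avs_check(ON_FILE, s)
        print(s["line1"], "->", c["result"], "| accepted:", merchant_accepts(c))
```

The second sample is the case to watch in fraud rules: the street is wrong, yet a partial-match policy still lets it through, while `allow_partial=False` rejects it.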
They are registering the fact that you knew it and used it to ship to a specific address in a previous transaction in order to reduce fraud risk. They aren't submitting it with every transaction. (Assuming they are following the rules...)