by photon12 1289 days ago
Since this is specifically related to accepting payment, one would hope this infrastructure has received adequate security testing as required by PCI standards.

In practice, PCI standards compliance is a mess of people selling "point and click compliance solutions," companies being too big to be properly audited, code churn between audits, companies misleading auditors or hiding key data. Security theater is especially pervasive in PCI compliance.

1 comment

To your point: although the post discusses possible PCI implications, I don't think exposing the last 4 and PII alone is enough to run afoul of the requirements (at least 3.2, as far as I remember). We would need the full PAN or CVV, or evidence that this was being stored improperly, etc. If I recall, a company can store the first 6 and last 4 in plaintext. With that said, these problems may indicate bigger issues that would violate the DSS, he may have found more that wasn't written about, or I could just be mistaken.
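As an added example (not part of the thread or of any PCI document), here is a small Python check for the distinction the reply draws: whether leaked records contain a full PAN or only a first-six/last-four truncation. The sample records, field names and helper names are constructed for illustration; candidates are found by digit-run length (13 to 19 digits, separators allowed) plus a Luhn check, so truncated values and bare last-4 fields never match.

```python
import re
from typing import Dict, List

# Constructed sample of leaked records (not real data): one full PAN with
# spaces, one first-six/last-four truncation and one last-4-only field.
SAMPLE_RECORDS = [
    "id=1 name=Alice email=alice@example.com card=4111 1111 1111 1111",
    "id=2 name=Bob email=bob@example.com card=411111******1111",
    "id=3 name=Carol email=carol@example.com last4=1111 exp=12/27",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run (so a 20-digit serial number is skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible.

    Separators are stripped first, so "4111 1111 1111 1111" and
    "4111111111111111" truncate to the same value.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must have 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_full_pans(text: str) -> List[str]:
    """Return every digit run in text that looks like a complete PAN.

    A match must be 13 to 19 digits after separator removal and pass Luhn.
    Truncated values such as 411111******1111 leave only short digit runs,
    so they (and a bare last-4 field) produce no match.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def classify_records(records: List[str]) -> Dict[str, List[str]]:
    """Split records into those exposing a full PAN and everything else."""
    full = {r for r in records if find_full_pans(r)}
    return {
        "full_pan": sorted(full),
        "truncated_or_pii_only": sorted(set(records) - full),
    }


if __name__ == "__main__":
    for bucket, rows in classify_records(SAMPLE_RECORDS).items():
        print(bucket)
        for row in rows:
            print("  ", row)
```

The Luhn check is only a plausibility filter (it catches most random digit runs, not all), so a hit still has to be confirmed by hand; its value here is separating "last 4 plus PII" leaks from ones that carry a usable card number.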