by batch12 1286 days ago
To your point: although the post discusses possible PCI implications, I don't think exposing the last 4 and PII alone is enough to run afoul of the requirements (at least 3.2, as far as I remember). We would need the full PAN or CVV, or evidence that this was being stored improperly, etc. If I recall, a company can store the first 6 and last 4 in plaintext. With that said, these problems may indicate bigger issues that would violate the DSS, he may have found more that wasn't written about, or I could just be mistaken.