How to Redact PCI Data: Credit Card and Bank Account Numbers
by Ali Rind, Last updated: May 4, 2026

PCI data is one of the most heavily regulated categories of information any business handles. Card numbers, security codes, expiration dates, and cardholder names sit in documents, call recordings, emails, and scanned files across the typical company. Releasing or storing any of it without proper handling violates the Payment Card Industry Data Security Standard (PCI DSS), and the consequences arrive on multiple fronts: card brand fines, acquiring bank penalties, increased processing rates, mandatory forensic investigation, and direct civil liability when affected customers pursue claims.
The PCI requirement is specific. Cardholder data cannot be retained beyond authorization unless there is a documented business or legal need. Where it does need to be retained, it has to be protected by encryption, tokenization, or truncation. Where it appears in records that will be shared, archived for non-PCI purposes, or used outside the original transaction context, it has to be redacted. Permanent removal, not visual covering. This guide covers what PCI data is, where it appears, the difference between masking and redaction, and how to remove it defensibly.
What is PCI Data and What Needs to be Redacted
PCI DSS defines cardholder data and sensitive authentication data as the categories in scope.
Cardholder data covers the Primary Account Number (PAN), the cardholder name, the card expiration date, and the service code. The PAN is the 13- to 19-digit number on the front of the card. Permitted storage of full PAN requires strong protection (encryption at rest, key management, restricted access). Where storage is not necessary, the PAN is the most critical element to redact.
Sensitive authentication data covers the full card verification value (CVV, CVC2, CID, the 3- or 4-digit code on the back of most cards), the full track data from the magnetic stripe or chip, and any PIN or PIN block. Sensitive authentication data must not be stored after authorization under any circumstance, regardless of encryption.
Bank account numbers and routing numbers fall outside PCI DSS technically but are typically treated as equivalent in practice because the same regulatory frameworks (GLBA, state financial privacy law) and the same operational controls apply. Most organizations redact bank account and routing numbers using the same workflow as PAN. For the relationship between PCI, NPI, and other regulated data categories, see PII vs PHI: NPI and PCI explained.
The full PCI Security Standards Council documentation and the latest PCI DSS v4 requirements cover the official scope and definitions in detail.
Redaction vs Masking Under PCI DSS Requirement 3.4
These two are often confused, and the confusion creates compliance gaps.
Masking is a display-time control. Under PCI DSS Requirement 3.4, the PAN can be displayed in a masked form (typically the first six and last four digits visible, with the middle digits hidden behind X or asterisks) when full PAN does not need to be shown. Masking is a presentation choice, not a data transformation. The underlying full PAN often still exists in the database and may be visible in reports, exports, or other system contexts.
Redaction is a data transformation. The original sensitive content is removed from the file or record. There is no underlying value to recover. A redacted document or recording cannot expose the data even if every access control fails.
PCI DSS uses both. Masking covers display contexts where full PAN is not needed. Redaction is required when records containing PAN, CVV, or related sensitive authentication data are shared outside the cardholder data environment, archived for non-payment purposes, used for QA or training, produced for legal discovery, or otherwise leave the boundary of authorized PCI handling.
Confusing the two is a common failure mode. A team applies a black-box overlay in a PDF (visual masking) and treats it as redaction. The underlying text remains in the file. A copy-paste recovers the data. The PCI assessment finds it. The company fails the audit.
Where Credit Card and Bank Account Numbers Appear in Business Records
PCI data does not stay neatly in a payment system. It spreads across the organization in predictable places.
Documents. Customer correspondence, invoice copies, receipts, refund requests, fraud claim files, and signed credit applications all carry PAN and related fields. Word and PDF files sent to internal teams, external counsel, or auditors often retain this content unless redacted.
Scanned files. Older paper-based records that have been scanned for archive sit as image PDFs. PAN appears as image content rather than searchable text, which is why OCR (optical character recognition) is required to detect and redact it.
Call recordings. Customers read card numbers aloud during phone payments, refund requests, and account verification. The full PAN and the CVV both appear in the audio track. Call center recordings retained beyond authorization for QA, training, or compliance purposes have to have these segments redacted.
Screen recordings and screenshots. Support ticket attachments, training materials, and software demo recordings sometimes capture PAN visible on a screen. Even when the screen content is incidental, the recording carries the PAN. For the broader category of risks that show up in screen capture, see hidden PII risks in screen recordings.
Email and chat logs. Customers occasionally send PAN by email or in chat messages despite policy. The email and chat archives retain it. PCI redaction sweeps usually have to address message archives along with documents.
Internal trackers. Excel spreadsheets, ticketing system attachments, and shared drives accumulate copies of customer correspondence with PAN embedded. The original may have been processed correctly; the secondary copies often were not.
Each location requires the same redaction analysis applied to the format-specific content.
How to Redact PCI Data: A Step-by-Step Compliance Workflow
A defensible PCI redaction workflow has five components.
Identify the locations. Before redaction can run, the organization needs an inventory of where PCI data appears: which document repositories, which call recording archives, which email systems, which scanned archives. PCI scope creep is a common audit finding; redaction effort is wasted if the inventory is incomplete.
Pattern-based detection. PAN follows specific format patterns: 13 to 19 digits, with brand-specific prefixes (4 for Visa, 5 for Mastercard, 34/37 for Amex, 6 for Discover) and a Luhn checksum that validates structural correctness. A redaction tool should detect PAN by structure, not by manual highlighting. CVV and expiration dates appear near PAN in typical contexts and can be flagged with rule-based patterns. Bank account and routing numbers follow similar pattern conventions and can be detected the same way. For the closely related financial document case, see how to redact bank statements.
OCR for scanned content. Scanned PDFs, image attachments, and faxed records hold PAN as image pixels. OCR extracts the text from the images, runs detection across the extracted text, and applies redaction at the pixel level of the source image. Without OCR, scanned PCI data cannot be redacted reliably.
Spoken PII redaction for audio. Call recordings need transcription, then PII detection across the transcript, then audio redaction (mute or bleep) on the timestamped segments where PAN, CVV, or other PCI content appears. Speaker diarization helps because customer-spoken card numbers can be targeted while leaving agent-spoken non-PCI content audible.
Audit trail per redaction. Every action is logged with the operator, the timestamp, the basis (which rule or policy applied), and the file or recording affected, and the log is kept in tamper-proof storage. The audit log is what supports a PCI QSA assessment if the redaction is challenged. For the entity-level configuration that supports this kind of policy work, see selective PII redaction.
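As an added example (not VIDIZMO's code and not part of the original post), the following Python script puts the masking-versus-redaction distinction and the pattern-detection and audit-trail steps above into working form. It finds candidate PANs by structure (13 to 19 digits, optional space or dash separators), keeps only those that pass the Luhn check and carry one of the brand prefixes listed on this page, detects nine-digit ABA routing numbers with their own checksum (my assumption of what "similar pattern conventions" means for routing numbers), shows a Requirement 3.4-style mask beside an actual redaction, writes one audit entry per action, and re-runs detection on the output so a visual-only blackout would be caught. Function names, the placeholder tokens and the sample text are all constructed for this example; the card numbers in the sample are standard industry test numbers, not customer data.

```python
import re
from datetime import datetime, timezone

# Constructed patterns. A production detector would add context-word rules
# ("card", "acct", "routing") to cut false positives further.
PAN_CANDIDATE = re.compile(r"(?<![\w-])(?:\d[ -]?){12,18}\d(?![\w-])")
ROUTING_CANDIDATE = re.compile(r"(?<![\w-])\d{9}(?![\w-])")

# Brand prefixes as listed on this page (not an exhaustive BIN table).
BRAND_PREFIXES = {"Visa": ("4",), "Mastercard": ("5",),
                  "Amex": ("34", "37"), "Discover": ("6",)}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def aba_routing_valid(digits: str) -> bool:
    """ABA routing checksum: weights 3,7,1 repeated over the nine digits, mod 10."""
    weights = (3, 7, 1) * 3
    return len(digits) == 9 and sum(int(c) * w for c, w in zip(digits, weights)) % 10 == 0


def brand_for(digits: str):
    """Return the brand name for a PAN prefix, or None if no listed prefix matches."""
    for brand, prefixes in BRAND_PREFIXES.items():
        if digits.startswith(prefixes):
            return brand
    return None


def find_financial_ids(text: str):
    """Return (start, end, kind, digits) for every structurally valid PAN or routing number."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits) and brand_for(digits):
            hits.append((m.start(), m.end(), "PAN/" + brand_for(digits), digits))
    for m in ROUTING_CANDIDATE.finditer(text):
        if aba_routing_valid(m.group()):
            hits.append((m.start(), m.end(), "ROUTING", m.group()))
    return sorted(hits)


def mask_pan(digits: str) -> str:
    """Requirement 3.4-style display masking: first six and last four visible."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def redact_text(text: str, source: str, operator: str):
    """Replace each hit with a placeholder; return the new text and one audit entry per hit."""
    out, entries, last = [], [], 0
    for start, end, kind, digits in find_financial_ids(text):
        out.append(text[last:start])
        out.append("[REDACTED-" + kind.split("/")[0] + "]")
        last = end
        entries.append({
            "operator": operator,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "basis": "checksum-validated " + kind,
            "source": source,
            "offset": start,
            # A masked reference is permitted for display; the full value never enters the log.
            "reference": mask_pan(digits) if kind.startswith("PAN") else "XXXXX" + digits[-4:],
        })
    out.append(text[last:])
    return "".join(out), entries


def verify_clean(text: str) -> bool:
    """Post-redaction sweep: the output must contain no detectable PAN or routing number."""
    return not find_financial_ids(text)


if __name__ == "__main__":
    # Constructed sample using industry test card numbers; not real customer data.
    sample = ("Refund for card 4111 1111 1111 1111 (exp 12/27), "
              "ACH routing 021000021, ticket 1234567890123")
    clean, log = redact_text(sample, "ticket-42.txt", "analyst1")
    print(clean)
    for entry in log:
        print(entry)
    print("verified clean:", verify_clean(clean))
```

The 13-digit ticket number in the sample is deliberately left alone: it matches the length pattern but fails Luhn, which is the false-positive reduction the page describes. The audit entry records a masked reference rather than the PAN itself, so the log does not become a new place where full PAN is stored.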
Common PCI Redaction Mistakes that Fail Audits
Five recurring failures show up in PCI redaction work.
- Visual blackouts that do not remove the underlying text. Black fill in a PDF or a black box drawn over a screen capture leaves the PAN intact in the file. Anyone who copies the cell or the page text recovers it.
- Metadata layers. Document properties, tracked changes, embedded objects, and email header fields carry PAN where it appeared in earlier versions of the file. Redacting the visible content while leaving metadata intact is a common audit miss.
- Manual redaction at scale. A reviewer marking PAN by hand in a queue of files runs into consistency problems: the PAN on page 3 gets caught, the PAN on page 47 gets missed. At any meaningful PCI volume, manual review is the bottleneck where audit failures originate.
- Missed CVVs. CVV is sensitive authentication data and cannot be stored after authorization under any circumstance. CVV captures in call recordings, in fraud claim files, and in customer email correspondence are common findings. Redaction sweeps have to specifically target CVV alongside PAN.
- Inconsistent treatment across formats. The PAN in a PDF gets redacted; the same PAN appearing in a related call recording does not. The audit finds the inconsistency. A unified workflow that handles documents and audio together avoids this.
How VIDIZMO Redactor Handles PAN, CVV & Account Numbers
VIDIZMO Redactor detects PAN, CVV, expiration dates, bank account numbers, and routing numbers as part of its 40+ PII type set on documents and 33+ spoken PII categories on audio. Pattern detection uses regex with context-word matching, including PAN format detection with Luhn validation to reduce false positives. OCR processes scanned PDFs and image attachments, and spoken PII detection in call recordings includes mute and bleep redaction styles.
Administrators can configure custom patterns for organization-specific account number formats. Audit logs record every redaction action with operator, IP address, timestamp, and action type in tamper-proof storage. The platform supports PCI DSS as one of its documented compliance frameworks alongside HIPAA, GDPR, CCPA, and others. For the financial services vertical context, see redaction software for financial services.
Start a free trial and run VIDIZMO Redactor against your own PCI-bearing files.
People Also Ask
Masking hides part of the PAN at display time under PCI DSS Requirement 3.4 (typically first six and last four digits visible). The underlying value still exists in the system. Redaction permanently removes the sensitive content from the record, leaving nothing to recover. Use masking for display. Use redaction when records leave the cardholder data environment for sharing, archive, QA, training, or discovery.
Operationally yes. Bank account and routing numbers fall outside PCI DSS strictly but are governed by GLBA and state financial privacy law, which impose similar handling rules. Most organizations apply one workflow to PAN, account numbers, and routing numbers together, since detection patterns and redaction tools treat them as the same financial PII category.
Yes. Customers read card numbers and CVVs aloud during phone payments and verification calls. Audio redaction requires transcription, PII detection on the transcript, and mute or bleep applied at the timestamps where PCI content appears. Speaker diarization targets customer-spoken card numbers while preserving agent audio. PCI DSS prohibits storing CVV after authorization, so retention policies typically require redaction or deletion within a defined window.
Card brand fines (tens of thousands to several hundred thousand dollars depending on volume), acquiring bank penalties, increased processing rates, mandatory PCI Forensic Investigator (PFI) review at the merchant's expense, state breach notification costs, civil claims, and reputational impact. Total cost of a serious failure routinely exceeds the cost of running a defensible redaction workflow by orders of magnitude.
Yes, when the platform includes OCR. OCR extracts text from image-based PDFs, the tool runs PII detection across the extracted text, and redaction is applied at the pixel level. Without OCR, scanned PCI data cannot be reliably redacted and either has to be re-typed manually or remains exposed.
About the Author
Ali Rind
Ali Rind is a Product Marketing Executive at VIDIZMO, where he focuses on digital evidence management, AI redaction, and enterprise video technology. He closely follows how law enforcement agencies, public safety organizations, and government bodies manage and act on video evidence, translating those insights into clear, practical content. Ali writes across Digital Evidence Management System, Redactor, and Intelligence Hub products, covering everything from compliance challenges to real-world deployment across federal, state, and commercial markets.
