
Credit Card Breach Shows PCI DSS Masking Flaw

Hacker News

A recent breach exposed how easily a saved credit card can be reconstructed from the limited data shown on e‑commerce sites. The attacker leveraged the PCI DSS‑mandated mask that shows only the first six and last four digits, plus the expiration date, to brute‑force the remaining numbers. The victim, Metin Ozyildirim, experienced a rapid fraud loop.

Within hours, the fraudster triggered multiple 3D Secure challenges, gathering the cardholder name, bank code, and a partial PAN. Even without the CVC, the attacker could test 99,999 possible numbers, then iterate the CVV. By pacing requests at six per second, spread across stolen merchant APIs, the loop stayed below detection thresholds.

The victim’s bank later blocked the card, but the fraudster had already drained the reduced limit into a market e‑wallet that allowed cash withdrawals. After a chargeback request, the bank returned the funds. The incident highlights that PCI DSS masking, while compliant, still permits a narrow attack surface that can be weaponized.

Compliance alone is insufficient; merchants must enforce full PAN, expiration, and CVV checks, limit API exposure, and monitor for low‑rate brute‑force patterns. Consumers should also use unique passwords and monitor transaction logs. The case underscores that even regulated standards can leave exploitable gaps when implementation stops at minimal requirements.
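As an added example (not code from the article or any of the parties involved), the kind of cross-merchant correlation that catches the pacing described above: constructed authorization-log records are grouped by the fields the mask leaves visible (BIN, last four, expiry), and a burst of distinct full-PAN tokens under one such key is flagged even though no single merchant sees more than a couple of requests per second. The log format, field names and the PAN-token column are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization log (not real data): time, merchant,
# BIN (first six), last four, expiry, token of the full PAN, result.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z,shopA,412345,9876,12/26,tok_0001,DECLINED_INVALID_CARD
2024-05-01T10:00:00Z,shopB,412345,9876,12/26,tok_0002,DECLINED_INVALID_CARD
2024-05-01T10:00:01Z,shopC,412345,9876,12/26,tok_0003,DECLINED_INVALID_CARD
2024-05-01T10:00:01Z,shopA,412345,9876,12/26,tok_0004,DECLINED_INVALID_CARD
2024-05-01T10:00:02Z,shopD,412345,9876,12/26,tok_0005,DECLINED_INVALID_CARD
2024-05-01T10:00:02Z,shopB,412345,9876,12/26,tok_0006,DECLINED_INVALID_CVV
2024-05-01T10:00:03Z,shopC,412345,9876,12/26,tok_0007,DECLINED_INVALID_CARD
2024-05-01T10:00:05Z,shopA,555555,1111,01/27,tok_9001,APPROVED
2024-05-01T10:00:06Z,shopA,555555,1111,01/27,tok_9001,DECLINED_INSUFFICIENT_FUNDS
"""

def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        ts, merchant, bin6, last4, exp, token, result = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "merchant": merchant, "key": (bin6, last4, exp),
            "token": token, "result": result,
        })
    return records

def find_enumeration(records, window=timedelta(seconds=60), threshold=5):
    """Flag (BIN, last4, expiry) keys with >= threshold distinct PAN tokens
    declined as invalid inside one window, counted across all merchants."""
    by_key = defaultdict(list)
    for r in records:
        if r["result"].startswith("DECLINED_INVALID"):
            by_key[r["key"]].append(r)
    alerts = {}
    for key, rs in by_key.items():
        rs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(rs)):
            while rs[end]["ts"] - rs[start]["ts"] > window:
                start += 1  # slide the window forward
            span = rs[start:end + 1]
            tokens = {r["token"] for r in span}
            if len(tokens) >= threshold and len(tokens) > alerts.get(key, (0,))[0]:
                merchants = sorted({r["merchant"] for r in span})
                alerts[key] = (len(tokens), merchants)
    return alerts
```

Legitimate declines (wrong CVV on a real card, insufficient funds) are filtered or fall far below the threshold, so the alert keys only on the enumeration signature of many different PANs sharing one mask.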