In accordance with card payments security standards an invoice should never include a full card primary account number (BT-87). At the moment PCI Security Standards Council has defined that the first 6 digits and last 4 digits are the maximum number of digits to be shown.
cac:PaymentMeans/cac:CardAccountstring-length(cbc:PrimaryAccountNumberID)<=10