In accordance with card payments security standards an invoice should never include a full card primary account number (BT-87). At the moment PCI Security Standards Council has defined that the first 6 digits and last 4 digits are the maximum number of digits to be shown.
cac:PaymentMeans/cac:CardAccount/cbc:PrimaryAccountNumberID
string-length(normalize-space(.))<=10