Actually PCI DSS (Payment Card Industry Data Security Standards), while not being a "law", but is a standard adopted by the credit card companies, requires an even stricter requirement, of only the last four digits or the, I believe, first 5 digits of the credit card. Furthermore, no other information shall be retained like the expiration date, name, or "card Identifier" - sometimes called the CVV, shall be retained in an non-encrypted format. Obviously this violation cannot be used as a basis of suit, but it can be used as a threat to report the vendor to the credit card company. The credit card company has been very good about enforcing compliance, to the threat of pulling the merchant's ability to accept credit card payments, and in at least one case, when this ability had been pulled, the merchant went out of business within a year. I, also make the merchants black out all but the last 4 digits, and remind them that it violates the PCI DSS standards. When you tell them this, they will usually comply. Of particular frustration is that many of the older credit card printer machines, will print an original for you to sign which is the merchant's copy with the full credit card number printer, and your copy which has all but the last 4 digits xxx'd out. Since you are the holder of the credit card, it is certainly within your rights to have the whole credit card number printed out if you want on your copy (and if you mishandle it, then it is your fault), but if you look at your copy, you would think that the number is actually xxxx'd out on both copies, which is not the case. This is a result of the merchant not spending the few bucks to update their software, which is unforgivable. Perhaps if enough of us complain, the will start to get the message and fix this problem. After all, it is our credit cards and identity that we are trying to protect.
Mens ability to see the future is limited by their horizons of today!