Luhn Check to Retrieve card details
I don't understand how they say credit card details are safe if they have only masked 6 digits. It would be relatively trivial to work out valid remaining numbers by simple luhn checking. Find a particular card that has relatively few valid luhn options (using the existing details) and reverse the encryption based on that. I believe PCI-DSS should be much more restrictive than it currently is and not allow masked details to be included in the same detail as the encrypted card number as you are basically making breaking the encryption easier.