Guarding personally identifiable information

First, something you have in common with the vast majority of the population is hardly "personal information". Simply guessing that a given individual has a credit card would be correct most of the time. Second, the card number doesn't say anything about any its owner by itself; if all you have is a card number then all you can say is that _someone_ has a credit card, which isn't personal at all.

> And besides, the number also contains the Issuer Identification Number, i.e. it identifies the bank or other provider that gave you the card -- which will narrow down where you live, etc.

That is a bit closer to personal data, but the same caveat applies: by itself that doesn't say anything about any particular individual, only the issuing bank. To make inferences about "where you live" one would first need to link the card to _you_. Otherwise all they can say is that _someone_ has a card from that bank.

The problem isn't a special class of "personal data", with a few obvious exceptions like name and address which are always filtered out anyway. Even a credit card number is not an issue in isolation (or wouldn't be given a reasonable minimum standard of security in payments). The problem is data sets which allow one to correlate _multiple_ types of otherwise _non-personal_ data in order to identify specific individuals. The data becomes personal only when aggregated together: the Latino Netflix subscriber, age 18-25, with a zip code starting with 407 and a credit card from Springfield Credit Union. No one part of that data is "personal", but taken together it can potentially single out a specific individual. The key is that almost any sort of data can be used for that sort of "fingerprinting", even data which no one considers personal.