26

Usually when I enter and save my credit card number in an online shop or mobile app, only the last four numbers are shown as a reminder. Example (not actual digits):

Your card: **** **** **** 1234

Recently I used an app where the card number was shown as below (not actual digits):

Your card: 1234 56** **** 1234

Are there any good practices or something enforced by Visa/MC or law regulating how to mask card number properly?

tomash
  • 371
  • 1
  • 3
  • 5

2 Answers

54

The terms you want to look into, provided this is in the US, are PCI Compliance and PA DSS. PCI compliance is for the vendor that you are shopping with and PA DSS applies to the company that produces the software that takes the credit cards (what the vendor uses to sell you things).

According to the PCI Compliance Guide, the maximum digits that can be displayed are the first 6 and last 4 of a card number. Your example shows that maximum allowance. This requirement is different from the requirement for storing the card number in a database.

BobbyScon
  • 14,104
  • 3
  • 47
  • 63
27

BobbyScon's answer points you to the industry standard PCI rules, but the anatomy of a credit card number is as follows.

  • First Digit is major ID number (3 = AMEX/Diners Club, 4 = Visa, 5 = Mastercard, 6 = Discover, etc)

  • The first 6 digits (including the first digit) are the Bank ID Number (different banks have different systems for assigning these, my Chase cards all have the same first six digits)

  • The next 9 digits are your account number

  • The last digit is a checksum (there's a somewhat simple algorithm used to quickly validate a credit card number, you can't simply change a digit of your card number to use it as a fake)

So it looks like your second example felt it sufficient to only block most of your account number but leave the bank number visible. I can't think of a reason to expose more than the last 4 digits of a credit card number. Surely most people have no idea that the first 6 digits are a bank ID that will be common across many many many cards and there's no benefit to the vendor to know the bank IDs.

quid
  • 49,074
  • 11
  • 101
  • 161
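As an added example (not code from either answer or from any PCI document), the following Python puts together the two points above: the display allowance from BobbyScon's answer (at most the first 6 and last 4 digits visible) and the checksum step from quid's answer (the last digit is a Luhn check digit). It provides a masking helper that defaults to showing only the last four, a check that a rendered string stays within the PCI allowance, and a Luhn validator. The card number 4111 1111 1111 1111 used in the demo is a constructed, widely published test value, not a real account.

```python
import re


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check.

    The rightmost digit is the check digit; every second digit to its left
    is doubled (subtracting 9 when the result exceeds 9) and the total must
    be a multiple of 10.
    """
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit left of the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, show_bin: bool = False) -> str:
    """Mask a primary account number for display.

    Default: only the last 4 digits are shown.  With show_bin=True the
    first 6 (the bank identification number) are also shown, which is the
    maximum the PCI DSS display rule allows.  Output is grouped in fours.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    keep_head = 6 if show_bin else 0
    keep_tail = 4
    masked = (
        digits[:keep_head]
        + "*" * (len(digits) - keep_head - keep_tail)
        + digits[-keep_tail:]
    )
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def display_is_pci_compliant(display: str) -> bool:
    """Check that a rendered card string exposes digits only in the first 6
    or last 4 positions; any visible digit elsewhere is a violation."""
    chars = display.replace(" ", "")
    n = len(chars)
    for i, c in enumerate(chars):
        if c.isdigit() and not (i < 6 or i >= n - 4):
            return False
    return True


if __name__ == "__main__":
    # Constructed test value (standard Visa test number), not a real card.
    test_pan = "4111 1111 1111 1111"
    print("Luhn valid:", luhn_valid(test_pan))
    print("Last four only:", mask_pan(test_pan))
    print("BIN + last four:", mask_pan(test_pan, show_bin=True))
    print("Compliant:", display_is_pci_compliant("1234 56** **** 1234"))
    print("Compliant:", display_is_pci_compliant("1234 5678 **** 1234"))
```

`display_is_pci_compliant` is the check a reviewer can run over whatever string an app actually renders; the second demo string, which leaks two digits of the account number, fails it.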