Attackers have 16-digit card numbers, expiry dates, but not names. Should org get 500k fine?