PDF Mavericks Logo
PDF Tools
India KYC
Privacy
No Upload

Redact PAN Card PDF in Your Browser (No Upload)

87% of Indian citizens believe their personal data is already compromised. 52% of them say their PAN number is one of the leaked elements. Before you send another scan of your PAN card to a landlord, courier, or online seller, redact the parts they don't actually need.

PDF Mavericks·
In this guide
  1. Why redact your PAN card now
  2. What is actually printed on a PAN card
  3. How to redact a PAN card PDF in 5 steps
  4. What to redact and what to leave
  5. Why server-side redaction defeats the purpose
  6. Common situations: rental, gym, courier, bank KYC
  7. Frequently asked questions

Why redact your PAN card now

The numbers are unambiguous. A March 2025 survey of 47,000 Indian citizens by LocalCircles found that 87% believe one or more elements of their personal data is already in the public domain or sitting inside a database that has been breached. Among them, 52% said their PAN card number is one of the leaked items. That is up from 72% total-leakage belief in 2022.

Real-world breaches confirm the survey. India Post's online eKYC portal exposed Aadhaar, PAN, and bank details of millions of citizens through an access-control flaw that left customer documents publicly browsable. The Star Health breach in October 2024 leaked policyholder PAN and Aadhaar data onto Telegram channels. The government has been pulling down individual websites that scrape and republish PAN-Aadhaar combinations, but the data is already mirrored on dark web markets.

The DPDP Act 2023 was meant to put penalties on entities that leak this data. Its rules are still not notified, so there is no enforcement teeth in 2026. Until that changes, the only reliable protection is upstream: control who gets the full scan of your PAN card, and redact it before sharing whenever the counterparty does not legitimately need every field.

Common scenarios where the full PAN scan is asked for but not actually required: rental security deposit verification, gym membership, courier delivery proof, online classifieds (OLX, Quikr), event registration above ₹2 lakh ticket value, and second-hand marketplace seller verification. In all of these, a redacted scan that hides the photo and signature is sufficient evidence of identity without exposing the full document.

What is actually printed on a PAN card

A standard PAN card contains seven distinct pieces of personally identifiable information, plus one machine-readable code that people frequently miss:

  1. Permanent Account Number — the 10-character alphanumeric code. The 4th character is the entity type (P for individual). The 5th character is the first letter of your surname.
  2. Full name — as registered with the Income Tax Department, including surname.
  3. Father's name — printed on older PAN cards; optional on the 2018+ design.
  4. Date of birth — DDMMYYYY format. Also the default password for password-protected e-PANs.
  5. Photograph — biometric identifier; printed on the left of the card.
  6. Signature — specimen signature, can be lifted and reused for forgery if shared in high resolution.
  7. QR code — encodes the full PAN, name, and date of birth in plain text. Decodable by any phone camera.

The QR code is the trap most people miss. You can carefully black out the printed PAN number on the front, but if the back of the card has its QR code visible, anyone with a phone can decode the full PAN, name, and DOB in two seconds. Real redaction means blanking the QR code as well.

How to redact a PAN card PDF in 5 steps

PDF Mavericks runs the entire redaction flow inside your browser. The PAN card PDF never leaves your device. Here is the full sequence:

  1. Unlock the PDF if it is password-protected. An e-PAN downloaded from NSDL or UTIITSL is locked with your date of birth in DDMMYYYY format. Open /unlock-pdf and drop the file. The password is processed locally.
  2. Open the redact tool. Go to /redact-pdf. Drag your PAN card PDF onto the page. The tool loads the document into a canvas inside your browser.
  3. Draw redaction rectangles. Click and drag over each element you want to remove: photograph, signature, father's name, address (if printed), and the QR code on the back. The black rectangles are placed but not yet applied.
  4. Apply the redaction. Click "Apply Redaction". This is the destructive step — the content stream entries under each rectangle are deleted from the PDF, not just hidden. Once applied, the data cannot be recovered.
  5. Download the redacted PDF. The file downloads directly from your browser. Verify by opening the downloaded file, selecting the redacted area, and confirming no hidden text copies out. If anything copies out, the redaction did not apply properly — repeat the step.

Total time: under 60 seconds for a typical two-page PAN PDF. No account creation, no email entry, no upload progress bar — because there is no upload.

What to redact and what to leave

The right level of redaction depends on what the counterparty legitimately needs to verify. Three common tiers:

Tier 1 — Identity proof only (rental, gym, courier)

Redact: photograph, signature, full PAN number, QR code. Leave: name, date of birth. The counterparty sees a name and DOB that matches their other records; they do not need your PAN number for this transaction.

Tier 2 — PAN verification (broker, bank account opening)

Redact: photograph, signature, father's name, QR code. Leave: PAN number, name, date of birth. The entity can verify your PAN against the Income Tax database; they do not need your biometric photo for that lookup.

Tier 3 — Full KYC (employer, mutual fund SEBI KYC)

Most regulated entities require the full unredacted scan. Even here, you can redact the QR code without affecting their verification flow — they read the printed fields, not the machine-encoded ones. This is a small win, but it removes the single biggest data-leakage risk from the document.

Why server-side redaction defeats the purpose

Smallpdf, iLovePDF, and Xodo all offer PDF redaction. They are popular, easy to use, and their redaction algorithm is technically correct. They also upload your PAN card PDF to their servers before they can redact it. For a document whose entire point is controlling who sees the original, that is a contradiction.

Their privacy policies say they delete the file after a few hours or 24 hours. That window is what matters. Anyone with access to their infrastructure during that window — an engineer, a misconfigured backup job, a breached log pipeline — sees your unredacted PAN. The 2024 Star Health and 2025 India Post breaches both started from internal access at supposedly trusted entities.

Server upload undoes the redaction

Once the unredacted PDF reaches a third-party server, the privacy benefit is already lost — whatever you redact afterwards only protects the final recipient, not the intermediate processor.

Browser-local processing closes that window. PDF Mavericks uses WebAssembly and pdf-lib to run the redaction algorithm entirely on your device. The page loads, the JavaScript runs, the redaction happens, the file downloads. No network request carries your PDF content. You can verify this in your browser's DevTools Network tab: zero outbound transfers of file data.

Common situations: rental, gym, courier, bank KYC

Rental security deposit: the landlord asks for a PAN scan for the rental agreement registration. They need to verify your identity matches the lease. Tier 1 redaction works: mask the photo, signature, full PAN number, and QR code. Leave your name and DOB visible.

Gym or club membership: ID proof for the registration form. Tier 1 redaction is more than sufficient. Most front-desk staff are not going to validate your PAN against the Income Tax database for a monthly membership.

Courier or delivery: some delivery services require ID for high-value packages. Show the redacted version on your phone, do not send a digital copy. The delivery agent confirms the name on the package matches the name on the ID. Nothing else.

Bank account opening: Tier 2 redaction is the ceiling. The bank legitimately needs your PAN number to file Form 60/Form 61 and report your transactions. They do not need your father's name, your biometric photo, or your specimen signature for the account-opening process. Most banks already have these on file from earlier KYC; sending them again amplifies the leak risk for zero verification gain.

Pairs with Aadhaar masking: if you are sharing both ID proofs together, also mask the first 8 digits of your Aadhaar using /aadhaar-mask. UIDAI explicitly permits this for non-eKYC use cases. The same browser-local processing applies — Aadhaar PDF stays on your device.

Your PAN card never leaves your browser

PDF Mavericks processes everything locally using WebAssembly. No file is uploaded to any server. You can verify this by disconnecting from the internet after the page loads — redaction keeps working.

Frequently asked questions

Is it legal to redact my PAN card before sharing it?

Yes. The Income Tax Department requires you to disclose your PAN to authorised entities like banks, employers, and brokers. It does not require you to share an unredacted scan with every counterparty. For uses where only PAN verification is needed (not the full card image), masking the photo, signature, and address while keeping the PAN number visible is standard practice.

What should I redact on a PAN card PDF?

Redact the photograph and signature for any non-KYC use (landlord deposits, gym registrations, courier addresses, online classifieds). Redact the PAN number itself if the counterparty does not need to verify it. Always leave name and date of birth visible only when the counterparty has a legitimate reason. Most general-purpose forms do not need your full PAN.

Does PDF redaction permanently remove the data?

Yes, when done correctly. True redaction overwrites the underlying text and image data, not just covers it visually. PDF Mavericks performs real redaction by removing the content stream entries under the black boxes, so the redacted information cannot be recovered by copy-paste, OCR, or layer inspection. Drawing a black rectangle over text in a regular PDF editor does not redact — the original data stays embedded.

Will my PAN card PDF be uploaded to any server?

No. PDF Mavericks processes the PDF entirely inside your browser using WebAssembly and pdf-lib. The file never leaves your device. There is no upload step, no server-side storage, and no temporary cache. You can verify this by disconnecting from the internet after the page loads — the redaction tool keeps working because all computation happens locally.

How is this different from using a black marker in a PDF editor?

A black rectangle drawn on top of text is a visual cover, not a redaction. The original text remains in the PDF's content stream and is recoverable by anyone who opens the file in a code editor or runs a basic PDF parser. Real redaction (which PDF Mavericks performs) deletes the text and image data underneath the rectangle. After saving, the redacted content is gone permanently.

Can I redact a password-protected e-PAN downloaded from NSDL or UTIITSL?

Yes, but you must unlock it first. e-PAN PDFs from NSDL/UTIITSL are password-protected with your date of birth in DDMMYYYY format. Use PDF Mavericks' unlock-pdf tool first to remove the password, then run the redaction. Both steps run locally in your browser — the password is never transmitted.

What about the QR code on the back of a PAN card?

The QR code on a PAN card encodes the full PAN number, name, and date of birth in plain text. Anyone with a phone camera can decode it. If you are masking the printed PAN number on the front, you must also redact the QR code on the back, otherwise the redaction is cosmetic. PDF Mavericks redacts text and image regions, so the QR code can be blanked out the same way as any other element.

Related guides

Aadhaar Masking: UIDAI-Compliant Browser ToolAadhaar PDF Password Kaise Hatayen