09-14-2006 14:44
Thanks for the much better explanation of the nature of the exposure.

In addition to removing the hash from the public side, I'd suggest removing the "last 5 digits in plaintext" too, or at least cutting it to 3.

At the risk of exposing myself to a slight risk, I'll mention that I cancelled my card because of this, and the new card they sent me... only the last 6 digits differ!

I don't know how widespread this practice is, but exposing the last 5 digits seems unnecessary, especially in light of my new card number, which, once I add it to the LL database, will be almost completely exposed to someone who happens to have my old one too.