PCI data can easily be entered into Task records (e.g. Incidents and Cases) and be maintained, and without Data Discovery it could take sometime for it to be anonymise it.
A business rule checks before an insert or update, to check whether any field has a 16 digit alphanumeric code with spaces or dashes, and then tests these on common Javascript formulas, then Aborts submission, and logs the attempt.
With Work Notes or Comments, it uses an OnChange Client script to remove the entry.
Use at your own risk. This is something I have mocked up on my sandpit and works with the several credit cards that I have.
Also, please look at out of the box features, Data Classification, Data Privacy and Data Privacy.
