diff --git a/src/Handler/Utils/Avs.hs b/src/Handler/Utils/Avs.hs
index f0158ccf9..7a7f25084 100644
--- a/src/Handler/Utils/Avs.hs
+++ b/src/Handler/Utils/Avs.hs
@@ -352,7 +352,7 @@ upsertAvsUserById api = do
           mbCompany   = firmAddress ^? _Just . _1 . _Just
           userFirmAddr= plaintextToStoredMarkup . mergeCompanyAddress <$> firmAddress
           pinCard     = Set.lookupMax avsPersonPersonCards
-          userPin     = tshowAvsFullCardNo . getFullCardNo <$> pinCard
+          userPin     = personCard2pin <$> pinCard
           fakeIdent   = CI.mk $ "AVSID:" <> tshow api
           fakeNo      = CI.mk $ "AVSNO:" <> tshow avsPersonPersonNo
           newUsr = AdminUserForm
@@ -391,7 +391,7 @@ upsertAvsUserById api = do
           mbCoFirmAddr= mergeCompanyAddress <$> firmAddress
           userFirmAddr= plaintextToStoredMarkup <$> mbCoFirmAddr
           pinCard     = Set.lookupMax avsPersonPersonCards
-          userPin     = tshowAvsFullCardNo . getFullCardNo <$> pinCard
+          userPin     = personCard2pin <$> pinCard
       runDB $ do
         now <- liftIO getCurrentTime
         oldCards <- selectList [UserAvsCardPersonId ==. api] []
@@ -400,7 +400,7 @@ upsertAvsUserById api = do
           updateWhere [UserId ==. uid] [UserPostAddress =. userFirmAddr]
         whenIsJust pinCard $ \pCard -> -- update pin, but only if it was unset or set to the value of an old card
           unlessM (exists [UserAvsCardCardNo ==. avsDataCardNo pCard]) $ do
-            let oldPins = Just . tshowAvsFullCardNo . getFullCardNo . userAvsCardCard . entityVal <$> oldCards
+            let oldPins = Just . personCard2pin . userAvsCardCard . entityVal <$> oldCards
             updateWhere [UserId ==. uid, UserPinPassword !=. userPin, UserPinPassword <-. Nothing:oldPins]
                         [UserPinPassword =. userPin]
             insert_ $ UserAvsCard api (avsDataCardNo pCard) pCard now
diff --git a/src/Model/Types/Avs.hs b/src/Model/Types/Avs.hs
index 83894ab02..7781081d4 100644
--- a/src/Model/Types/Avs.hs
+++ b/src/Model/Types/Avs.hs
@@ -367,6 +367,10 @@ derivePersistFieldJSON ''AvsDataPersonCard
 getFullCardNo :: AvsDataPersonCard -> AvsFullCardNo
 getFullCardNo AvsDataPersonCard{avsDataCardNo, avsDataVersionNo} = AvsFullCardNo avsDataCardNo avsDataVersionNo
 
+-- | like `tshowAvsFullCardNo` but without leading zeroes for use as pdf pin
+personCard2pin :: AvsDataPersonCard -> Text
+personCard2pin = Text.dropWhile ('0'==) . tshowAvsFullCardNo . getFullCardNo
+
 data AvsStatusPerson = AvsStatusPerson
       { avsStatusPersonID         :: AvsPersonId
       , avsStatusPersonCardStatus :: Set AvsDataPersonCard -- only delivers non-Maybe fields, all Maybe-fields are Nothing
diff --git a/src/Utils/Print.hs b/src/Utils/Print.hs
index f56993524..ca49bd596 100644
--- a/src/Utils/Print.hs
+++ b/src/Utils/Print.hs
@@ -532,11 +532,11 @@ encryptPDF pw bs = over _Left (decodeUtf8 . LBS.toStrict) . exit2either <$> read
   where
     pw' = sanitizeCmdArg pw
     pc  = setStdin (byteStringInput bs) $
-          proc "pdftk"  [ "-"                     -- read from stdin
-                        , "output", "-"           -- write to stdout
-                        , "user_pw", T.unpack pw' -- encrypt pdf content
-                        , "dont_ask"              -- no interaction
-                        , "allow", "Printing"     -- allow printing despite encryption
+          proc "pdftk"  [ "-"                               -- read from stdin
+                        , "output", "-"                     -- write to stdout
+                        , "user_pw", T.unpack $ T.strip pw' -- encrypt pdf content
+                        , "dont_ask"                        -- no interaction
+                        , "allow", "Printing"               -- allow printing despite encryption
                         ]
     -- Note that pdftk will issue a warning, which will be ignored:
     --    Warning: Using a password on the command line interface can be insecure.