Best practice to identify it is no value or no permission in json

API return data in json format response: { name : 'John' creditCardNum: '123456789' }

What's the best practice to identify the creditCardNum has no value (maybe not yet setup the credit card) or the request user has no permission to view credit card info?

I am thinking of : No Value : { name : 'John' } No permission : { name : 'John' noPermissionCreditCardNum : true }

But for no permission, I need to add another field for identify it is no permission.