Anonymizing credit card numbers
Log messages of banking and e-commerce applications might include credit card numbers (Primary Account Number or PAN). According to privacy best practices and the requirements of the Payment Card Industry Data Security Standards (PCI-DSS), PAN must be rendered unreadable. The AxoSyslog application uses a regular expression to detect credit card numbers, and provides two ways to render them unreadable: you can either mask the credit card numbers, or replace them with a hash. To do this, use the credit-card-mask() or the credit-card-hash() rewrite rule in a log path.
Declaration:
@include "scl/rewrite/cc-mask.conf"
rewrite {
credit-card-mask(value("<message-field-to-process>"));
};
By default, these rewrite rules process the MESSAGE part of the log message.
credit-card-hash()
Synopsis: | credit-card-hash(value(" |
Description: Process the specified message field (by default, ${MESSAGE}), and replace any credit card numbers (Primary Account Number or PAN) with a 16-character-long hash. This hash is generated by calculating the SHA-1 hash of the credit card number, selecting the first 64 bits of this hash, and representing these 64 bits as 16 characters.
credit-card-mask()
Synopsis: | credit-card-mask(value(" |
Description: Process the specified message field (by default, ${MESSAGE}), and replace the 7th through 12th characters of any credit card numbers (Primary Account Number or PAN) with asterisks (*). For example, AxoSyslog replaces the number 5542043004559005 with 554204******9005.
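The following Python sketch reproduces the two transformations described above so that you can check what a rewritten field should look like. It is an added example, not AxoSyslog's own code. It assumes a simplified detection pattern (a standalone run of 13-19 digits) instead of AxoSyslog's regular expression, and assumes that the digits are hashed as ASCII text and that the 64 bits are written as lowercase hexadecimal.

```python
import hashlib
import re

# Assumption: a simplified detector (a standalone run of 13-19 digits).
# AxoSyslog's own regular expression is not reproduced here.
PAN_RE = re.compile(r"(?<![0-9])[0-9]{13,19}(?![0-9])")


def mask_pan(pan: str) -> str:
    """Replace the 7th through 12th characters with asterisks."""
    return pan[:6] + "*" * len(pan[6:12]) + pan[12:]


def hash_pan(pan: str) -> str:
    """SHA-1 the PAN, keep the first 64 bits, render them as 16 characters.

    Assumptions: the digits are hashed as ASCII text and the 64 bits
    are written as lowercase hexadecimal.
    """
    digest = hashlib.sha1(pan.encode("ascii")).digest()
    return digest[:8].hex()


def anonymize(message: str, mode: str = "mask") -> str:
    """Rewrite every detected PAN in a message field ('mask' or 'hash')."""
    rewrite = {"mask": mask_pan, "hash": hash_pan}[mode]
    return PAN_RE.sub(lambda m: rewrite(m.group(0)), message)


# Constructed sample log lines; the PAN is the example number from the text.
SAMPLE_LINES = [
    "payment accepted card=5542043004559005 amount=19.99",
    "refund issued card=5542043004559005 order=1001",
    "session 42 opened from 10.0.0.5",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(anonymize(line, "mask"))
        print(anonymize(line, "hash"))
```

Because the hash is computed from the card number alone, the same PAN produces the same 16-character value in every message, so hashed logs can still be correlated per card, while masked logs keep only the first six and last four digits.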