For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ziad_K_49340's avatar
Ziad_K_49340
Icon for Nimbostratus rankNimbostratus
Jan 13, 2014

Masking credit card numbers based on username

Dears, i am trying to use the credit card masking in a web application using the ASM but the customer wants to mask credit card for specific user and for other users he wants to leave the credit card number as it is. the authentication is done on the web application side.

 

any hints?

 

application delivery
devops
iRules

12 Replies

Show More
  • Arie's avatar
    Arie
    Icon for Altostratus rankAltostratus
    Jan 13, 2014

    Although it's technically possible to mask the credit card numbers for certain users (or, preferably, not mask them for certain users), it would be tricky at best.

     

    Furthermore, since you're dealing with credit card information you're required to comply with the PCI-DSS (standards set by the Payment Card Industry - applies to anyone dealing with credit card data).

     

    If the application is already showing the card numbers to everyone and it cannot be configured to show the card numbers for only certain users, my guess is that the application itself violates the PCI-DSS. If that's true you have much bigger problems than trying to hide the numbers in certain situations...

     

  • M_4's avatar
    M_4
    Icon for Nimbostratus rankNimbostratus
    Mar 05, 2014

    If the app is APM protected, this is really easy. 🙂

    Use the CCN scrubber code (https://devcentral.f5.com/articles/irule-ccn-scrubber) and just add a user check around the masking portion.

     

    if { [ACCESS::session data get "session.logon.last.username"] ne "username to allow cc access" } {  mask CCN }