How does credit card number and social security number masking work in the PCI pods?
Environment:
PCI pods (Includes US Federal Government pods)
Resolution:
Masking Primary Account Numbers (PANs), i.e. credit card and social security numbers, is a data protection feature for sites in the PCI pods.
By default, PANs will be masked on the user interface in any field when accessing the site via the Agent Desktop Console or Browser User interface. These numbers are only masked on the display and not at the data level.
Example: ****-****-****-**** or ***-**-****
This masking should not be confused with the Incident Thread Masking or the Chat Enhanced Business Rules Masking capabilities. These other two features are configurations you setup to remove credit card or SSN from being saved with your data.
Additional helpful masking information:
-Credit card and SSN masking is enabled by default but if you want to view either or both you can submit a Service Request and let us know the type of adjustment you are requesting. Credit card and SSN masking is interface specific for incidents and site wide for chat.
- If your site uses a certain pattern of numbers which should not be masked, we can potentially add that to an exception rule with a request from you with the specific number pattern.
-The masking mechanism will scan everything (subject, body, custom fields, report output values, etc).
-Since forwarding incidents, results in sending emails outside the Oracle B2C Service application, it is not recommended to forward incidents outside of your organization. Credit card and SSN numbers will not be masked outside of B2C. Therefore, if an agent replies to an incident with a credit card number or SSN, while it will appear masked on the agents display, the customer would see that information in the email received.
- The pods use Luhn algorithm (checksum formula) to determine whether the number is a credit card number.
For more information on implementing in a regulated environment such as PCI or HIPAA, please see Answer ID 9570: Guidance for Implementing in PCI or HIPAA Service Cloud Environment for specific deployment considerations.
See also Answer ID 7856: Social Security Number not getting masked in chat transcript for more information on masked formats.