Credit Card and Social Security Number Masking in the PI (PCI) or FG Pod
Answer ID 5622   |   Last Review Date 03/08/2022

How does credit card number and social security number masking work in the PI or FG pod?


PCI/DSS, PI pod, FG pod, masking
Oracle B2C Service


Masking of Primary Account Numbers (PANs), i.e. credit card and social security numbers, is a feature for sites in the PI or FG pod.

By default, the F5 Load Balancers (the "Application Scanning Modules" or "Web Application Firewalls" in the F5s) will mask the PANs when the site is accessed via the Agent Desktop or Web interface. These numbers are only masked on the display and not at the data level.

Example: ****-****-****-**** or ***-**-****

Additional helpful masking information:

- Credit card and SSN masking is enabled by default, but if you only want one or the other, you can submit a Service Request and let us know the type of adjustment you are requesting.

- If your site uses a certain pattern of numbers which should not be masked, we can potentially add that to an exception rule with a request from you with the specific number pattern.

- It will scan everything (subject, body, including custom fields).

- Since forwarding incidents results in sending emails outside the Oracle B2C Service application, it is not recommended to forward incidents outside of your organization. Credit card and SSN numbers will not be masked outside of B2C. Therefore, if an agent replies to an incident with a credit card number or SSN, while it will appear masked on the agent's end, the customer would see that information in the email received.

- There are two types of masking: in the admin console, or on the end-user page (for a specific URL).

- The pods use the Luhn algorithm (checksum formula) to determine whether or not the number is a CC or SSN. Random numbers will NOT be masked.

- Credit card and SSN masking is interface specific for incidents and site wide for chat.
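
The following is an added illustration, not Oracle or F5 code, of how a Luhn check separates card numbers from random digit strings and why masking at display time leaves the stored data unchanged. The matching pattern, the function names and the sample incident are assumptions made for the example, and it covers card numbers only because the SSN rule is not described here.

```python
import re

# Assumption: 13-19 digits, optionally split by single spaces or hyphens.
# The pattern the pods actually use is not published on this page.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_for_display(text: str) -> str:
    """Return a masked copy of text; numbers failing Luhn are left as typed."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group())
        if not luhn_valid(digits):
            return match.group()
        if len(digits) == 16:
            return "****-****-****-****"   # format from the example above
        return "*" * len(digits)           # assumed format for other lengths
    return CANDIDATE.sub(repl, text)

def render(incident: dict) -> dict:
    """Mask every field for display (subject, body, custom fields)."""
    return {field: mask_for_display(value) for field, value in incident.items()}

# Constructed sample data: a well-known test card number and an order number
# that has the same shape but fails the checksum.
SAMPLE_INCIDENT = {
    "subject": "Refund to 4111-1111-1111-1111",
    "body": "Card 4111 1111 1111 1111, order 1234-5678-9012-3456.",
    "custom_field": "4111111111111111",
}

if __name__ == "__main__":
    for field, shown in render(SAMPLE_INCIDENT).items():
        print(f"{field}: displayed={shown!r} stored={SAMPLE_INCIDENT[field]!r}")
```

The stored incident still holds the full number after rendering, which is why a reply or forward that leaves the application carries it unmasked.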

For more information on implementing in a regulated environment such as PCI or HIPAA, please see Answer ID 9570: Guidance for Implementing in PCI or HIPAA Service Cloud Environment for specific deployment considerations.

See also Answer ID 7856: Social Security Number not getting masked in chat transcript for more information on masked formats.

***INTERNAL REFERENCE ONLY!*** Information in the Section below is not available to customers. Do not send content to customers.

If the customer has a pattern of numbers they don't want masked, one of their Primary Support Contacts would need to request this modification in an SR with the specific pattern used for their custom number, and then Support can submit a JIRA ticket requesting GNC to make this change. Don't make any promises to the customer, as there may be additional approval needed. If they don't want masking at all, see the internal section in Answer ID 6541: PC or PI (PCI) FG Masking: Incident vs Chat.

***INTERNAL REFERENCE ONLY!*** Information in the Section above is not available to customers. Do not send content to customers.
