Mask & unmask data in journal

We have custom Windows equipment that generates journals that unfortunately
contain credit card numbers (which PCI-DSS would not allow) but our business
people need this info.

At Windows OS level, are there any free tools or ways to mask this card info in
the journal (treat these journal files as 'locked' just like event viewer logs) &
when the authorized needs it, it will be 'unmasked' to them.

Any other solutions are most welcome

sunhux Author Commented:
>when the authorized needs it, it will be 'unmasked' to them.
when the authorized staff needs it, it will be 'unmasked' to him/her.
Gary Patterson VP Technology / Senior Consultant Commented:
Sounds like you've got a PCI-DSS problem that is going to take a programmer to fix.

Ultimately, you're storing the Primary Account Number (PAN), and this is going to create compliance problems for you.  Doesn't matter if you mask it sometimes, if the number is stored and can be accessed.

Can you store PAN and comply with PCI-DSS?  Yes, but it is very difficult.

This isn't something we can solve in a forum - risks are too high.  You need to get some professional help.

- Gary
sunhux Author Commented:
Yes, it's PCI-DSS compliance related: think
ATM card# is out of PCI-DSS scope but
PAN & credit card# is in scope & is a concern.

Wow, not any masking algorithm is acceptable:
guess need to encrypt & encryption password
known to authorized staff only?

btan Exec Consultant Commented:
The objective is to achieve this:

3.3. Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.

The means to achieve this is via these, and not necessarily encryption:

3.4. Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
- One-way hashes based on strong cryptography (hash must be of the entire PAN)
- Truncation (hashing cannot be used to replace the truncated segment of PAN)
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key-management processes and procedures.

Tokenisation is discussed as another form of approach that "tokenizes" (for example) PANs and removes them from the CDE and from PCI DSS audit scope.  But this requires setting up an additional system - e.g.
Dynamic data masking. Administrators can establish policies to return an entire field tokenized or dynamically mask parts of a field. For example, a security team could establish policies so that a user with customer service representative credentials would only receive a credit card number with the last four digits visible, while a customer service supervisor could access the full credit card number in the clear.
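
As an added illustration of the truncation approach in 3.4 and the first-six/last-four limit in 3.3 quoted above (not code from any poster in this thread), the sketch below truncates PANs in journal lines before they are stored. It assumes a line-oriented text journal; the function names, the journal layout and the sample lines are constructed for the example, and it goes slightly beyond the quoted text by also handling space- or dash-separated numbers and using a Luhn check to leave other digit runs alone.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum, used to skip digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits):
    """Keep at most the first six and last four digits (PCI DSS 3.3 limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_line(line):
    """Replace every Luhn-valid PAN candidate in one journal line."""
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return truncate_pan(digits) if luhn_ok(digits) else match.group(0)
    return PAN_CANDIDATE.sub(repl, line)


def mask_journal(lines):
    return [mask_line(line) for line in lines]


# Constructed sample lines in a hypothetical journal format.
# 4111111111111111 is a widely used test card number, not a real account.
SAMPLE_JOURNAL = [
    "2019-09-30 10:15:02 TXN=000981 PAN=4111111111111111 AMT=25.00",
    "2019-09-30 10:16:40 TXN=000982 CARD 4111-1111-1111-1111 DECLINED",
    "2019-09-30 10:17:05 BATCH REF=1234567890123456 CLOSED",
]

if __name__ == "__main__":
    for masked in mask_journal(SAMPLE_JOURNAL):
        print(masked)
```

Truncation is one-way, so a journal processed like this cannot be 'unmasked' later; giving authorized staff the full PAN would need one of the other listed approaches, such as strong cryptography with key management or tokens.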

Gary Patterson VP Technology / Senior Consultant Commented:
May I suggest that you just read the relevant sections of PCI DSS?  Suggest that you focus on Requirement 3, which is relevant to this.  You can download it from here:

Storing PAN, even encrypted, subjects you to more complex and costly requirements than if you are able to avoid storing them completely.  Ideally, delegate that responsibility to a vendor (recurring payments is a classic example of why organizations store PAN), for example, and use a tokenization scheme so that only tokens are stored in your system.

If you decide to encrypt, you need to make sure you encrypt the PAN wherever found:  database, logs, dumps, backups, etc.  You also need to understand and document policies for secure management of crypto keys.  Review Requirements 3.5 and 3.6 for more information on crypto key management.

You -CAN- store PAN in your system under DSS, but due to the costs, complexity, and risks, many organizations who can avoid it choose not to.  The best strategy is to avoid storing them at all, if you can.
Between the lines it asks for role-based access controls for displaying full PAN.