Mask & unmask data in journal

sunhux
We have custom Windows equipment that generates journals that unfortunately
contain credit card numbers (which PCI-DSS would not allow), but our business
people need this information.

At Windows OS level, are there any free tools or ways to mask this card info in
the journal (treat these journal files as 'locked', just like Event Viewer logs) &
when the authorized staff need it, it will be 'unmasked' to them.

Any other solutions are most welcome
Author

Commented:
Correction:
>when the authorized needs it, it will be 'unmasked' to them.
when the authorized staff needs it, it will be 'unmasked' to him/her.
Gary Patterson, VP Technology / Senior Consultant
Commented:
Sounds like you've got a PCI-DSS problem that is going to take a programmer to fix.

Ultimately, you're storing the Primary Account Number (PAN), and this is going to create compliance problems for you. It doesn't matter if you mask it sometimes, if the number is stored and can be accessed.

Can you store PAN and comply with PCI-DSS?  Yes, but it is very difficult.

This isn't something we can solve in a forum - the risks are too high. You need to get some professional help.

- Gary

Author

Commented:
Yes, it's PCI-DSS compliance related: I think
the ATM card# is out of PCI-DSS scope, but
the PAN & credit card# are in scope & are a concern.

Wow, so not just any masking algorithm is acceptable:
I guess we need to encrypt, with the encryption password
known to authorized staff only?
Exec Consultant
Distinguished Expert 2018
Commented:
The objective is to achieve this:
3.3. Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.
The means to achieve this are via these, and not necessarily encryption:
3.4. Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
-One-way hashes based on strong cryptography, (hash must be of the entire PAN)
-Truncation (hashing cannot be used to replace the truncated segment of PAN)
-Index tokens and pads (pads must be securely stored)
-Strong cryptography with associated key-management processes and procedures.
Tokenisation is discussed as another approach that "tokenizes" (for example) PANs and removes them from the CDE and from PCI DSS audit scope. But this requires setting up an additional system, e.g.:
Dynamic data masking. Administrators can establish policies to return an entire field tokenized or dynamically mask parts of a field. For example, a security team could establish policies so that a user with customer service representative credentials would only receive a credit card number with the last four digits visible, while a customer service supervisor could access the full credit card number in the clear.
https://www.vormetric.com/products/tokenization
Gary Patterson, VP Technology / Senior Consultant
Commented:
May I suggest that you just read the relevant sections of PCI DSS? I suggest that you focus on Requirement 3, which is relevant to this. You can download it from here:

https://www.pcisecuritystandards.org/document_library

Storing PAN, even encrypted, subjects you to more complex and costly requirements than if you are able to avoid storing it completely. Ideally, delegate that responsibility to a vendor (recurring payments is a classic example of why organizations store PAN), for example, and use a tokenization scheme so that only tokens are stored in your system.

If you decide to encrypt, you need to make sure you encrypt the PAN wherever it is found: database, logs, dumps, backups, etc. You also need to understand and document policies for secure management of crypto keys. Review Requirements 3.5 and 3.6 for more information on crypto key management.

You -CAN- store PAN in your system under DSS, but due to the costs, complexity, and risks, many organizations who can avoid it choose not to. The best strategy is to avoid storing it at all, if you can.
Top Expert 2015
Commented:
Between the lines it asks for role-based access controls for displaying full PAN.
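To make the quoted Requirement 3.3 display masking, the Requirement 3.4 "render unreadable in logs" options, and the role-based display that the Vormetric description and the comment above call for concrete, here is an added Python example. It is not code from any poster, from PCI SSC or from the Vormetric product. Everything in it is an assumption for illustration: PANs are located in journal lines as 13-19 digit runs filtered with the Luhn check (to avoid masking reference numbers), the "store" form is an HMAC-SHA256 over the entire PAN under a placeholder key that would in practice come from a managed secret store, and the role names `csr` and `supervisor` are taken from the Vormetric quote. The sample journal lines are constructed and use well-known test card numbers, not real data.

```python
import hashlib
import hmac
import re

# Constructed sample journal lines (the card numbers are public test PANs that
# pass the Luhn check; the 10-digit REF is a decoy that must not be masked).
SAMPLE_JOURNAL = """\
2018-03-01 09:12:44 TXN 000123 APPROVED CARD 4111111111111111 AMT 25.00
2018-03-01 09:13:10 TXN 000124 DECLINED CARD 5555555555554444 AMT 10.50
2018-03-01 09:14:02 BATCH 000125 REF 1234567890 STATUS OK
"""

# Placeholder key (assumption): load from an HSM / secret store in a real deployment,
# never hard-code it. An unkeyed hash of a PAN is brute-forceable because PANs
# have little entropy, so the "store" form below is keyed.
DEMO_KEY = b"PLACEHOLDER-KEY-FROM-MANAGED-SECRET-STORE"

PAN_RE = re.compile(r"\b\d{13,19}\b")   # candidate PAN: 13-19 digit run


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out reference numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Req. 3.3 display form: first six and last four are the MAXIMUM shown."""
    if keep_first > 6 or keep_last > 4 or len(pan) < keep_first + keep_last:
        raise ValueError("mask exceeds the permitted first-six/last-four")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "X" * hidden + pan[len(pan) - keep_last:]


def render_unreadable(pan: str, key: bytes) -> str:
    """Req. 3.4 one-way form: keyed hash over the ENTIRE PAN (not a fragment).
    This is irreversible; if staff must recover the PAN you need reversible
    strong cryptography with key management, or a tokenization vault, instead."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def display_pan(pan: str, role: str) -> str:
    """Role-based display: CSR sees last four only, supervisor sees the full PAN,
    every other role is denied (least privilege, no default 'show')."""
    if role == "supervisor":
        return pan
    if role == "csr":
        return mask_pan(pan, keep_first=0, keep_last=4)
    raise PermissionError(f"role {role!r} is not authorised to view PAN")


def redact_journal(text: str, key: bytes, mode: str = "display"):
    """Replace every Luhn-valid 13-19 digit run in the journal text.
    mode='display' -> 3.3 masked form; mode='store' -> 3.4 keyed-hash reference.
    Returns (redacted_text, number_of_pans_replaced)."""
    if mode not in ("display", "store"):
        raise ValueError("mode must be 'display' or 'store'")
    replaced = 0

    def _sub(m: re.Match) -> str:
        nonlocal replaced
        digits = m.group(0)
        if not luhn_ok(digits):
            return digits           # not a card number; leave untouched
        replaced += 1
        if mode == "display":
            return mask_pan(digits)
        return "PANREF:" + render_unreadable(digits, key)

    return PAN_RE.sub(_sub, text), replaced


if __name__ == "__main__":
    masked, n = redact_journal(SAMPLE_JOURNAL, DEMO_KEY, mode="display")
    print(f"{n} PAN(s) masked for display:\n{masked}")
    stored, _ = redact_journal(SAMPLE_JOURNAL, DEMO_KEY, mode="store")
    print(f"journal as it may be retained:\n{stored}")
    print("CSR view:", display_pan("4111111111111111", "csr"))
```

The "store" output is what would be written to disk or backup; the cleartext journal the equipment produces would still have to be destroyed or encrypted, otherwise, as the replies above point out, the PAN is still stored and the masking changes nothing about scope.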
