How to mask a Credit Card Number?
Users who send credit card numbers via insecure means expose themselves - and you - to risk. Here's how to stop it.
There are secure and insecure ways to send a credit card number online. Unfortunately, many people opt for the insecure route. In this article, I'll examine why and how people share credit card information online. I'll also discuss ways to detect and mask (or redact) a real credit card number in various business applications.
Exposing a credit card or a debit card number and related information exposes a user to extreme risk. If a malicious agent gets a hold of a user's credit card information, they can use it to rack up thousands of dollars of charges.
Hackers are constantly looking for ways to obtain a user's sensitive data. These techniques include everything from sniffing data on public wi-fi networks to shoulder-surfing. Users who send real credit card data over an insecure channel can expose themselves to fraud.
Businesses must also always be mindful of handling credit card and debit card data. The Payment Card Industry Data Security Standard (PCI-DSS) is de facto mandatory for companies worldwide. One of PCI-DSS's core stipulations is limiting internal access to credit card data. That's impossible if this data exists in multiple locations, such as emails and instant messages.
Some users think sending a credit card number is safe so long as it's on an encrypted channel (e.g., a Slack chat, or WhatsApp). But this can still expose a business to legal liability. For example, the General Data Protection Regulation (GDPR) in the European Union defines credit card data as personal data. Under GDPR, users have a "right to be forgotten." This is hard - if not impossible - to implement if personal data isn't centralized. If your company inadvertently exposes a user's credit card information, it can be held liable for a data protection violation. Such violations cost companies severe penalties and fines.
Users should feel safe submitting credit card and debit card data via an encrypted form that securely stores and controls access to this sensitive data. Unfortunately, many users also share credit card numbers via other business tools, including:
You should find and mask (aka redact) credit card numbers in all of these cases. Ideally, you're storing this information in a single location and tokenizing its use elsewhere across your business. This protects your customers and strengthens your compliance posture.
Let's look at each of these cases more closely.
Email is so convenient that users often don't think twice about sending personal information. For example, customers may send their credit card number to a store's service reps to verify their purchase.
However, email is an inherently insecure medium. Hackers can intercept and read unencrypted email messages easily.
A sender or receiver can recall a message containing credit card or debit card information. However, this process is time-consuming as well as error-prone.
To mask information in email, you can use email masking software. Such software scans incoming and outgoing messages and removes any information that matches a certain pattern.
A company agent may ask a customer to send their credit card information via a help system, such as ZenDesk, Intercom, or FreshDesk. Both the customer and agent may feel this is secure since the channel is encrypted. However, this still exposes the company to the data protection issues we discussed above.
In tools such as ZenDesk, administrators and certain agents can leverage the software's built-in redaction tools to remove sensitive information. You can also use the tools' privacy and security features to limit access to potentially sensitive data.
Company personnel who realize email isn't secure may use cloud storage to upload credit card and debit card data. This is slightly better than sending the same information via email.
But cloud storage can still expose a user's sensitive information to unauthorized personnel if improperly configured. It could even expose that information to the general public.
With cloud storage, you can write code that uses your cloud provider's Application Programming Interfaces (APIs) to enumerate files and scan their contents. If the code finds information matching a real credit card number format, it can mask (aka redact) it - or even delete the file.
The benefit of this technique is that you can automate it. The downside is that it requires months of investment from technical staff.
Slack and instant messaging apps are other examples where customers and agents may be tempted to exchange credit card information. It's convenient, fast, and encrypted.
But Slack may not be as secure as we like to believe. The tool has been the target of hackers in recent years. In 2015, Slack admitted that at least one attacker successfully infiltrated its system and stole customer data.
It's not possible to directly edit another user's messages in Slack. However, you could mask credit card numbers by implementing a bot. The bot could block any message containing a credit card number and then repost it with the number masked.
Additionally, be sure to secure your company's usage of Slack to limit the possibility of intrusion and data leakage.
It's possible to mask credit card numbers across various applications. But implementing this yourself is error-prone and time-consuming.
Strac performs automated masking of credit card numbers and other personally identifiable information across several apps, including Gmail, Slack, ZenDesk, Office365, and more.
Book a demo today to see it in action!
If you have any questions or want to learn how to protect Credit Card numbers on your SaaS or cloud apps, please book a meeting with us.