Manual Chapter : Masking Credit Card Numbers in Logs

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 13.0.0
Manual Chapter

Overview: Masking credit card numbers in logs

Application Security Manager™ (ASM) can mask credit card numbers in request logs. By default, when you create a security policy, the option to mask credit card numbers is enabled. Wherever credit card numbers appear in logs and violation details, they will be replaced by asterisks.

Keeping the Mask Credit Card Numbers in Request Log option enabled is required for PCI compliance. You must use this option in addition to Data Guard and masking sensitive parameters to comply with the Protect Stored Cardholder Data requirement. Data Guard masks sensitive information, such as credit card numbers and social security numbers, in responses.

Sensitive parameters can conceal sensitive information that is passed as parameters, such as credit card numbers. Making a parameter sensitive guarantees that its values are always masked in logs. Using sensitive parameters is good for form fields that are designated to contain sensitive data (like credit card numbers). But since a user can include credit card numbers in other places, enabling the Mask Credit Card Numbers in Request Log option looks for them anywhere in the request and masks them, providing an additional layer of security.

Masking credit card numbers in request logs

You can make sure that a security policy is set up to mask credit card numbers in logs and violations. This protects sensitive information, specifically credit card numbers, more securely.
  1. On the Main tab, click Security > Application Security > Policy > Policy Properties .
    The Policy Properties screen for the current edited policy opens.
  2. Select the Mask Credit Card Numbers in Request Log check box if it is not already enabled.
  3. Click Save to save your settings.
The system now looks for occurrences of credit card numbers in request logs, violations, suggestions, and reports and replaces them with asterisks.