Anywhere there's an input field, someone will try to give you their details ... Saying "please don't enter personally identifying information" is a bit like saying "Please don't push this button". How many people hit send with their CC in the Name/address field because they were watching the keyboard instead of where the cursor was? Even with a validation error, the information has processed, and probably transmitted. Someone just needs a regex pattern.
The standard Enterprise security baselines usually prevent .dmp files being transmitted (policy or firewall) but they may still need to be destroyed. Anything that was saved to a 'temp' file - including logs - can potentially be harvested by next machine user on shared cloud infrastructure (not sure about SSD backed SAN), which is why government / High Security clouds, where users are basically buying the hosted infrastructure for guaranteed exclusive use. On Thu, 19 Dec 2019 at 11:14, mike smith <meski...@gmail.com> wrote: > Consider that ultimate of all log files, a .dmp file. Everything is > going to be in that, and they typically get automatically sent when > something goes wrong. > > Mike. > > On Thu, Dec 19, 2019, 09:03 Alan Ingleby <alan.ingl...@gmail.com> wrote: > >> I guess the key requirement here is "I'm about to write this string to a >> log file, is there a chance there's a credit card number in here?". All >> other things considered, this is reasonably good safeguard. I'd imaging if >> the quick and dirty regex I listed picks anything up, you could do a >> further mod10 to validate against valid credit card numbers etc. >> >> All seems a bit iffy though doesn't it. If a CC # has gotten its way to >> a log file, you really need to question your developers. >> >> On Wed, 18 Dec 2019 at 23:11, Grant Maw <grant....@gmail.com> wrote: >> >>> I thought all credit cards use the Mod10 (Kuhn) algorithm. I seem to >>> remember it being a safeguard against data entry errors back in the day, >>> so this is possibly a hangover from those days. >>> >>> We never validate card numbers. We pass the card data to the processing >>> gateway and let their APIs handle all that stuff. Less code for us to >>> maintain. >>> >>> On Wed, 18 Dec. 2019, 3:33 pm Preet Sangha, <preetsan...@gmail.com> >>> wrote: >>> >>>> Hi Ed, >>>> >>>> Thanks for that. We are an large enterprise platform doing thousands of >>>> transactions via gateways - CC info is normally flowing through our code >>>> except in the most secure of ways - we are PCI compliant. However to be >>>> extra careful I'm trying to remove anything that looks like a known CC >>>> shape from logging. It's to prevent issues in case someone inadvertently >>>> stores CC in fields that they shouldn't. Yes there education but sometimes >>>> mistakes happen. >>>> >>>> regards, >>>> Preet, in Auckland NZ >>>> >>>> >>>> >>>> On Wed, 18 Dec 2019 at 16:57, <eddie.deb...@gmail.com> wrote: >>>> >>>>> Hi Preet, >>>>> >>>>> >>>>> >>>>> I don’t know of any libraries that handle this, but I do have a >>>>> question for you. >>>>> >>>>> >>>>> >>>>> Why are you validating credit card info? >>>>> >>>>> >>>>> >>>>> I ask this because if you are validating card info then you are >>>>> handling/processing card info. Any business handling credit card >>>>> information should have PCI-DSS compliance. >>>>> >>>>> >>>>> >>>>> Personally, I find it is much easier to use external providers (eway, >>>>> paypal et al) to handle the whole payment process, meaning your code never >>>>> needs to touch a credit card number and you never have to worry about >>>>> compliance, *security etc. >>>>> >>>>> >>>>> >>>>> Just a another random thought, YMMV. >>>>> >>>>> >>>>> >>>>> *Security of the card information >>>>> >>>>> >>>>> >>>>> Ed. >>>>> >>>>> >>>>> >>>>> *From:* ozdotnet-boun...@ozdotnet.com <ozdotnet-boun...@ozdotnet.com> *On >>>>> Behalf Of *Preet Sangha >>>>> *Sent:* Wednesday, 18 December 2019 2:41 PM >>>>> *To:* ozDotNet <ozdotnet@ozdotnet.com> >>>>> *Subject:* >>>>> >>>>> >>>>> >>>>> Would anyone know of any credit card validation/detection or similar >>>>> libraries that we may be able incorporate into our .net framework code >>>>> (preferably in nuget form) in order to eliminate our own hand coded regexs >>>>> please? >>>>> >>>>> >>>>> >>>>> Regards Preet >>>>> >>>>> >>>>> >>>> >> >> -- >> Alan Ingleby >> > -- Dan Cash -m. 0411 468 779 -e. dan.c...@gmail.com F.A.B. Information Systems Pty Ltd ABN 16 084 146 261
