Anywhere there's an input field, someone will try to give you their details
...  Saying "please don't enter personally identifying information" is a
bit like saying "Please don't push this button".  How many people hit send
with their CC in the Name/address field because they were watching the
keyboard instead of where the cursor was?  Even with a validation error,
the information has been processed, and probably transmitted.  Someone just
needs a regex pattern.

The standard Enterprise security baselines usually prevent .dmp files being
transmitted (policy or firewall) but they may still need to be destroyed.
Anything that was saved to a 'temp' file - including logs - can potentially
be harvested by the next machine user on shared cloud infrastructure (not sure
about SSD backed SAN), which is why government / High Security clouds,
where users are basically buying the hosted infrastructure for guaranteed
exclusive use.


On Thu, 19 Dec 2019 at 11:14, mike smith <meski...@gmail.com> wrote:

> Consider that ultimate of all log files, a .dmp file.   Everything is
> going to be in that, and they typically get automatically sent when
> something goes wrong.
>
> Mike.
>
> On Thu, Dec 19, 2019, 09:03 Alan Ingleby <alan.ingl...@gmail.com> wrote:
>
>> I guess the key requirement here is "I'm about to write this string to a
>> log file, is there a chance there's a credit card number in here?".  All
>> other things considered, this is a reasonably good safeguard.  I'd imagine if
>> the quick and dirty regex I listed picks anything up, you could do a
>> further mod10 to validate against valid credit card numbers etc.
>>
>> All seems a bit iffy though, doesn't it.  If a CC # has gotten its way to
>> a log file, you really need to question your developers.
>>
>> On Wed, 18 Dec 2019 at 23:11, Grant Maw <grant....@gmail.com> wrote:
>>
>>> I thought all credit cards use the Mod10 (Kuhn) algorithm. I seem to
>>> remember it being a safeguard against data entry errors back in the day,
>>> so this is possibly a hangover from those days.
>>>
>>> We never validate card numbers.  We pass the card data to the processing
>>> gateway and let their APIs handle all that stuff. Less code for us to
>>> maintain.
>>>
>>> On Wed, 18 Dec. 2019, 3:33 pm Preet Sangha, <preetsan...@gmail.com>
>>> wrote:
>>>
>>>> Hi Ed,
>>>>
>>>> Thanks for that. We are a large enterprise platform doing thousands of
>>>> transactions via gateways - CC info is normally flowing through our code
>>>> except in the most secure of ways - we are PCI compliant. However, to be
>>>> extra careful I'm trying to remove anything that looks like a known CC
>>>> shape from logging. It's to prevent issues in case someone inadvertently
>>>> stores CC in fields that they shouldn't. Yes, there's education, but sometimes
>>>> mistakes happen.
>>>>
>>>> regards,
>>>> Preet, in Auckland NZ
>>>>
>>>>
>>>>
>>>> On Wed, 18 Dec 2019 at 16:57, <eddie.deb...@gmail.com> wrote:
>>>>
>>>>> Hi Preet,
>>>>>
>>>>> I don’t know of any libraries that handle this, but I do have a
>>>>> question for you.
>>>>>
>>>>> Why are you validating credit card info?
>>>>>
>>>>> I ask this because if you are validating card info then you are
>>>>> handling/processing card info. Any business handling credit card
>>>>> information should have PCI-DSS compliance.
>>>>>
>>>>> Personally, I find it is much easier to use external providers (eway,
>>>>> paypal et al) to handle the whole payment process, meaning your code never
>>>>> needs to touch a credit card number and you never have to worry about
>>>>> compliance, *security etc.
>>>>>
>>>>> Just another random thought, YMMV.
>>>>>
>>>>> *Security of the card information
>>>>>
>>>>> Ed.
>>>>>
>>>>> *From:* ozdotnet-boun...@ozdotnet.com <ozdotnet-boun...@ozdotnet.com> *On
>>>>> Behalf Of *Preet Sangha
>>>>> *Sent:* Wednesday, 18 December 2019 2:41 PM
>>>>> *To:* ozDotNet <ozdotnet@ozdotnet.com>
>>>>> *Subject:*
>>>>>
>>>>> Would anyone know of any credit card validation/detection or similar
>>>>> libraries that we may be able to incorporate into our .net framework code
>>>>> (preferably in nuget form) in order to eliminate our own hand coded regexes
>>>>> please?
>>>>>
>>>>> Regards Preet
>>>>>
>>>>
>>
>> --
>> Alan Ingleby
>>
>

-- 
Dan Cash
-m. 0411 468 779
-e. dan.c...@gmail.com

F.A.B. Information Systems Pty Ltd   ABN 16 084 146 261
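Alan's regex-plus-mod10 idea and Preet's goal of stripping anything card-shaped from logs, as an added C# example (not code from anyone in the thread): a digit run of the right shape is masked only when it also passes the Luhn check, which is what keeps order ids and phone numbers from being mangled. The sample log lines are constructed.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Added example, not code from the thread: mask card-shaped digit runs in a
// log line only when they also pass the Luhn (mod 10) check.
public static class CardScrubber
{
    // Candidate shape: 13 to 19 digits, each optionally followed by one space or dash.
    private static readonly Regex Candidate =
        new Regex(@"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", RegexOptions.Compiled);

    // Luhn: from the right, double every second digit (subtract 9 if over 9); total must be divisible by 10.
    public static bool PassesLuhn(string digits)
    {
        int sum = 0;
        bool doubleIt = false;
        for (int i = digits.Length - 1; i >= 0; i--)
        {
            int d = digits[i] - '0';
            if (doubleIt && (d *= 2) > 9) d -= 9;
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    // Replace each Luhn-valid candidate with a mask that keeps only the last four digits.
    public static string Scrub(string line)
    {
        return Candidate.Replace(line, m =>
        {
            string digits = new string(m.Value.Where(char.IsDigit).ToArray());
            if (!PassesLuhn(digits)) return m.Value;  // order ids, timestamps etc. survive
            return new string('*', digits.Length - 4) + digits.Substring(digits.Length - 4);
        });
    }

    public static void Main()
    {
        // Constructed sample lines (not real data); 4111 1111 1111 1111 is a well-known test PAN.
        string[] lines =
        {
            "2019-12-18 14:41:02 INFO  order 1234567890123 placed by user 42",
            "2019-12-18 14:41:03 WARN  name field contained '4111 1111 1111 1111'",
            "2019-12-18 14:41:04 INFO  callback number 0400000000 saved",
        };
        foreach (string l in lines) Console.WriteLine(Scrub(l));
    }
}
```

The Luhn check cuts false positives but cannot remove them entirely (any 13 to 19 digit run has roughly a one in ten chance of passing), so this belongs in the logging pipeline as a last line of defence, not as a substitute for keeping card data out of free-text fields.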