
Protecting Sensitive Data

You can protect credit card Primary Account Numbers (PANs) and other sensitive data so that it is not displayed on the screen or in productivity features, such as Screen History. You can also redact other types of sensitive data and set other security features to protect your data.

You configure these settings in the Set Up Information Privacy dialog box.

How do I get to the Set Up Information Privacy dialog box?
  1. Open Workspace Settings.

    The steps depend on your user interface mode.

    | User Interface Mode | Steps |
    | --- | --- |
    | Ribbon | On the File menu, or the Reflection button (if using the Office 2007 Look and Feel), choose Reflection Workspace Settings. Then click Workspace Settings. |
    | Reflection Browser | On the Reflection menu, choose Settings and then Reflection Workspace Settings. Then click Workspace Settings. |
    | TouchUx | Tap the Gear icon and then select Reflection Workspace Settings. Then click Workspace Settings. |
  2. Under Trust Center, click Set Up Information Privacy.

Redacting Primary Account Numbers used for credit cards

You can redact credit card Primary Account Numbers (PANs) to meet Payment Card Industry Data Security Standard (PCI DSS) requirements (see PCI Security Standards Council).

Note: PCI DSS is a worldwide standard, published by PCI Security Standards Council, LLC, comprising technology requirements and process requirements designed to prevent fraud. All companies that handle credit cards are likely to be subject to this standard.

You can choose from three methods for redacting credit card PAN data: Simple Primary PAN Detection, Simple PAN Detection with Preceding Text, or Reflection PAN Detection.

| Method | Use when | Considerations |
| --- | --- | --- |
| Simple PAN Detection matches a credit card number sequence. | All of the credit card data in your host applications are displayed and entered in a "contiguous" fashion. You are only detecting PANs for the prepackaged major credit card issuers. | Easy to set up |
| Simple PAN Detection with Preceding Text matches preceding text (e.g., Account) followed by a credit card number sequence. | Same as above except credit card data in your host applications are always labeled in predictable ways. | Relatively easy to set up. Avoids false positives |
| Reflection PAN Detection uses regular expressions to detect PANs. | You need to define custom card issuer patterns to detect, such as oil company or department store cards. | Allows the greatest degree of flexibility and customization for unique detection needs |
| | PANs appear in a non-contiguous format or are entered using non-standard digit group separators. | Computationally intensive; can degrade performance on PCs with limited processing power or memory. |
| | You want PAN detection to be especially "aggressive" or "greedy" in that any digit grouping on any screen should be considered for redaction, and you need to be able to redact without regard to what other text or digit separators may appear between single or groups of digits in the PAN. | The likelihood of "false positive" redaction is much greater with this method than the other two, especially if your host screens are very digit-laden. |
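The trade-offs in the table above, as an added example (not Reflection's detection code or its built-in patterns): three Python approximations of the methods, run over constructed host-screen lines to show which approach redacts what. The issuer prefixes, the labels, the three-character separator limit and the keep-last-four masking are assumptions made for illustration.

```python
import re

# Simplified issuer shapes (assumption): 16-digit numbers starting 4 or 51-55.
PAN = r"(?:4\d{15}|5[1-5]\d{14})"
METHODS = {
    # 1. Contiguous digits only.
    "simple": re.compile(rf"(?<!\d){PAN}(?!\d)"),
    # 2. Contiguous digits, but only after a label (hypothetical labels).
    "preceding_text": re.compile(
        rf"\b(?:account|card)\b[^\d\n]{{0,10}}({PAN})(?!\d)", re.I),
    # 3. Greedy: any 16 digits with up to 3 non-digits between them.
    "greedy_regex": re.compile(r"\d(?:\D{0,3}\d){15}"),
}

def redact(line, pattern, keep=4):
    """Mask every digit of each detected PAN except the last `keep`."""
    def mask(m):
        g = m.lastindex or 0  # group 1 holds the PAN when a label matched
        pan, whole = m.group(g), m.group(0)
        offset = m.start(g) - m.start(0)
        total = sum(c.isdigit() for c in pan)
        seen, out = 0, []
        for c in pan:
            if c.isdigit():
                seen += 1
                c = c if seen > total - keep else "*"
            out.append(c)  # separators inside the PAN are left in place
        return whole[:offset] + "".join(out) + whole[offset + len(pan):]
    return pattern.sub(mask, line)

def compare(line):
    """Return {method name: redacted line} for one screen line."""
    return {name: redact(line, rx) for name, rx in METHODS.items()}

# Constructed host-screen lines; 4111111111111111 is a widely used test number.
SCREEN = [
    "ACCOUNT: 4111111111111111  EXP 12/30",  # labeled, contiguous
    "CARD 4111 1111-1111 1111",              # non-contiguous separators
    "TRACKING 4000123456789012",             # PAN-shaped, but not a card
    "REF 2024-0115 / 0012 / 8843",           # digit-laden reference field
]

if __name__ == "__main__":
    for line in SCREEN:
        for name, shown in compare(line).items():
            print(f"{name:15} {shown}")
```

Only the greedy pattern catches the separated PAN on the second line, and it is also the only one that masks the reference field on the last line; the preceding-text pattern is the only one that leaves the tracking number alone.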

Redacting Other Types of Data and Requiring Secure Connections

You can redact other types of sensitive data like US Social Security Numbers and set other security features to require secure connections. You can also enable events that fire when PANs can be viewed by a user.

| Do this... | If you need to... |
| --- | --- |
| Set up Privacy Filters Redaction Rules and Privacy Filters. | Redact certain patterns of data that are outside the realm of credit card formats (e.g., US Social Security numbers). |
| Set up PCI DSS Rules. | Require secure connections (as may be required for PCI DSS compliance). Fire API events that you can handle to create logs or perform other actions required for compliance. |

Note:

  • You can use Privacy Filters together with Primary Account Number (PAN) detection. To improve performance, do not duplicate existing PAN patterns in privacy filters.

  • Information Privacy settings do not apply to IBM host printer emulation.

  • If redaction is enabled, HLLAPI functions are disabled to prevent access to unredacted data through HLLAPI.

For detailed explanations, instructions, and examples that show how to set up Information Privacy features, see the Reflection Desktop Deployment Guide.