Credit Card Filter

This feature offers options for the responsible handling of sensitive data, like credit card numbers, in your OTRS system. With the help of this function, it is possible to hide credit card numbers for new tickets and articles, as well as articles already stored in the system. Additionally, flexibly configurable warning messages for the credit card number can be automatically set and showed.

This mechanism for recognizing credit cards works for cards with 13, 15 or 16 digits. All articles of a ticket in the system will be scanned for valid credit card numbers before storing. Then, the majority of the digits will be encoded before storage in the system.

Benefits
  • Improved data protection.

  • Less security risks for credit card data.

Target Groups
  • Customer service

  • Finance

  • Sales

  • Order management

  • Complaint management

Legacy Credit Card Masking

A console command exists to treat already stored credit card numbers in the system. This command will mask any unmasked valid credit card number in the article database table.

Note

This feature is only available to On-Premise customers. If you are a Managed customer, this feature is taken care of by the Customer Solutions Team in OTRS. Please contact us via support@otrs.com or in the OTRS Portal.

To mask the existing credit card numbers:

  1. Make sure that setting OTRSCreditCardFilter::ActiveMaskEnabled is not enabled.

  2. Create one or more tickets with valid credit card information.

    Issuing Network,Card Number
    JCB,3528988095245935
    JCB,3112606824580636
    JCB,3096030869937728
    JCB,3112437499296450
    JCB,3096010732100407
    JCB,3528461498782367
    JCB,3112892137191440
    JCB,3088814635323630
    
  3. Open the ticket detail view to make sure that the credit card numbers are not masked.

  4. Execute the following command in the command line to mask the credit card numbers:

    otrs> /opt/otrs/bin/otrs.Console.pl Maint::Ticket::MaskCreditCard --restart yes
    
  5. Refresh the ticket detail view. The article the body will shown as:

    Issuing Network,Card Number
    JCB,352898xxxxxx5935
    JCB,311260xxxxxx0636
    JCB,309603xxxxxx7728
    JCB,311243xxxxxx6450
    JCB,309601xxxxxx0407
    JCB,352846xxxxxx2367
    JCB,311289xxxxxx1440
    JCB,308881xxxxxx3630
    

This script starts masking the credit card numbers on last articles first, since they are the most common used, so the results can be seen faster.

See also

For more information about the Maint::Ticket::MaskCreditCard parameters, execute the following command:

otrs> /opt/otrs/bin/otrs.Console.pl Maint::Ticket::MaskCreditCard --help

The architecture of this script is designed to avoid affecting the system performance by working in batches and waiting between each batch. The number of processed articles per batch and the wait time between batches can be fine tuned to match system performance.

The script is also designed to remember last processed article and start again from that, allowing to stop the process at a certain time and resume later. There is an override to force starting again from the beginning.

You could specify an end date so only articles until that date will be processed (e.g. if you started automatic masking at a certain date), also it is possible to specify the number of articles to process per run.

Mask Credit Card

This feature is a complete subsystem that allows the following:

  • Automatically show a warning message next to a credit card number (not storable).

  • Mask credit card numbers for new tickets and articles.

  • Mask credit card numbers contained in articles already stored in the system.

The credit card detection mechanism requires credit card numbers of 13, 15 or 16 digits. These credit card numbers should be at least potentially valid numerically, which means they pass the Luhn algorithm test.

For the current version only a subgroup of all potentially valid credit card number are detected. This is the list of the credit cards numbers that are considered valid:

  • Visa 16 digits starting with a 4.

  • Visa 13 digits starting with a 4.

  • MasterCard 16 digits starting with 51 to 55.

  • Discover 16 digits starting with 6011, 6121-29 to 6229-25, 644 to 649 or 65.

  • JCB 16 digits starting with 3088, 3096, 3112, 3158, 3337 or 3528 to 3589.

  • JCB 15 digits starting with 1800, 2100 or 2131.

  • American Express 15 digits starting with 34 or 37.

For successful detection, the digits of these credit card numbers are allowed without separation or with a single separator in groups of digits as 4-4-4-4, 4-4-4-3, 4-4-4-1 or 4-6-5 (the last combination for American Express only). Allowed separators are -, +, /, . or a combination thereof.

Valid credit card numbers that are a subset of a bigger number are not considerate as credit card numbers. This is to avoid false positives, e.g. a serial number that contains a (not intentionally) valid credit card number. Valid credit card numbers should be enclosed by at least one non-numeric character.

Active Credit Card Masking

When this feature is enabled, every article will be scanned for valid credit card numbers before it is saved on the database. In case of any findings in subject or body, all but the first six and the last four digits will be replaced by a configurable masking character.

See also

The behavior can be changed with the following settings in the system configuration:

  • OTRSCreditCardFilter::ActiveMaskEnabled

  • OTRSCreditCardFilter::MaskedCharacter

For example 1234-5678-9012-3456 becomes 1234-56xx-xxxx-3456.

Warning

This procedure is permanent and irreversible!

To use this feature:

  1. Create a ticket with the following article body:

    Issuing Network,Card Number
    JCB 15 digit,180061388939823
    JCB 15 digit,180079668437698
    JCB 15 digit,180001434886883
    JCB 15 digit,180044208063503
    JCB 15 digit,180010497338476
    JCB 15 digit,210004248524033
    JCB 15 digit,210012319871803
    JCB 15 digit,180094846333594
    JCB 15 digit,210084424984649
    JCB 15 digit,210012951351973
    JCB 15 digit,210008094074787
    JCB 15 digit,210081171733450
    
  2. Open the ticket detail view to see the created ticket. The body of the article will shown as:

    Issuing Network,Card Number
    JCB 15 digit,180061xxxxx9823
    JCB 15 digit,180079xxxxx7698
    JCB 15 digit,180001xxxxx6883
    JCB 15 digit,180044xxxxx3503
    JCB 15 digit,180010xxxxx8476
    JCB 15 digit,210004xxxxx4033
    JCB 15 digit,210012xxxxx1803
    JCB 15 digit,180094xxxxx3594
    JCB 15 digit,210084xxxxx4649
    JCB 15 digit,210012xxxxx1973
    JCB 15 digit,210008xxxxx4787
    JCB 15 digit,210081xxxxx3450
    
  3. You can also try with valid credit card numbers in the subject or fetch a mail with valid credit card information using a postmaster account.

Credit Card Warning Message

It is possible to display a warning message next to the credit card number.

To use this feature:

  1. Make sure that setting OTRSCreditCardFilter::ActiveMaskEnabled is not enabled.

  2. Make sure that setting OTRSCreditCardFilter::WarningTextEnabled is enabled.

  3. Define your custom message in setting OTRSCreditCardFilter::WarningText in the system configuration.

  4. Create a ticket with the following article body:

    Issuing Network,Card Number
    JCB,3528988095245935
    JCB,3112606824580636
    JCB,3096030869937728
    JCB,3112437499296450
    JCB,3096010732100407
    JCB,3528461498782367
    JCB,3112892137191440
    JCB,3088814635323630
    
  5. Open the ticket detail view. The warning message should appear next to the credit card number.

    Issuing Network,Card Number
    JCB,3528988095245935 Reminder: You should not store credit card numbers in this product!
    JCB,3112606824580636 Reminder: You should not store credit card numbers in this product!
    JCB,3096030869937728 Reminder: You should not store credit card numbers in this product!
    JCB,3112437499296450 Reminder: You should not store credit card numbers in this product!
    JCB,3096010732100407 Reminder: You should not store credit card numbers in this product!
    JCB,3528461498782367 Reminder: You should not store credit card numbers in this product!
    JCB,3112892137191440 Reminder: You should not store credit card numbers in this product!
    JCB,3088814635323630 Reminder: You should not store credit card numbers in this product!
    

You can also try with valid credit card numbers in the subject or fetch a mail with valid credit card information using a postmaster account.

Scroll to Top