Users sometimes enter sensitive information such as credit card numbers into Web sites where they shouldn't. If a credit card number is entered into a form on a Web site, it may get stored in a database and logged to log files. This is probably undesirable for the business running the Web site. Once the credit card number is stored in multiple places on your systems, it can be hard to get rid of it.
Removal of credit card information is an important element in PCI compliance.
credit_card_sanitizer scans text for credit card numbers by applying the Luhn checksum algorithm, implemented by the luhn_checksum gem, and by validating that the number has a proper credit card number prefix. Numbers in text that appear to be valid credit card numbers are "sanitized" by replacing some or all of the digits with a replacement character.
Example:
text = "Hello my card is 4111 1111 1111 1111 maybe you should not store that in your database!"
CreditCardSanitizer.new(replacement_token: '▇').sanitizer.sanitize!(text)
text == "Hello my card is 4111 11▇▇ ▇▇▇▇ 1111 maybe you should not store that in your database!"
replacement_token: The character used to replace digits of the credit card number. The default is ▇.
expose_first: The number of leading digits of the credit card number to leave intact. The default is 6.
expose_last: The number of trailing digits of the credit card number to leave intact. The default is 4.
The default configuration of credit_card_sanitizer leaves the first 6 and last 4 digits of credit card numbers intact, and replaces all the digits in between with replacement_token.
This level of sanitization is sufficient for PCI compliance. At this level of removal, the resulting data is no longer considered credit card data under the PCI standard.
credit_card_sanitizer allows for "line noise" between the digits of a credit card number. Line noise is any sequence of non-numeric characters. For example, all of the following numbers will be sanitized successfully:
4111 1111 1111 1111
4111-1111-1111-1111
4111*1111***1111*****1111
Numbers are sanitized if they are a minimum of 12 digits long and a maximum of 19 digits long, and have a proper prefix that matches an IIN range of an issuing network like Visa or MasterCard (https://en.wikipedia.org/wiki/Primary_Account_Number). We have shamelessly taken the regex used in active_merchant to validate these prefixes.
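The detection described above (12 to 19 digits, line noise between digits, Luhn check, first 6 and last 4 digits exposed), as an added sketch that is not the gem's own code and not part of the original README. The names `sanitize_sketch`, `CANDIDATE` and `mask` and the 5-character cap on noise runs are assumptions of this sketch, and the IIN prefix check is left out.

```ruby
# Added sketch, not the gem's implementation.
# Assumption: the IIN prefix check is omitted, so any Luhn-valid run matches.
EXPOSE_FIRST = 6
EXPOSE_LAST  = 4
TOKEN        = '▇'

# 12 to 19 digits, with optional non-digit "line noise" between them.
# Assumption: noise runs are capped at 5 characters so that unrelated
# digits elsewhere in the text are not merged into one candidate.
CANDIDATE = /\d(?:\D{0,5}\d){11,18}/

# Luhn checksum: double every second digit from the right, subtract 9 from
# any result above 9, and require the total to be a multiple of 10.
def luhn_valid?(digits)
  sum = digits.reverse.each_char.with_index.sum do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?
    d > 9 ? d - 9 : d
  end
  (sum % 10).zero?
end

# Replace the middle digits only; line noise characters stay in place.
def mask(candidate)
  total = candidate.count('0-9')
  seen = 0
  candidate.gsub(/\d/) do |d|
    seen += 1
    seen > EXPOSE_FIRST && seen <= total - EXPOSE_LAST ? TOKEN : d
  end
end

# Limitation: a digit run that fails Luhn as a whole is left untouched.
def sanitize_sketch(text)
  text.gsub(CANDIDATE) do |candidate|
    luhn_valid?(candidate.delete('^0-9')) ? mask(candidate) : candidate
  end
end
```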
The #parameter_filter is meant to be used with ActionDispatch to automatically redact parameters that are to be logged before getting flushed.
Rails.application.config.filter_parameters = [:password, CreditCardSanitizer.parameter_filter]
env = {
  "action_dispatch.request.parameters" => {"credit_card_number" => "4111 1111 1111 1111", "password" => "123"},
  "action_dispatch.parameter_filter" => Rails.application.config.filter_parameters
}
>> ActionDispatch::Request.new(env).filtered_parameters
=> {"credit_card_number" => "4111 11▇▇ ▇▇▇▇ 1111", "password" => "[FILTERED]"}
Apache License 2.0