Set Up Information Privacy Dialog Box

You can configure Information Privacy features to protect sensitive data so that it is not displayed on the screen or in productivity features, such as Screen History.

If you need to...

Do this...

Redact certain patterns of data that are outside the realm of credit card formats (e.g., US Social Security numbers).

Set up Privacy Filter Redaction Rules and Privacy Filters.

Redact credit card Primary Account Numbers (PANs) to meet PCI DSS requirements (see PCI Security Standards Council). PCI DSS (Payment Card Industry Data Security Standard) is a worldwide standard comprising technology requirements and process requirements designed to prevent fraud and is published by PCI Security Standards Council, LLC. All companies who handle credit cards are likely to be subject to this standard.

Set up Primary Account Number (PAN) Redaction Rules and Primary Account Number (PAN) Detection Rules.

Require secure connections (as may be required for PCI DSS compliance).

Set up PCI DSS Rules.

NOTE:

  • You can use Privacy Filters together with Primary Account Number (PAN) detection. To improve performance, do not duplicate existing PAN patterns in privacy filters.

  • Information Privacy settings do not apply to IBM host printer emulation.

  • If redaction is enabled, HLLAPI functions are disabled to prevent access to unredacted data through HLLAPI.

For detailed explanations, instructions, and examples that show how to set up Information Privacy features, see Setting up Information Privacy.

Privacy Filters Redaction Rules

Use privacy filters when you need to:

  • Redact certain patterns of data that are outside the realm of credit card formats (for example, US Social Security numbers or proprietary sensitive account numbers).

  • Redact Primary Account Numbers (PANs) that are outside of a 13-16 digit range. (PAN detection does not detect PANs that are outside of this range.)

The redaction rules specify how to redact sensitive data, based on the filters that you specify in Privacy Filters.

Enable redaction (exported data only)

Redacts sensitive data so that it is not displayed in productivity features, such as Office Tools integration, Screen History, Recent Typing, and Auto Complete. This option also obscures data from the Print Screen and Cut/Copy/Paste commands.

Redact display data (Terminals Supported: IBM)

Redacts data on screens after you navigate out of the current field.

Redact data while typing (Terminals Supported: IBM)

Redacts sensitive data as you type it in.

Privacy Filters

Add

Opens the Add Privacy Filter dialog box where you can define the filter.

Modify

Opens the Modify Privacy Filter dialog box where you can modify the regular or simple expression that defines the filter.

Delete

Deletes the selected filter.

Primary Account Number (PAN) Redaction Rules

You can set up redaction rules to redact PANs (credit card numbers) that appear in screen histories, the clipboard, and Microsoft Office applications. You can also choose to redact PAN data displayed on screens, either as the PAN is typed or after it is entered.

Enable Redaction (exported data only)

Redacts sensitive data, based on the rules that you specify in Primary Account Number (PAN) Detection Rules.

Portion of PAN to redact

Specifies how many digits of the PAN to redact.

Redact display data (Terminals Supported: IBM)

Redacts data after it is entered.

Redact data while typing (Terminals Supported: IBM)

Redacts data as it is typed.

Do not store typed PANs

Prevents PAN data from being saved in an external file or any component that saves screen data. This includes the data saved for the Screen History, Recent Typing, Auto Complete, Auto Expand, and Macro Recording features. It also includes data returned by the Reflection API CreditCardRecognized event.

Primary Account Number (PAN) Detection Rules

Custom Detection Rules

Allow you to add, modify, or delete the regular expressions used by the PAN Detection methods to detect PAN data.

Reflection PAN detection

Allows you to set up regular expressions to detect PAN data. Use this option when:

  • You need to define custom card issuer patterns to detect, such as oil company or department store cards.

  • PANs in your application appear in a non-contiguous format, such as multiple input fields of data arranged in a vertical table, or are entered using non-standard digit group separators.

NOTE: For more about how to use regular expressions to define rules or exceptions for PAN data, see Setting up Information Privacy.

Custom Exception Expressions

Use regular expressions to define additional exclusion patterns that prevent false positives or preserve data that you do not want to redact.

NOTE: By default, Reflection does not redact digit patterns such as North American phone numbers containing area code information and optional country code, common short date/time formats (MM/DD/YYYY, YYYY/MM/DD, HH:MM:SS, HH:MM, etc.), and US Social Security numbers.

Simple PAN detection

Matches either a credit card number sequence (a 13-16 digit number) or preceding text (e.g., keywords like "Account") followed by a credit card number sequence. Use Simple PAN detection when:

  • All credit card data in host applications are always displayed and entered as a single continuous string (e.g. 1211-1441-1311-1551).

  • You need to redact account numbers only from: Visa, MasterCard, American Express, Discover, Diner’s Club, Carte Blanche, Voyager, JCB, or enRoute. (If you need to detect other card issuers, use Reflection PAN detection or Privacy Filters.)

  • All host application screens containing credit cards are very well defined, and credit card information is always "labeled" in predictable ways. (For instance, credit card numbers are always preceded by a label such as "Account: ").

Detect PANs based on 13-16 digit numbers with separators

Matches a credit card number sequence.

Detect PANs based on preceding text

Matches preceding text followed by a credit card number sequence. To use this option, you will need to add the preceding text (e.g., Account) to the Text Items box.
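The two Simple PAN detection modes, the exception expressions and partial redaction described above, sketched in Python as an added example; it is not Reflection's implementation or its configuration syntax. The patterns, the rule that a candidate overlapping an exception match is left alone, the label separators and the sample screen text are assumptions constructed for illustration.

```python
import re

# Constructed pattern: 13-16 digits, one space or hyphen allowed between digits.
DIGITS = r"\d(?:[ -]?\d){12,15}"

# Constructed exception patterns (assumptions, not the product's built-in list).
EXCEPTIONS = [
    re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),            # US SSN
    re.compile(r"(?<!\d)(?:1[ -])?\d{3}-\d{3}-\d{4}(?!\d)"),  # NANP phone
]

# Constructed screen text; the first number is the sample string from this page.
SCREEN = "Account: 1211-1441-1311-1551  Ref 123-45-6789 2024  Card 4111111111111111"


def find_pans(text, labels=None, exceptions=EXCEPTIONS):
    """Return (start, end) spans of PAN candidates in text.

    labels=None  -> any 13-16 digit sequence is a candidate.
    labels=[...] -> only sequences directly preceded by one of the labels.
    Candidates overlapping an exception match are left alone.
    """
    if labels:
        alt = "|".join(re.escape(label) for label in labels)
        head = r"(?i:(?:%s)\s*[:#]?\s*)" % alt
    else:
        head = r"(?<!\d)"
    pattern = re.compile(head + r"(?P<pan>" + DIGITS + r")(?!\d)")
    excluded = [m.span() for rx in exceptions for m in rx.finditer(text)]
    spans = []
    for m in pattern.finditer(text):
        start, end = m.span("pan")
        if not any(start < x_end and x_start < end for x_start, x_end in excluded):
            spans.append((start, end))
    return spans


def redact(text, keep_last=4, **options):
    """Mask every digit of each detected PAN except the last keep_last."""
    out = list(text)
    for start, end in find_pans(text, **options):
        digits = [i for i in range(start, end) if text[i].isdigit()]
        for i in digits[:len(digits) - keep_last]:
            out[i] = "*"
    return "".join(out)


if __name__ == "__main__":
    print(redact(SCREEN))
    print(redact(SCREEN, labels=["Account"]))
```

Calling `find_pans(SCREEN, exceptions=[])` shows the false positive the exception list prevents: the SSN followed by a year adds up to 13 digits and would otherwise be treated as a PAN.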

Common Redaction Rules

You can configure Reflection to allow APIs to read redacted data or to allow copying of redacted data within a session.

Allow APIs to read redacted data

Allows programs or macros using the Reflection .NET and VBA APIs to read redacted data as clear text.

For example, you could set up Information Privacy features to mask credit card numbers so that users are unable to see them. With this option enabled, you can also run some automation that scrapes the screen and retrieves all the data on the screen, even the redacted data.

Allow copy of redacted data within sessions

Allows users to copy redacted data from a screen in an IBM session to another screen in the same session or to a screen in another IBM session.

When enabled, users can select redacted data on the screen, and then copy and paste it to another location.

For example, if a user is navigating a mainframe session in a workspace configured to redact credit card numbers and they receive a host screen that contains a credit card, it appears as a series of asterisks and numbers (e.g., ************3267). When this option is enabled, the user can copy this redacted credit card number, navigate a few more screens, and then paste the data.

NOTE: When this option is selected, the Wrap text to next input field Clipboard setting is not supported, and pasted text that exceeds the length of a field is truncated instead of being pasted to the next unprotected field.

PCI DSS Rules

You can configure Reflection to require secure connections for all network connections or for only wireless connections. You can also choose to fire a Reflection API event when an unredacted PAN (or credit card number) is displayed.

Do not require secure host connections

Allows non-secure connections, such as Telnet. Select this option only when testing or when your sessions do not require PCI DSS compliance.

Require secure host connections on all networks

Allows only secure connections, regardless of the type of network. This applies to wired, wireless, and VPN connections.

Require secure host connections on wireless networks

Allows non-secure connections on wired networks but requires secure connections for wireless networks.

NOTE: VPN connections are not subject to the wireless restrictions. Because of VPN's inherent security, VPN connections are handled in the same way as wired connections. To secure VPN connections, choose the Require secure host connections on all networks option.

Enable API events when PANs are viewed by the user

Fires the CreditCardRecognized .NET API and VBA event when unredacted PAN data is copied from the terminal to the clipboard or to a productivity tool. For IBM systems, the event is also fired when unredacted PAN data is displayed on the screen.

You can handle this event to create logs or perform other actions required for compliance. (See the Reflection VBA Guide or the Reflection .NET API Guide.)

NOTE: This event is fired only when a PAN is copied or displayed in its entirety ("in the clear"). It is not fired when only redacted PANs are copied or displayed.