Set Up Information Privacy Dialog Box
How do I get to this dialog box?
Open Workspace Settings.
The steps depend on your user interface mode.
|User Interface Mode
|Steps
|Ribbon
|On the File menu, or the Reflection button (if using the Office 2007 Look and Feel), choose Reflection Workspace Settings.
|Reflection Browser
|On the Reflection menu, choose Settings and then Reflection Workspace Settings.
|TouchUx
|Tap the Gear icon and then select Reflection Workspace Settings.
Under Trust Center, select Set Up Information Privacy.
Reflection provides several options for protecting credit card Primary Account Numbers (PANs) and other sensitive data so that it is not displayed on the screen, in logs, or in productivity features, such as Screen History.
|Privacy Filters
|Redact certain patterns of data that are outside the realm of credit card formats (for example, social security numbers).
|Primary Account Number Redaction
|Redact credit card numbers that appear in screen histories, the clipboard, and Microsoft Office applications.
|Common Redaction Rules
|Allow APIs to read redacted data or allow copying of redacted data within a session.
|PCI DSS Rules
|Require secure connections or enable events that fire when PANs are displayed.
For more about when to use each option, see Protecting Sensitive Data.
Privacy Filters Redaction Rules
Use privacy filters when you need to:
Redact certain patterns of data that are outside the realm of credit card formats (for example, US Social Security numbers or proprietary sensitive account numbers).
Redact Primary Account Numbers (PANs) that are outside of a 13-16 digit range. (PAN detection does not detect PANs that are outside of this range.)
The redaction rules specify how to redact sensitive data, based on the filters that you specify in Privacy Filters.
|Enable redaction (exported data only)
|Redacts sensitive data so that it is not displayed in productivity features, such as Office Tools integration, Screen History, Recent Typing, and Auto Complete. This option also obscures data from the Print Screen and Cut/Copy/Paste commands.
|Redact display data (Terminals Supported: IBM) redacts data on screens after you navigate out of the current field.
|Redact data while typing (Terminals Supported: IBM) redacts sensitive data as you type it in.
|Opens the Add Privacy Filter dialog box where you can define the filter.
|Opens the Modify Privacy Filter dialog box where you can modify the regular or simple expression that defines the filter.
|Deletes the selected filter.
Primary Account Number (PAN) Redaction Rules
You can set up redaction rules to redact PANs (credit card numbers) that appear in screen histories, the clipboard, and Microsoft Office applications. You can also choose to redact PAN data displayed on screens, either as the PAN is typed or after it is entered.
|Enable Redaction (exported data only)
|Redacts sensitive data, based on the rules that you specify in Primary Account Number (PAN) Detection Rules.
|Portion of PAN to redact specifies how many digits of the PAN to redact.
|Redact display data (Terminals Supported: IBM) redacts data after it is entered.
|Redact data while typing (Terminals Supported: IBM) redacts data as it is typed.
|Do not store typed PANs
|Prevents PAN data from being saved in an external file or any component that saves screen data. This includes the data saved for the Screen History, Recent Typing, Auto Complete, Auto Expand, and Macro Recording features. It also includes data returned by the Reflection API CreditCardRecognized event.
Primary Account Number (PAN) Detection Rules
|Custom Detection Rules
|Allow you to add, modify, or delete the regular expressions used by the PAN Detection methods to detect PAN data.
|Reflection PAN detection
|Allows you to set up regular expressions to detect PAN data. Reflection PAN Detection is the most flexible option for detecting PANs but is more difficult to configure than the other options. The likelihood of "false positive" redaction is much greater with this method than with the other two, especially if your host screens are very digit-laden.
|Use this option when:
|• You need to define custom card issuer patterns to detect, such as oil company or department store cards.
|• PANs in your application appear in a non-contiguous format, such as multiple input fields of data arranged in a vertical table, or are entered using non-standard digit group separators.
|Note: For more about how to use regular expressions to define rules or exceptions for PAN data, see the Reflection Desktop Deployment guide.
|Custom Exception Expressions
|Use regular expressions to define additional exclusion patterns that prevent false positives or preserve data that you do not want to redact.
|Note: By default, Reflection does not redact digit patterns such as North American phone numbers containing area code information and optional country code, common short date/time formats (MM/DD/YYYY, YYYY/MM/DD, HH:MM:SS, HH:MM, etc.), and US Social Security numbers.
|Simple PAN detection
|Matches either a credit card number sequence (a 13-16 digit number) or preceding text (e.g., keywords like "Account") followed by a credit card number sequence. This option is the easiest option to set up and works well for most applications.
|Use Simple PAN detection when:
|• All credit card data in host applications are always displayed and entered as a single continuous string (e.g.
|• You need to redact account numbers only from: Visa, MasterCard, American Express, Discover, Diner's Club, Carte Blanche, Voyager, JCB, or enRoute. (If you need to detect other card issuers, use Reflection PAN detection or Privacy Filters.)
|• All host application screens containing credit cards are very well defined, and credit card information is always "labeled" in predictable ways. (For instance, credit card numbers are always preceded by a label such as "Account: ").
|Detect PANs based on 13-16 digit numbers with separators
|Matches a credit card number sequence.
|Detect PANs based on preceding text
|If credit card data in your host applications are always labeled in predictable ways, using this option can help avoid false positives.
|Matches preceding text followed by a credit card number sequence. To use this option, you will need to add the preceding text (e.g., Account) to the Text Items box.
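The two Simple PAN detection modes, the default exclusions, and last-four redaction can be tried offline with the added Python sketch below; it is an illustration written for this page, not Reflection's code or its shipped expressions. The regular expressions, the function names `find_pans` and `redact`, the rule that a candidate overlapping an exclusion match is left alone, and the sample screen lines are all assumptions.

```python
import re

# Assumed pattern: 13-16 digits, each optionally preceded by one space or hyphen.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,15}(?!\d)")

# Constructed exclusion patterns for the data kinds the default-exception note lists.
EXCEPTIONS = [
    re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),  # US Social Security number
    re.compile(r"(?<!\d)(?:\+?1[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}(?!\d)"),  # phone
    re.compile(r"(?<!\d)\d{1,4}/\d{1,2}/\d{1,4}(?!\d)"),  # MM/DD/YYYY, YYYY/MM/DD
]


def find_pans(text, labels=None):
    """Return (start, end) spans of PANs; with labels, use preceding-text mode
    (the candidate must directly follow one of the labels)."""
    excluded = [m.span() for rx in EXCEPTIONS for m in rx.finditer(text)]
    label_rx = None
    if labels:
        alternatives = "|".join(map(re.escape, labels))
        label_rx = re.compile(r"(?:%s)\W{0,3}$" % alternatives, re.I)
    spans = []
    for m in PAN_RE.finditer(text):
        start, end = m.span()
        if any(s < end and start < e for s, e in excluded):
            continue  # overlaps an exclusion match: keep the data unredacted
        if label_rx and not label_rx.search(text[:start]):
            continue  # preceding-text mode and no label in front
        spans.append((start, end))
    return spans


def redact(text, labels=None, keep_last=4):
    """Mask every digit of each detected PAN except the last keep_last."""
    out = list(text)
    for start, end in find_pans(text, labels):
        digits = [i for i in range(start, end) if text[i].isdigit()]
        for i in digits[:max(0, len(digits) - keep_last)]:
            out[i] = "*"
    return "".join(out)


# Constructed host-screen lines; the card numbers are made-up sample values.
SCREEN = [
    "Account: 4111111111113267   EXP 12/27",
    "CALLBACK 1-212-555-0147 0915",
    "REF 5500 0000 0000 0004 ORDER 20240115",
]
```

In digits-only mode the phone number followed by `0915` forms a 15-digit run that only the exclusion pattern keeps from being masked, while preceding-text mode with `labels=["Account"]` leaves the unlabeled card number on the `REF` line unredacted.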
Common Redaction Rules
You can configure Reflection to allow APIs to read redacted data or to allow copying of redacted data within a session.
|Allow APIs to read redacted data
|Allows programs or macros using the Reflection .NET and VBA APIs to read redacted data as clear text.
|For example, you could set up Information Privacy features to mask credit card numbers so that users are unable to see them. With this option enabled, you can also run some automation that scrapes the screen and retrieves all the data on the screen, even the redacted data.
|Allow copy of redacted data within sessions
|Allows users to copy redacted data from a screen in an IBM session to another screen in the same session or to a screen in another IBM session.
|When enabled, users can select redacted data on the screen, and then copy and paste it to another location.
|For example, if a user is navigating a mainframe session in a workspace configured to redact credit card numbers and they receive a host screen that contains a credit card, it appears as a series of asterisks and numbers (e.g., ************3267). When this option is enabled, the user can copy this redacted credit card number, navigate a few more screens, and then paste the data.
|Note: When this option is selected, the Wrap text to next input field Clipboard setting is not supported and pasted text that exceeds the length of a field is truncated instead of being pasted to the next unprotected field.
|Retain redacted data formatting is available when Allow copy of redacted data within sessions is enabled. This option removes non-digit characters from a redacted string when it is pasted onto another screen.
|Select this option when you are copying redacted PAN data that spans more than one field from one IBM screen to another. If a Primary Account Number (PAN) spans several fields, and you copy redacted data from these fields, the information you copy may include additional characters that are not part of the PAN. When this option is selected, those characters are removed when the data is pasted.
PCI DSS Rules
You can configure Reflection to require secure connections for all network connections or for only wireless connections. You can also choose to fire a Reflection API event when an unredacted PAN (or credit card number) is displayed.
|Do not require secure host connections
|Allows non-secure connections, such as Telnet. Select this option only when testing or when your sessions do not require PCI DSS compliance.
|Require secure host connections on all networks
|Allows only secure connections, regardless of the type of network. This applies to wired, wireless, and VPN connections.
|Require secure host connections on wireless networks
|Allows non-secure connections on wired networks but requires secure connections for wireless networks.
|Note: VPN connections are not subject to the wireless restrictions. Because of VPN's inherent security, VPN connections are handled in the same way as wired connections. To secure VPN connections, choose the Require secure host connections on all networks option.
|Enable API events when PANs are viewed by the user
|Fires the CreditCardRecognized .NET API and VBA event when unredacted PAN data is copied from the terminal to the clipboard or to a productivity tool. For IBM systems, the event is also fired when unredacted PAN data is displayed on the screen.
|You can handle this event to create logs or perform other actions required for compliance. (See the Reflection VBA Guide or the Reflection .NET API Guide.)
|Note: The CreditCardRecognized event is fired only when a PAN is copied or displayed in its entirety ("in the clear"). It is not fired when only redacted PANs are copied or displayed.