Thanks Dan.

regards,
Preet, in Auckland NZ



On Tue, 24 Dec 2019 at 16:44, Dan Cash <dan.c...@gmail.com> wrote:

> Anywhere there's an input field, someone will try to give you their
> details ...  Saying  "please don't enter personally identifying
> information" is a bit like saying "Please don't push this button".   How
> many people hit send with their CC in the Name/address field because they
> were watching the keyboard instead of where the cursor was?  Even with a
> validation error, the information has been processed, and probably transmitted.
> Someone just needs a regex pattern.
>
> The standard Enterprise security baselines usually prevent .dmp files
> being transmitted (policy or firewall) but they may still need to be
> destroyed.  Anything that was saved to a 'temp' file - including logs - can
> potentially be harvested by next machine user on shared cloud
> infrastructure (not sure about SSD backed SAN), which is why government /
> High Security clouds, where users are basically buying the hosted
> infrastructure for guaranteed exclusive use.
>
>
> On Thu, 19 Dec 2019 at 11:14, mike smith <meski...@gmail.com> wrote:
>
>> Consider that ultimate of all log files, a .dmp file.   Everything is
>> going to be in that, and they typically get automatically sent when
>> something goes wrong.
>>
>> Mike.
>>
>> On Thu, Dec 19, 2019, 09:03 Alan Ingleby <alan.ingl...@gmail.com> wrote:
>>
>>> I guess the key requirement here is "I'm about to write this string to a
>>> log file, is there a chance there's a credit card number in here?".  All
>>> other things considered, this is a reasonably good safeguard.  I'd imagine if
>>> the quick and dirty regex I listed picks anything up, you could do a
>>> further mod10 to validate against valid credit card numbers etc.
>>>
>>> All seems a bit iffy though doesn't it.  If a CC # has gotten its way to
>>> a log file, you really need to question your developers.
>>>
>>> On Wed, 18 Dec 2019 at 23:11, Grant Maw <grant....@gmail.com> wrote:
>>>
>>>> I thought all credit cards use the Mod10 (Kuhn) algorithm. I seem to
>>>> remember it being a safeguard against data entry errors back in the day,
>>>> so this is possibly a hangover from those days.
>>>>
>>>> We never validate card numbers.  We pass the card data to the
>>>> processing gateway and let their APIs handle all that stuff. Less code for
>>>> us to maintain.
>>>>
>>>> On Wed, 18 Dec. 2019, 3:33 pm Preet Sangha, <preetsan...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Ed,
>>>>>
>>>>> Thanks for that. We are a large enterprise platform doing thousands
>>>>> of transactions via gateways - CC info is normally flowing through our code
>>>>> except in the most secure of ways - we are PCI compliant. However to be
>>>>> extra careful I'm trying to remove anything that looks like a known CC
>>>>> shape from logging. It's to prevent issues in case someone inadvertently
>>>>> stores CC in fields that they shouldn't. Yes there's education but sometimes
>>>>> mistakes happen.
>>>>>
>>>>> regards,
>>>>> Preet, in Auckland NZ
>>>>>
>>>>>
>>>>>
>>>>> On Wed, 18 Dec 2019 at 16:57, <eddie.deb...@gmail.com> wrote:
>>>>>
>>>>>> Hi Preet,
>>>>>>
>>>>>>
>>>>>>
>>>>>> I don’t know of any libraries that handle this, but I do have a
>>>>>> question for you.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Why are you validating credit card info?
>>>>>>
>>>>>>
>>>>>>
>>>>>> I ask this because if you are validating card info then you are
>>>>>> handling/processing card info. Any business handling credit card
>>>>>> information should have PCI-DSS compliance.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Personally, I find it is much easier to use external providers (eway,
>>>>>> paypal et al) to handle the whole payment process, meaning your code never
>>>>>> needs to touch a credit card number and you never have to worry about
>>>>>> compliance, *security etc.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Just another random thought, YMMV.
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Security of the card information
>>>>>>
>>>>>>
>>>>>>
>>>>>> Ed.
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* ozdotnet-boun...@ozdotnet.com <ozdotnet-boun...@ozdotnet.com>
>>>>>> *On Behalf Of *Preet Sangha
>>>>>> *Sent:* Wednesday, 18 December 2019 2:41 PM
>>>>>> *To:* ozDotNet <ozdotnet@ozdotnet.com>
>>>>>> *Subject:*
>>>>>>
>>>>>>
>>>>>>
>>>>>> Would anyone know of any credit card validation/detection or similar
>>>>>> libraries that we may be able to incorporate into our .net framework code
>>>>>> (preferably in nuget form) in order to eliminate our own hand coded regexes
>>>>>> please?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards Preet
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>
>>> --
>>> Alan Ingleby
>>>
>>
>
> --
> Dan Cash
> -m. 0411 468 779
> -e. dan.c...@gmail.com
>
> F.A.B. Information Systems Pty Ltd   ABN 16 084 146 261
>
>