Masking Sensitive Fields for All Users

Looker will not be updating this content, nor guarantees that everything is up-to-date. 

There are several reasons you may want to mask the data in a field from some or all users. Maybe you want to restrict the ability for certain users to view the data for a specific field. Or maybe you want all users to be able to see the field but would like to partially obfuscate the data in that field.

In the latter case, say you want to mask credit card information* so that some characters in the card number are replaced with asterisks. You can do this right in your Looker model by concatenating a combination of LEFT, RPAD, LEN, and RIGHT SQL functions in your SQL parameter.

For example, you can create a new dimension masked_credit_card_number for a 16-digit field credit_card_number (this one uses MYSQL syntax):

dimension: masked_credit_card_number
type: string
sql: CONCAT(LEFT(${TABLE}.credit_card_number, 4), RPAD('X',
LEN(${TABLE}.credit_card_number) - 8, 'X'), RIGHT(${TABLE}.credit_card_number, 4)) ;;

This will show the first and last four digits of the credit card number, and replace the rest of the digits with asterisks. This means that a credit card number 1234567812345678 will appear as 1234********5678. Dropping the LEFT from the SQL will show ************5678.

* If the credit card primary account number (PAN) is masked appropriately (at a maximum, the first six and last four digits may be unmasked, as show in the example above), then it is no longer considered cardholder data. We encourage both storing and displaying masked PAN wherever the full 15/16 digit number is not required.

The Payment Card Industry Data Security Standard (PCI-DSS) requires that cardholder data be protected with strong cryptography in storage. All companies that store, process, or transmit cardholder data are subject to this standard, and we strongly recommend that you understand and comply with it. Specifically, Requirement 3 (and its sub-requirements) talks about protecting cardholder data in storage and the associated management of encryption keys.

The PCI-DSS can be downloaded from the following link:

0 replies

Be the first to reply!