This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Masking Sensitive Fields for All Users

on ‎06-23-2022 11:05 AM

veronica_philli
Staff
0 0 828

Looker will not be updating this content, nor guarantees that everything is up-to-date. 

There are several reasons you may want to mask the data in a field from some or all users. Maybe you want to restrict the ability for certain users to view the data for a specific field. Or maybe you want all users to be able to see the field but would like to partially obfuscate the data in that field.

In the latter case, say you want to mask credit card information* so that some characters in the card number are replaced with asterisks. You can do this right in your Looker model by concatenating a combination of LEFT, RPAD, LEN, and RIGHT SQL functions in your SQL parameter.

For example, you can create a new dimension masked_credit_card_number for a 16-digit field credit_card_number (this one uses MYSQL syntax):

dimension: masked_credit_card_number
  type: string
  sql: CONCAT(LEFT(${TABLE}.credit_card_number, 4), RPAD('X', 
       LEN(${TABLE}.credit_card_number) - 8, 'X'),   RIGHT(${TABLE}.credit_card_number, 4)) ;;
}

This will show the first and last four digits of the credit card number, and replace the rest of the digits with asterisks. This means that a credit card number 1234567812345678 will appear as 1234********5678. Dropping the LEFT from the SQL will show ************5678.

* If the credit card primary account number (PAN) is masked appropriately (at a maximum, the first six and last four digits may be unmasked, as show in the example above), then it is no longer considered cardholder data. We encourage both storing and displaying masked PAN wherever the full 15/16 digit number is not required.

The Payment Card Industry Data Security Standard (PCI-DSS) requires that cardholder data be protected with strong cryptography in storage. All companies that store, process, or transmit cardholder data are subject to this standard, and we strongly recommend that you understand and comply with it. Specifically, Requirement 3 (and its sub-requirements) talks about protecting cardholder data in storage and the associated management of encryption keys.

The PCI-DSS can be downloaded from the following link: https://www.pcisecuritystandards.org/document_library.

0 Likes
Version history
Last update:
‎06-23-2022 11:05 AM
Updated by: