4.3 Masking of PII data

The OBAPI framework provides a facility to mask user-sensitive information before it is shown on the screen.

Masking is a process in which only some portion of the data is displayed to the user, while the remaining portion is either skipped or replaced with placeholder characters such as ‘*’. The main purpose of masking is to reduce the risk of ‘over the shoulder’ theft of sensitive information. However, it is also used so that clear-text sensitive information is not written to system logs.

A typical example of masking is the account number. When an OBAPI API whose response contains an account number is invoked, the API always returns the masked value, so the complete clear-text account number is never displayed on the screen.

The following fields are masked by the framework by default:

Sr. No.   Field Name
-------   ----------------------------------------------------------------------------------
1         Party Identifier
2         Account Number (includes current account, savings account, deposit and loan account)
3         Mobile/phone number
4         E-mail ID
5         Social Security Number
6         Submission Identifier
7         Application Identifier

The OBAPI framework also provides a provision by which any field other than the ones mentioned in the above table can be masked as per the requirement. This can be achieved by the following steps:

  1. Create a complex datatype in OBAPI.

    This datatype must extend com.ofss.digx.datatype.complex.MaskedIndirectedObject

  2. Define a ‘masking qualifier’ and a ‘masking attribute’
  3. Configure this masking qualifier and masking attribute in DIGX_FW_CONFIG_ALL_B. An example of the configuration for the account number mask is given below:

    -- Masking qualifier: maps the field ('*.account_id') to a named masking pattern.
    -- PROP_VALUE must match the PROP_ID of the pattern row that follows.
    INSERT INTO digx_fw_config_all_b (PROP_ID, CATEGORY_ID, PROP_VALUE, FACTORY_SHIPPED_FLAG, PROP_COMMENTS, SUMMARY_TEXT, CREATED_BY, CREATION_DATE, LAST_UPDATED_BY, LAST_UPDATED_DATE, OBJECT_STATUS, OBJECT_VERSION_NUMBER)
    VALUES ('*.account_id', 'Masking', 'AccountNumberMasking', 'Y', null, null, 'ofssuser', sysdate, 'ofssuser', sysdate, 'A', 1);

    -- Masking pattern: the first twelve characters are replaced with 'x', the last four are retained.
    INSERT INTO digx_fw_config_all_b (PROP_ID, CATEGORY_ID, PROP_VALUE, FACTORY_SHIPPED_FLAG, PROP_COMMENTS, SUMMARY_TEXT, CREATED_BY, CREATION_DATE, LAST_UPDATED_BY, LAST_UPDATED_DATE, OBJECT_STATUS, OBJECT_VERSION_NUMBER)
    VALUES ('AccountNumberMasking', 'MaskingPattern', 'xxxxxxxxxxxxNNNN', 'Y', null, null, 'ofssuser', sysdate, 'ofssuser', sysdate, 'A', 1);

With the above steps, the OBAPI framework will mask the data of this data type during the serialization phase in the REST tier.

The masking pattern can contain the following characters:

  1. N – The original character in the data is retained.
  2. H – The original character in the data is skipped (omitted from the masked output).
  3. * (or any other placeholder character) – The original character in the data is replaced with this character.
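The following is an added example, not OBAPI code, showing how the pattern semantics above and the two configuration rows resolve a field to its masked value; the dictionaries stand in for the DIGX_FW_CONFIG_ALL_B rows, and the handling of a value whose length differs from the pattern is an assumption (the page does not specify it), chosen here to fail closed.

```python
# Added example (not OBAPI code). Pattern semantics, per the list above:
#   N -> keep the original character
#   H -> drop the original character from the output
#   any other character -> emit that character in place of the original
from typing import Dict

# Constructed stand-ins for the two configuration rows above:
# qualifier -> pattern name, and pattern name -> pattern.
MASKING_QUALIFIERS: Dict[str, str] = {"*.account_id": "AccountNumberMasking"}
MASKING_PATTERNS: Dict[str, str] = {"AccountNumberMasking": "xxxxxxxxxxxxNNNN"}


def placeholder_of(pattern: str) -> str:
    """Return the pattern's replacement character, or '*' if it has none."""
    for ch in pattern:
        if ch not in ("N", "H"):
            return ch
    return "*"


def apply_mask(value: str, pattern: str) -> str:
    """Mask value character by character according to pattern."""
    if len(value) != len(pattern):
        # Assumption (unspecified on the page): fail closed on a length
        # mismatch so that no more characters than intended are exposed.
        return placeholder_of(pattern) * len(value)
    out = []
    for data_ch, pat_ch in zip(value, pattern):
        if pat_ch == "N":
            out.append(data_ch)      # retain original character
        elif pat_ch == "H":
            continue                 # skip original character entirely
        else:
            out.append(pat_ch)       # replace with the placeholder character
    return "".join(out)


def mask_field(qualifier: str, value: str) -> str:
    """Resolve qualifier -> pattern name -> pattern and mask the value.

    Fields without a configured qualifier are not masked, mirroring the
    framework behaviour that only configured fields are masked.
    """
    pattern_name = MASKING_QUALIFIERS.get(qualifier)
    if pattern_name is None:
        return value
    return apply_mask(value, MASKING_PATTERNS[pattern_name])


if __name__ == "__main__":
    print(mask_field("*.account_id", "1234567890123456"))  # xxxxxxxxxxxx3456
    print(apply_mask("9876543210", "HHHHHH**NN"))          # **10
```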