I have a form on my website and my customers send message to me with this form. Sometimes they write their credit card number on the message. So this is really critical. I want to mask these credit card numbers. But of course card numbers don't come on a regular basis.
我在我的网站上有一个表格,我的客户用这个表格给我发信息。有时他们会在留言上写上自己的信用卡号码。这很关键。我想掩盖这些信用卡号码。当然,信用卡号码并不是固定的。
Example 1: 1111222233334444
示例1:1111222233334444
Example 2: 4444 3333 2222 1111
例2:44443333 2222 1111
Example 3: 4444-3333-2222-1111
示例3:4444-3333-2222-1111
Example 4: 4444 - 3333 - 2222 - 1111
例4:4444 - 3333 - 2222 - 1111
Example 5: 4444--3333--2222--1111
示例5:4444——3333——2222——3333
So I can mask for example 1, 2 and 3. But if there are more than one space or dash between numbers I can't.
我可以对1 2 3进行蒙版。但如果在数字之间有多个空格或破折号,我就不能。
And this is my last regex:
这是我的最后一个regex:
preg_replace("/(?:\b| )([3456]\d{3})([ -]+){0,1}\d{4}([ -]+){0,1}\d{4}([ -]+){0,1}(\d{0})/", "$1********$2", $a1);
And results for this regex:
和这个regex的结果:
Result 1: 4444********1111
结果1:4444 * * * * * * * * 1111
Result 2: 4444******** 1111
结果2:4444 * * * * * * * * 1111
Result 3: 4444********-1111
结果3:4444 * * * * * * * * -1111
Result 4: 4444******** - 1111
结果4:4444******* - 1111
Result 5: 4444********--1111
结果5:4444 * * * * * * * * 1111
So what should I do in regex? Thanks.
那么在regex中我应该做什么呢?谢谢。
3 个解决方案
#1
2
How to mask credit card number mask in a text [with regex]?
如何在文本[与regex]中屏蔽信用卡号码掩码?
Don't.
Sometimes they write their credit card number on the message.
有时他们会在留言上写上自己的信用卡号码。
They really shouldn't. Don't encourage this behavior. It is not PCI compliant:
他们真的不应该。不鼓励这种行为。它不是PCI兼容的:
What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment, and store, process and transmit cardholder data, you need to host your data securely with a PCI compliant hosting provider.
支付卡行业数据安全标准(PCI DSS)适用于任何规模的接受信用卡支付的公司。如果您的公司打算接受信用卡支付,并存储、处理和传输持卡人数据,您需要使用符合PCI的托管提供商安全地托管您的数据。
When you accept credit card data via a website, do so using an approved service provider like Stripe, PayPal, BlueSnap, SecurionPay, etc. These services are not immensely popular because it's hard to make payment systems, but because they're hard to make right (and legal). They all have PHP API's, so you can have people enter credit card data that you never see, and still charge them for amounts that you agree upon.
当你通过一个网站接受信用卡数据时,你可以使用像Stripe, PayPal, BlueSnap, SecurionPay等认证服务提供商。这些服务并不是很受欢迎,因为很难建立支付系统,但是因为他们很难做出正确的(和合法的)。他们都有PHP API,所以你可以让人们输入你从未见过的信用卡数据,并且仍然对你同意的金额收取费用。
For example, if you were using Stripe and you wish to inform your customer what credit card they signed up with, their card object has a last4 property that gives the last four digits of the card: At this point you never knew the full credit card number, and you didn't even have to consider whether giving the first four and the last four was a security violation.
例如,如果您正在使用条纹和你想通知你的客户他们签署了什么信用卡,信用卡对象有一个last4属性,给的最后四位数卡:在这一点上你永远不知道完整的信用卡号码,你甚至不需要考虑是否给予前四和最后四是一个安全违规。
Further guidelines:
Never store electronic track data or the card security number in any form
While you may have a business reason for storing credit card information, processing regulations specifically forbid the storage of a card’s security code or any “track data” contained in the magnetic strip on the back of a credit card.
尽管您可能有存储信用卡信息的业务原因,但处理规则明确禁止存储信用卡背面磁条中包含的信用卡安全代码或任何“跟踪数据”。
The card security number, called by many acronyms including CVV2, CID, and CSC, is the three digit number on the back of Visa/MasterCard/Discover cards or the 4 digit number on the front of American Express cards. It is designed to provide a way for merchants to know whether a customer authorizing a transaction over the phone or via the Internet actually has the card in their possession. This approach only works if the security code is never stored with the card number. Electronic storage makes this easy. You simply do not create a field for the security code. For paper storage, you need to redact (cross out with a dark pen to make unreadable) the security code after you successfully process the transaction and before you store a paper authorization form. [...]
信用卡安全号是Visa/万事达/发现卡背面的三位数字,或美国运通卡正面的四位数字。它的设计目的是为商家提供一种方式,让商家知道,通过电话或互联网授权交易的客户是否拥有他们所拥有的信用卡。这种方法只有在安全代码没有与卡号一起存储时才有效。电子存储使这变得很容易。您不需要为安全代码创建字段。对于纸张存储,您需要在成功地处理事务之后和存储纸质授权表单之前对安全代码进行修订(用黑笔划掉以使其不可读)。[…]
Clearly you should store neither security codes nor track data purposely. But, you need to make sure you don’t store it inadvertently as well. To do this, be certain to use only approved hardware and software. [...]
显然,您不应该故意存储安全代码或跟踪数据。但是,您需要确保您不会在无意中存储它。要做到这一点,一定要只使用经过批准的硬件和软件。[…]
Make sure all electronic storage of credit card account numbers is encrypted and all paper storage is secured
[...] Electronic storage of credit card numbers is also common if, for example, you process recurring or repeat transactions. If you do this, you need to make certain that you never store these files unencrypted. You need to make certain that any electronic storage is encrypted using a robust encryption algorithm. That way, if your computer is stolen or if someone in your office gains unauthorized access, you have some level of protection for the credit card numbers.
[…[英语背诵文选如果你处理重复或重复的交易,信用卡号码的电子存储也很常见。如果您这样做,您需要确保您从未存储这些未加密的文件。您需要确保使用健壮的加密算法对任何电子存储进行加密。这样,如果你的电脑被偷了,或者你办公室里有人未经授权进入,你的信用卡号码就会受到某种程度的保护。
There are many service providers that offer secure storage—either as a standalone service or as part of a payment processing package. These services typically provide you with a “Token” for a card number they store. You can store the token in any unsecured file. When you’re ready to process a payment, you simply send the service provider the token and it retrieves the full card number for the sole purpose of processing the payment. (It’s technically more complicated than that, but you get the idea.) Just be certain to use a PCI DSS Verified provider [...]
有许多提供安全存储的服务提供者——要么作为独立服务,要么作为支付处理包的一部分。这些服务通常为它们存储的卡号提供一个“令牌”。您可以将标记存储在任何未加密的文件中。当您准备处理支付时,您只需向服务提供者发送令牌,它将检索完整的卡号,以便处理支付。(技术上比这复杂,但你懂的。)一定要使用PCI DSS验证提供者[…]
#2
1
May I suggest that you separate validation of your credit card number from the presentation of that number to your users via the UI? Assuming you have only stored valid credit card numbers, then it is probably safe to assume that every number has at least 8 digits. If so, then you can just use a blanket regex to only display the first 4 and last 8 digits:
我是否可以建议您通过用户界面将您的信用卡号与该号码的显示分开?假设您只存储了有效的信用卡号码,那么可以假定每个号码至少有8位数字。如果是,那么您可以使用一个毯子regex只显示前4位和后8位数字:
$cc = "4444--3333--2222--1111";
echo preg_replace("/(\d{4}).*(\d{4})/", "$1********$2", $cc);
4444********1111
Demo
You might point out that this puts the same number of stars in between every card number. But, then again, this is a good thing, because it makes it even harder for a snooper to fish out what the real unmasked number actually is.
您可能会指出,这将使每个卡号之间的星数相同。但是,再一次,这是一件好事,因为它使一个窥探者更难找出真正的揭开面具的数字是什么。
Edit:
编辑:
Here is a smarter regex which will star out the middle portion of any number, leaving only the first and last 4 characters visible:
下面是一个更聪明的regex,它将显示任何数字的中间部分,只显示第一个和最后四个字符:
$cc = "4444--3333--2222--1111";
echo preg_replace("/(?<=.{4}).(?=.{4})/", "*", $cc);
4444**************1111
Note that this solution would not remove anything from 11114444 as a theoretical input.
注意,这个解决方案不会删除作为理论输入的11114444中的任何内容。
#3
0
Check the next regex \b([3-6]\d{3})(?: *-* *\d{4}){2} *-* *(\d{4})\b.
检查下一个regex \b([3-6]\d{3})(?: * * *\d{4}){2} *-* *(\d{4})\b。
#1
2
How to mask credit card number mask in a text [with regex]?
如何在文本[与regex]中屏蔽信用卡号码掩码?
Don't.
Sometimes they write their credit card number on the message.
有时他们会在留言上写上自己的信用卡号码。
They really shouldn't. Don't encourage this behavior. It is not PCI compliant:
他们真的不应该。不鼓励这种行为。它不是PCI兼容的:
What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment, and store, process and transmit cardholder data, you need to host your data securely with a PCI compliant hosting provider.
支付卡行业数据安全标准(PCI DSS)适用于任何规模的接受信用卡支付的公司。如果您的公司打算接受信用卡支付,并存储、处理和传输持卡人数据,您需要使用符合PCI的托管提供商安全地托管您的数据。
When you accept credit card data via a website, do so using an approved service provider like Stripe, PayPal, BlueSnap, SecurionPay, etc. These services are not immensely popular because it's hard to make payment systems, but because they're hard to make right (and legal). They all have PHP API's, so you can have people enter credit card data that you never see, and still charge them for amounts that you agree upon.
当你通过一个网站接受信用卡数据时,你可以使用像Stripe, PayPal, BlueSnap, SecurionPay等认证服务提供商。这些服务并不是很受欢迎,因为很难建立支付系统,但是因为他们很难做出正确的(和合法的)。他们都有PHP API,所以你可以让人们输入你从未见过的信用卡数据,并且仍然对你同意的金额收取费用。
For example, if you were using Stripe and you wish to inform your customer what credit card they signed up with, their card object has a last4 property that gives the last four digits of the card: At this point you never knew the full credit card number, and you didn't even have to consider whether giving the first four and the last four was a security violation.
例如,如果您正在使用条纹和你想通知你的客户他们签署了什么信用卡,信用卡对象有一个last4属性,给的最后四位数卡:在这一点上你永远不知道完整的信用卡号码,你甚至不需要考虑是否给予前四和最后四是一个安全违规。
Further guidelines:
Never store electronic track data or the card security number in any form
While you may have a business reason for storing credit card information, processing regulations specifically forbid the storage of a card’s security code or any “track data” contained in the magnetic strip on the back of a credit card.
尽管您可能有存储信用卡信息的业务原因,但处理规则明确禁止存储信用卡背面磁条中包含的信用卡安全代码或任何“跟踪数据”。
The card security number, called by many acronyms including CVV2, CID, and CSC, is the three digit number on the back of Visa/MasterCard/Discover cards or the 4 digit number on the front of American Express cards. It is designed to provide a way for merchants to know whether a customer authorizing a transaction over the phone or via the Internet actually has the card in their possession. This approach only works if the security code is never stored with the card number. Electronic storage makes this easy. You simply do not create a field for the security code. For paper storage, you need to redact (cross out with a dark pen to make unreadable) the security code after you successfully process the transaction and before you store a paper authorization form. [...]
信用卡安全号是Visa/万事达/发现卡背面的三位数字,或美国运通卡正面的四位数字。它的设计目的是为商家提供一种方式,让商家知道,通过电话或互联网授权交易的客户是否拥有他们所拥有的信用卡。这种方法只有在安全代码没有与卡号一起存储时才有效。电子存储使这变得很容易。您不需要为安全代码创建字段。对于纸张存储,您需要在成功地处理事务之后和存储纸质授权表单之前对安全代码进行修订(用黑笔划掉以使其不可读)。[…]
Clearly you should store neither security codes nor track data purposely. But, you need to make sure you don’t store it inadvertently as well. To do this, be certain to use only approved hardware and software. [...]
显然,您不应该故意存储安全代码或跟踪数据。但是,您需要确保您不会在无意中存储它。要做到这一点,一定要只使用经过批准的硬件和软件。[…]
Make sure all electronic storage of credit card account numbers is encrypted and all paper storage is secured
[...] Electronic storage of credit card numbers is also common if, for example, you process recurring or repeat transactions. If you do this, you need to make certain that you never store these files unencrypted. You need to make certain that any electronic storage is encrypted using a robust encryption algorithm. That way, if your computer is stolen or if someone in your office gains unauthorized access, you have some level of protection for the credit card numbers.
[…[英语背诵文选如果你处理重复或重复的交易,信用卡号码的电子存储也很常见。如果您这样做,您需要确保您从未存储这些未加密的文件。您需要确保使用健壮的加密算法对任何电子存储进行加密。这样,如果你的电脑被偷了,或者你办公室里有人未经授权进入,你的信用卡号码就会受到某种程度的保护。
There are many service providers that offer secure storage—either as a standalone service or as part of a payment processing package. These services typically provide you with a “Token” for a card number they store. You can store the token in any unsecured file. When you’re ready to process a payment, you simply send the service provider the token and it retrieves the full card number for the sole purpose of processing the payment. (It’s technically more complicated than that, but you get the idea.) Just be certain to use a PCI DSS Verified provider [...]
有许多提供安全存储的服务提供者——要么作为独立服务,要么作为支付处理包的一部分。这些服务通常为它们存储的卡号提供一个“令牌”。您可以将标记存储在任何未加密的文件中。当您准备处理支付时,您只需向服务提供者发送令牌,它将检索完整的卡号,以便处理支付。(技术上比这复杂,但你懂的。)一定要使用PCI DSS验证提供者[…]
#2
1
May I suggest that you separate validation of your credit card number from the presentation of that number to your users via the UI? Assuming you have only stored valid credit card numbers, then it is probably safe to assume that every number has at least 8 digits. If so, then you can just use a blanket regex to only display the first 4 and last 8 digits:
我是否可以建议您通过用户界面将您的信用卡号与该号码的显示分开?假设您只存储了有效的信用卡号码,那么可以假定每个号码至少有8位数字。如果是,那么您可以使用一个毯子regex只显示前4位和后8位数字:
$cc = "4444--3333--2222--1111";
echo preg_replace("/(\d{4}).*(\d{4})/", "$1********$2", $cc);
4444********1111
Demo
You might point out that this puts the same number of stars in between every card number. But, then again, this is a good thing, because it makes it even harder for a snooper to fish out what the real unmasked number actually is.
您可能会指出,这将使每个卡号之间的星数相同。但是,再一次,这是一件好事,因为它使一个窥探者更难找出真正的揭开面具的数字是什么。
Edit:
编辑:
Here is a smarter regex which will star out the middle portion of any number, leaving only the first and last 4 characters visible:
下面是一个更聪明的regex,它将显示任何数字的中间部分,只显示第一个和最后四个字符:
$cc = "4444--3333--2222--1111";
echo preg_replace("/(?<=.{4}).(?=.{4})/", "*", $cc);
4444**************1111
Note that this solution would not remove anything from 11114444 as a theoretical input.
注意,这个解决方案不会删除作为理论输入的11114444中的任何内容。
#3
0
Check the next regex \b([3-6]\d{3})(?: *-* *\d{4}){2} *-* *(\d{4})\b.
检查下一个regex \b([3-6]\d{3})(?: * * *\d{4}){2} *-* *(\d{4})\b。