
Finance · Philterd

PCI DSS Scope Reduction

Strip cardholder data (PAN, CVV, expiration) from logs, transcripts, and tickets to reduce PCI DSS scope per Requirement 3.4.

Version 1.0.0 · Updated 2026-05-18 · Requires Philter >=3.0.0 · By Philterd
Tags: PCI DSS, cardholder data, PAN, scope reduction, Req 3.4

The policy

The full pci-dss-scope-reduction.json file, identical to the downloadable version. Copy any part of it or use the whole file as-is.

{
  "name": "pci-dss-scope-reduction",
  "config": {
    "splitting": {
      "enabled": false,
      "threshold": 4000
    }
  },
  "ignored": [],
  "identifiers": {
    "creditCard": {
      "onlyValidCreditCards": true,
      "creditCardFilterStrategies": [
        {"strategy": "MASK", "maskCharacter": "*", "maskLength": "SAME", "leaveCharacters": 4}
      ]
    },
    "iban": {
      "ibanFilterStrategies": [
        {"strategy": "MASK", "maskCharacter": "*", "maskLength": "SAME", "leaveCharacters": 4}
      ]
    },
    "ssn": {
      "ssnFilterStrategies": [
        {"strategy": "REDACT", "redactionFormat": "[REDACTED-SSN]"}
      ]
    },
    "identifiers": [
      {
        "id": "cvv",
        "pattern": "\\b(?:CVV|CVC|CVV2|CSC)[\\s:#]*\\d{3,4}\\b",
        "caseSensitive": false,
        "identifierFilterStrategies": [
          {"strategy": "REDACT", "redactionFormat": "[REDACTED-CVV]"}
        ]
      },
      {
        "id": "card-expiration",
        "pattern": "\\b(?:EXP|EXPIRES?|EXPIRATION)[\\s:#]*(0[1-9]|1[0-2])[/\\-](\\d{2}|\\d{4})\\b",
        "caseSensitive": false,
        "identifierFilterStrategies": [
          {"strategy": "REDACT", "redactionFormat": "[REDACTED-EXP]"}
        ]
      }
    ]
  }
}

Example

Input

Customer paid with card 4532-1234-5678-9010 expires 12/27, CVV 845. Routing IBAN GB82WEST12345698765432 charged $499.

Output

Customer paid with card ****-****-****-9010 expires [REDACTED-EXP], CVV [REDACTED-CVV]. Routing IBAN ********************5432 charged $499.

Entities this policy acts on

CREDIT_CARD, IBAN, SSN, CVV, EXPIRATION

What this policy does

Targets the data that pulls systems into PCI DSS audit scope:

  • Primary Account Numbers (PANs) — masked to leave only the last 4 digits visible, satisfying PCI DSS Requirement 3.4 (“PAN, at minimum, is rendered unreadable anywhere it is stored”).
  • CVV / CVC / CSC — fully redacted. PCI DSS Requirement 3.2 prohibits storing sensitive authentication data after authorization, even if encrypted.
  • Expiration dates — fully redacted (not strictly required but common in scope-reduction patterns).
  • IBANs — masked to last 4 digits.
  • SSNs — fully redacted (often co-occur in financial documents and are independent PII).

onlyValidCreditCards: true means Philter requires a valid Luhn checksum before treating a 13–19 digit sequence as a PAN. This dramatically reduces false positives on things like order numbers, tracking IDs, and customer reference codes.
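To show how the Luhn gate and the MASK / SAME / leaveCharacters strategy interact, here is a small Python model of the policy's PAN, CVV and expiration rules run on a constructed line. This is an added illustration, not Philter's own code: the rule for delimiting a PAN candidate, the adaptation of the two custom regexes to keep their keyword prefix (as in the example output above), and the sample input are all assumptions, and the IBAN and SSN rules are left out.

```python
import re

# Regexes adapted from the policy's two custom "identifiers" entries. The keyword prefix is
# captured as group 1 so the replacement keeps it and redacts only the value, matching the
# shape of the page's example output ("CVV [REDACTED-CVV]", "expires [REDACTED-EXP]").
CVV_RE = re.compile(r"(\b(?:CVV|CVC|CVV2|CSC)[\s:#]*)\d{3,4}\b", re.IGNORECASE)
EXP_RE = re.compile(
    r"(\b(?:EXP|EXPIRES?|EXPIRATION)[\s:#]*)(?:0[1-9]|1[0-2])[/\-](?:\d{2}|\d{4})\b",
    re.IGNORECASE,
)
# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
# This delimiting rule is an assumption; Philter's own tokenization is not reproduced here.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """True when the digit string passes the Luhn checksum (the onlyValidCreditCards gate)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, subtract 9 if two digits
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_same_length(token: str, leave: int = 4, mask_char: str = "*") -> str:
    """MASK with maskLength SAME and leaveCharacters: mask every digit before the last
    `leave` characters, keeping separators so the output length equals the input length."""
    cut = len(token) - leave
    return "".join(mask_char if i < cut and ch.isdigit() else ch for i, ch in enumerate(token))


def redact(text: str) -> str:
    """Apply the policy's PAN, CVV and expiration rules to one line of text."""
    def pan_sub(m: re.Match) -> str:
        token = m.group(0)
        digits = re.sub(r"[ -]", "", token)
        # Only a Luhn-valid 13-19 digit sequence is treated as a PAN; anything else is left intact.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_same_length(token)
        return token
    text = PAN_RE.sub(pan_sub, text)
    text = CVV_RE.sub(r"\g<1>[REDACTED-CVV]", text)
    text = EXP_RE.sub(r"\g<1>[REDACTED-EXP]", text)
    return text


# Constructed sample: a Luhn-valid test PAN next to a 16-digit order reference that fails Luhn.
SAMPLE = "Order ref 1234-5678-9012-3456 paid with card 4111-1111-1111-1111 exp 09/2027, CVV: 123."

if __name__ == "__main__":
    print(redact(SAMPLE))
```

The order reference survives untouched while the card, CVV and expiration are masked or redacted, which is the false-positive reduction the Luhn gate buys.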

When to use this

The most common deployment patterns:

  • Application logs — pre-ingest redaction before logs hit Splunk, Datadog, Elastic, etc. Removes those log indexers from PCI scope.
  • Call-center transcripts — see also contact-center/pci-call-recording-transcripts.json for a more aggressive variant tuned for spoken-aloud numbers.
  • Customer support tickets — Zendesk, Salesforce Service Cloud, Freshdesk tickets where agents accidentally paste card numbers.
  • Email archives — bulk de-scope email systems that occasionally receive cardholder data.

When to customize

  • Visible digits. Last 4 is the PCI minimum. Some workflows (chargebacks, dispute investigations) need first 6 + last 4 — adjust leaveCharacters and the masking strategy accordingly, but verify with your QSA.
  • Routing numbers and account numbers. US bank routing numbers (9-digit ABA RTNs) and account numbers aren’t covered by default. Add custom identifiers patterns if your data contains them.
  • Currency amounts. This policy intentionally preserves dollar amounts — they’re not PCI-sensitive and usually have business value. If your data also needs amounts redacted (e.g., for cross-customer training data), add a custom identifier.

Compliance notes

  • PCI DSS Requirement 3.4 allows several rendering methods: one-way hash, truncation, index tokens, or strong cryptography. This policy uses truncation (mask all but last 4) — the lowest-friction option for downstream readability.
  • Requirement 3.2 prohibits storing sensitive authentication data (full track data, CAV2/CVC2/CVV2/CID, PINs/PIN blocks) after authorization. This policy redacts CVVs fully to support that.
  • De-scoping caveats. Removing PAN from a system doesn’t automatically take it out of PCI scope. You also need: documented data flow showing PAN can’t re-enter; segmentation controls; periodic validation. Treat this policy as one input to scope-reduction, not the whole answer.

Use this policy

Download and load into your running Philter instance:

# Download the policy
curl -O https://raw.githubusercontent.com/philterd/pii-redaction-policies/main/policies/philterd/finance/pci-dss-scope-reduction.json

# Upload to your Philter instance
curl -X POST http://localhost:8080/api/policies \
     -H "Content-Type: application/json" \
     --data @pci-dss-scope-reduction.json

# Redact text using the policy
curl http://localhost:8080/api/filter?p=pci-dss-scope-reduction \
     --data "your text here" \
     -H "Content-Type: text/plain"
