Citrix Application Firewall Credit Card Protection


Article ID: CTX201530


Description

Note the following points about the Citrix Application Firewall credit card security check:

  • The Application Firewall enables you to protect credit card information and detect any attempts to access this sensitive data.

  • To use the Credit Card protection check, you must specify at least one type of credit card and an action. The check is then applied to HTML, XML, and Web 2.0 profiles.

  • You can exclude specific numbers from Credit Card inspection without bypassing the security check inspection for the rest of the credit card numbers.

  • Relaxation is available for all Application Firewall protected credit card patterns. In the configuration utility, you can use the visualizer to specify Add, Edit, Delete, Enable, or Disable operations on relaxation rules.

  • The Application Firewall learning engine can monitor the outgoing traffic to recommend rules based on observed violations. Visualizer support is also available for managing the learned credit card rules in the configuration utility. You can edit and deploy the learned rules, or skip them after careful inspection.

  • The number of X'd out digits depends on the length of the credit card numbers. Ten digits are X'd out for credit cards that have 13 through 15 digits. Twelve digits are X'd out for credit cards that have 16 digits. If your application does not require sending the entire credit card number in the response, Citrix recommends that you enable this action to mask the digits in the credit card numbers.

  • The X-out operation transforms all the credit cards and works independently of the configured setting for the maximum number of allowed credit cards. For example, if there are 4 credit cards in the response and the creditCardMaxAllowed parameter is set to 10, all 4 credit cards are X'd out, but the response is not blocked. If the credit card numbers are spread out in the document, a partial response with X'd-out numbers might be sent to the client before the response is blocked.

  • Do not disable the doSecureCreditCardLogging parameter before due consideration. When this parameter is turned off, the credit card numbers are displayed and are accessible in the log messages. These numbers are not masked in the logs, even if the X-out action is enabled. If you are sending logs to a remote syslog server, and the logs are compromised, the credit card numbers can be exposed.

  • When the response page is blocked because of a Credit Card violation, the application firewall does not redirect to the error page.
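The following is an added example, not Citrix code, that models the X-out, creditCardMaxAllowed and secure-logging behaviour described in the points above on a constructed response body. It assumes that the leading digits of a card number are the ones masked (the article only gives the count of X'd-out digits), that a response is blocked when the number of cards found exceeds the configured maximum, and it uses a Luhn check to skip digit runs that are not card numbers; the helper names are hypothetical.

```python
import re
from dataclasses import dataclass

# Candidate PANs: 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits: str) -> bool:
    # Luhn checksum, used to skip digit runs (order ids, phone numbers) that are not cards.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def xout(raw: str) -> str:
    # Article's rule: 10 digits X'd out for 13-15 digit cards, 12 digits for 16 digit cards.
    # Assumption: the leading digits are masked; separators in the original text are kept.
    n = 10 if sum(c.isdigit() for c in raw) <= 15 else 12
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append("X" if seen < n else ch)
            seen += 1
        else:
            out.append(ch)
    return "".join(out)

@dataclass
class Verdict:
    body: str        # response body with every detected card X'd out
    cards: int       # number of card numbers found
    blocked: bool    # True when the count exceeds max_allowed (creditCardMaxAllowed)
    log_line: str    # what would be written to syslog

def inspect_response(body: str, max_allowed: int, secure_logging: bool = True) -> Verdict:
    found = []
    def repl(m):
        raw = m.group(0)
        if not luhn_ok(re.sub(r"[ -]", "", raw)):
            return raw  # not a card number, leave it untouched
        found.append(raw)
        return xout(raw)
    masked = CARD_RE.sub(repl, body)   # X-out applies to all cards regardless of the limit
    blocked = len(found) > max_allowed
    # With secure logging off, the raw numbers reach the log (the exposure the article warns about).
    logged = [xout(c) for c in found] if secure_logging else found
    log_line = f"APPFW_CREDITCARD cards={len(found)} blocked={blocked} numbers={logged}"
    return Verdict(masked, len(found), blocked, log_line)
```

Run `inspect_response(body, 10)` over a response containing public test card numbers and compare the log line produced with `secure_logging=False` to see why the article advises leaving doSecureCreditCardLogging enabled.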

For more information, refer to Citrix eDocs - Credit Card Check.

Issue/Introduction

This article has information on Citrix Application Firewall credit card protection.