Create a policy to protect Credit Card Number (CCN)

Workflow example to protect CCN.

Goal

Create a policy that protects Credit Card Numbers (CCNs) using a CCN data element, with:

  • At least one role.
  • At least one member source assigned to that role.
  • Deployed to at least one datastore.

This example walks through the complete workflow to create a policy that protects a Credit Card Number (CCN) with tokenization, using the Protegrity CLI and REST APIs. The example includes defining a CCN Data Element and access controls to deploy a policy that protectors can enforce at runtime. CCNs have a specific format and must comply with existing regulations. Hence, this example uses the Credit Card token type, with a common usability pattern of keeping the last four digits visible while tokenizing the rest.

Before using the CLI or the REST APIs, determine the properties required for the CCNs. For example:

  • How many digits should be in the clear.
  • Whether invalid values should be rejected or tokenized, for example, via Luhn handling.
  • What security operations should be allowed. For example, protect, unprotect, or reprotect.

These properties determine how the data element and the policy rules are configured. They also determine what applications and users will experience when data is protected or unprotected.

A key design choice specific to tokenization is selecting the tokenizer, because it defines the tokenization engine and lookup-table strategy. Protegrity uses the tokenizer to deterministically transform a CCN into a same-length token. The tokenizer controls how the CCN digits are mapped into tokens so the protector can reliably produce and resolve tokens under policy. Protegrity offers multiple Static Lookup Table (SLT) tokenizer variants, such as SLT_1_3, SLT_2_3, SLT_1_6, and SLT_2_6, which differ mainly in lookup-table design and operational footprint. This example uses SLT_2_3 because, for most CCN use cases, it strikes a practical balance of memory usage and performance while working well for standard PAN lengths. This avoids the much larger memory footprint of the _6 options unless specifically required.
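The property decisions above (digits left in the clear, Luhn handling, same-length tokens) can be checked against sample data before the data element is defined. The following is an added example, not Protegrity code: it calls no Protegrity CLI or API, all function names are hypothetical, and the sample values and token are constructed.

```python
# Added example: pre-flight checks for CCN data element properties.
# Not Protegrity code; every name below is hypothetical.
from collections import Counter

def normalize(raw: str) -> str:
    """Strip the spaces and dashes commonly used as CCN separators."""
    return raw.replace(" ", "").replace("-", "")

def luhn_valid(pan: str) -> bool:
    """Return True if an ASCII digit string passes the Luhn checksum."""
    if not (pan.isascii() and pan.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def profile(samples):
    """Count Luhn-valid, Luhn-invalid and non-numeric values, plus lengths."""
    report = {"luhn_valid": 0, "luhn_invalid": 0, "non_numeric": 0,
              "lengths": Counter()}
    for raw in samples:
        pan = normalize(raw)
        if not (pan.isascii() and pan.isdigit()):
            report["non_numeric"] += 1
            continue
        report["lengths"][len(pan)] += 1
        report["luhn_valid" if luhn_valid(pan) else "luhn_invalid"] += 1
    return report

def token_keeps_format(clear: str, token: str, clear_right: int = 4) -> bool:
    """Same length, last `clear_right` digits unchanged, the rest changed."""
    return (len(token) == len(clear)
            and token[-clear_right:] == clear[-clear_right:]
            and token[:-clear_right] != clear[:-clear_right])

# Constructed sample input: public test card numbers plus two bad values.
SAMPLES = ["4111111111111111", "5555-5555-5555-4444", "378282246310005",
           "4111 1111 1111 1112", "41111111111X1111"]
# Constructed token, not output from a real protector.
SAMPLE_TOKEN = "8306549021771111"

if __name__ == "__main__":
    print(profile(SAMPLES))
    print(token_keeps_format(SAMPLES[0], SAMPLE_TOKEN))
```

A non-zero `luhn_invalid` or `non_numeric` count in real data is the signal to decide explicitly whether invalid values are rejected or tokenized, and the `lengths` counter shows which PAN lengths the chosen tokenizer has to handle.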

Assumptions

To execute any CLI or API command in this example, the following assumptions have been made:

  • You are operating on a new AI Team Edition setup.
    • Set up the AI Team Edition by installing the Protegrity Provisioned Cluster. For more information about installing the PPC, refer to the section Installing PPC.
  • You are connected to the Policy Manager container.
    • Connect to the Policy Manager container by deploying the Protegrity Policy Manager. For more information about deploying the Protegrity Policy Manager, refer to the section Installing Policy Workbench.

CLI Examples

To execute any CLI command in this example, the following additional assumption has been made:

API Examples

To execute any API command in this example, the following additional assumption has been made:

  • You have access to the Protegrity Policy Management REST APIs.

Initialize Policy Management

Initialize policy management.

Prepare Data Element

Create a data element.

Create Member Source

Create member source for the CCN.

Create Role

Create a role.

Assign Member Source to Role

Assign member source to the role.

Create Policy Shell

Create a policy shell.

Define Rule with Data Element and Role

Define a rule that includes a data element and role.

Create Datastore

Create a datastore.

Deploy Policy to a Datastore

Deploy a policy to a datastore.

Confirm Deployment

Confirm the policy deployment.


Last modified : April 06, 2026