Implement a tracing layer that scans fields and redacts patterns (JWT, API keys, emails) before output.
Tags: compliance-soc2-essentials, privacy-pii (+1)
Low
Display PAN as first 6 / last 4 only
Render the PAN only in truncated form (first 6 and last 4 digits) and never expose the full PAN, CVV, or expiration data together. Apply the masking helper at every presentation point, including emails and PDFs. (PCI DSS 4.0 Req. 3.3)
Tags: compliance-pci-dss, privacy-pii (+1)
Low
Export for portability in machine-readable format with consent check
Provide subject data export in JSONL or CSV only after confirming lawful basis (consent/contract). Include schema version and exclude internal linkage keys.
Tags: compliance-lgpd, api-conventions (+1)
Low
Filter sensitive parameters from logs
Use $dontFlash in app/Http/Middleware/TrimStrings.php or logging processors to redact 'password', 'token', 'ssn', and emails.
Tags: compliance-soc2-essentials, privacy-pii (+1)
Low
Mask tokens before logging HTTP requests
Intercept Authorization headers and redact bearer/JWT values; attach requestId to every log line.
Tags: compliance-soc2-essentials, privacy-pii (+1)
Low
Monolog processors to redact PII
Configure Monolog to add a processor that redacts emails, tokens, and SSNs before writing logs; include request_id.
Tags: compliance-soc2-essentials, privacy-pii (+1)
Low
Redact PII with log wrappers
Wrap logger to filter emails and tokens using regex before logging; include trace_id in every entry.
Tags: compliance-soc2-essentials, privacy-pii (+1)
Low
Tag PII in schemas and events for RoPA
Mark columns and event fields with pii and purpose metadata; prefer hashed or tokenized variants in telemetry. Use these tags to auto-generate Records of Processing Activities (RoPA). (GDPR Art. 30)