2023-09-13 10:00:00+00:00

Handling credit card data (PANs, CVVs, expiry dates) requires adherence to the Payment Card Industry Data Security Standard (PCI-DSS). Achieving and maintaining compliance is expensive and requires recurring audits, and some of the data may never be stored at all: the CVV is sensitive authentication data that must not be retained after authorization, even encrypted. The best strategy is to minimize your PCI scope: design your system so that your backend servers never see, store, or process raw card numbers.

We accomplish this using credit card tokenization at the frontend and strict data masking on the backend.


1. Tokenization at the Edge

During checkout, the client's web browser or mobile app sends the raw card details directly to the payment processor through its client-side SDK (e.g., CyberSource or Stripe); the details never transit your domain. The processor returns a token that references the card it has stored, and the client passes only that token to your Go backend, which uses it to create the charge through the processor's server-side API. Your servers handle the token, not the PAN, which takes them out of scope for card-data storage and processing. It does not take you out of PCI-DSS entirely: the merchant still completes the lighter SAQ A or SAQ A-EP self-assessment, and the page that loads the SDK must itself be protected (CSP, Subresource Integrity, no untrusted third-party scripts), because a script injected into that page can read the card fields before tokenization happens.

2. Masking Card Numbers in Logs

A PAN that lands in a log line, a crash dump or a debugging database pulls that system, and everything that reads it, back into scope and is a compliance violation in its own right. As a safety net we write a custom formatter for our loggers that scans every message and masks sequences that resemble card numbers:

package main

import (
    "regexp"
    "strings"
)

// Matches a run of 13 to 16 digits, optionally separated by spaces or dashes.
var cardRegex = regexp.MustCompile(`(?:\d[ -]*?){13,16}`)

// MaskCardNumbers replaces every run that looks like a card number with a
// placeholder followed by its last four digits.
func MaskCardNumbers(input string) string {
    return cardRegex.ReplaceAllStringFunc(input, func(card string) string {
        clean := strings.ReplaceAll(card, " ", "")
        clean = strings.ReplaceAll(clean, "-", "")
        // Defensive: the pattern already guarantees 13 to 16 digits per match
        if len(clean) < 13 || len(clean) > 16 {
            return card // Not a card number
        }
        // Retain only the last 4 digits
        return "---" + clean[len(clean)-4:]
    })
}
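
The following is an added example, not code from the original post, that carries both halves of the design above (the token-only backend of section 1 and the log masking of section 2) into one runnable Go program: a checkout handler that accepts only the processor's token and refuses any request body containing something that resembles a PAN, so a client that bypassed the SDK cannot drag the backend into scope, plus a masking writer that scrubs every line a logger emits. The masking uses a Luhn check and word boundaries so that order IDs of the same length survive and a longer digit run is never cut in half. The `tok_` token shape, the JSON field names, the request bodies and the use of the well-known Visa test number 4111 1111 1111 1111 are assumptions constructed for this example; the call to the processor's server-side API is left as a comment because it depends on the processor.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// candidatePAN: 13 to 19 digits with optional space or dash separators, word-bounded so a longer digit run is never matched in part.
var candidatePAN = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)

// luhnValid reports whether a digit string passes the Luhn checksum card numbers carry; it rejects most IDs of the same length.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d = d*2%10 + d*2/10 // digit sum of the doubled digit, e.g. 7 -> 14 -> 5
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPANs replaces each Luhn-valid candidate with asterisks plus its last four digits.
func MaskPANs(s string) string {
	return candidatePAN.ReplaceAllStringFunc(s, func(m string) string {
		clean := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if !luhnValid(clean) {
			return m // right length, wrong checksum: not a card number
		}
		return strings.Repeat("*", len(clean)-4) + clean[len(clean)-4:]
	})
}

// ContainsPAN reports whether s carries at least one Luhn-valid candidate.
func ContainsPAN(s string) bool { return MaskPANs(s) != s }
// maskingWriter scrubs each formatted log line on its way to the real sink, so any logger writing through it is covered.
type maskingWriter struct{ w io.Writer }

func (m maskingWriter) Write(p []byte) (int, error) {
	if _, err := io.WriteString(m.w, MaskPANs(string(p))); err != nil {
		return 0, err
	}
	return len(p), nil // report the caller's byte count, not the masked length
}

// checkoutRequest is the only payment data the backend accepts: the processor's token (its "tok_" shape is an assumption here) and an amount.
type checkoutRequest struct {
	PaymentToken string `json:"payment_token"`
	AmountCents  int64  `json:"amount_cents"`
}

var tokenShape = regexp.MustCompile(`^tok_[A-Za-z0-9]{8,64}$`)

// checkoutHandler rejects any body resembling raw card data, so a client that bypassed the SDK cannot drag the backend into
// scope, then validates token and amount. The server-side call to the processor that creates the charge is elided.
func checkoutHandler(logger *log.Logger) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// A read error leaves an empty or truncated body, which fails validation below.
		body, _ := io.ReadAll(io.LimitReader(r.Body, 1<<16))
		if ContainsPAN(string(body)) {
			// Logging a request body is the mistake section 2 warns about; done on purpose so the writer is seen scrubbing it.
			logger.Printf("rejected raw card data from %s: body=%s", r.RemoteAddr, body)
			http.Error(w, "send a payment token, not card details", http.StatusUnprocessableEntity)
			return
		}
		var req checkoutRequest
		if err := json.Unmarshal(body, &req); err != nil || !tokenShape.MatchString(req.PaymentToken) || req.AmountCents <= 0 {
			http.Error(w, "invalid payment token or amount", http.StatusBadRequest)
			return
		}
		logger.Printf("checkout accepted token=%s amount=%d", req.PaymentToken, req.AmountCents)
		w.WriteHeader(http.StatusAccepted)
	}
}

// submit runs one constructed body through the handler and returns the HTTP status plus whatever reached the log sink.
func submit(body string) (status int, logged string) {
	var logBuf bytes.Buffer
	h := checkoutHandler(log.New(maskingWriter{&logBuf}, "", 0))
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "/checkout", strings.NewReader(body)))
	return rec.Code, logBuf.String()
}

func main() {
	// Constructed sample: a client that skipped the SDK and posted raw card data.
	status, logged := submit(`{"card_number":"4111 1111 1111 1111","cvv":"123","amount_cents":4999}`)
	fmt.Printf("status=%d log=%s", status, logged)
}
```

Running it prints status 422 and a log line in which the card number appears only as `************1111`, even though the handler deliberately logged the whole body. A request carrying a well-formed token gets 202 and a log line with nothing to mask, a 16-digit order number that fails the Luhn check is left untouched, and a 20-digit trace ID is never masked in part because the pattern is word-bounded. The writer reports the caller's original byte count so the logger does not treat the shorter masked output as a partial write.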

Combining edge tokenization with log masking shrinks your PCI scope and catches accidental leaks, but treat the masking as a safety net rather than a control. The pattern above matches any run of 13 to 16 digits, so it will also rewrite order numbers, timestamps and phone numbers, and because it is not anchored it masks only the first 16 digits of a longer identifier and leaves the rest in place; word boundaries and a Luhn check cut those false positives. Nothing replaces not logging request bodies in the first place, and the same masking must be applied wherever text escapes the process: crash dumps, APM traces, error trackers and support tickets, not just the application log.