The IBAN algorithm allows you to mask International Bank Account Numbers. It takes IBAN as an input and replaces each numeric character with another numeric character, and the same for alphabet characters. The first two characters of a valid IBAN are its country code. The country code is preserved, it is not masked. The second two characters of a valid IBAN are a checksum, generated from the other characters using the MOD97 method. This is regenerated by the algorithm after masking to ensure checksum validity. The replacement characters are sourced from a hash of the original input IBAN. This hash remains stable for an instance of the algorithm, so the output will always be the same for a given input. A small set of delimiters are preserved if present in the input IBAN: space, period, and hyphen. Delimiters will not be preserved in the first 4 characters of an input, as these are reserved for country code and checksum.
The algorithm attempts to mask all inputs even if they are not valid IBAN and will still replace numeric characters with numeric, and alphabet with alphabet. Unsupported delimiters or punctuation will be replaced with an alphanumeric character. If possible, a new checksum is calculated even if the input did not have a valid checksum. The algorithm cannot proceed with masking invalid data that has less than 4 characters. If this input is received, it will be padded to 4 characters and masking will reattempt.
Creating an Instance / Configuration Options
The default instance of the IBAN algorithm cannot be configured. Newly created instances of the IBAN algorithm have two options that can be configured. As with other algorithms, enter a name and an optional description. You can then choose to enable input validation and select how many characters to mask.
The number of characters to mask maximum is 64, but the longest country supported IBAN is currently Russia with 33 characters. Numbers higher than the length of an IBAN input will mask all characters possible. The minimum number is 6. Lower numbers will speed up the performance of the algorithm, but be conscious of reduction in data obfuscation as the number of changed characters goes down.
There is an option for IBAN input validation. This can be useful to identify corrupted or otherwise invalid input data. It does come at a moderate performance cost. The validation uses the Apache Commons Validator. This tool validates that the country code is supported, the checksum is valid and that the structure of the IBAN is appropriate for the given country. It is updated with new countries as they adopt the IBAN standard. The current version used is 1.7. If invalid IBAN are found, they are treated as non-conformant data. This will not stop the masking job and the value will not be masked but a warning will be shown and details recorded in the job log.
In the upper right-hand region of the Algorithm tab under Settings, click Add Algorithm.
Select IBAN. The "Create IBAN Algorithm" window will appear.
Enter an Algorithm Name.
Info: Name MUST be unique.
Enter a Description (optional).
Set Number of Characters to Mask. This value is the number of characters from the right that will be masked. Values for this field must be in the range [6-64].
When finished, click Save.
Valid IBAN inputs and masked outputs:
NO8330001234567 → NO0631216940542
GL8964710123456789 → GL3640635860760239
Invalid IBAN inputs and masked outputs:
????A????b????C????d????E???? → ??29S1076R7076M0100E0222J0177
ABC123 → AB6447
Notice that it still respects a character's type and the first two as if they were a country code.