Field Masking

Field masking is a security feature that automatically hides sensitive information in web forms from viewers during co-browsing sessions, while still allowing the original user to see and input their data.

What you need to know about
Field Masking

Field Masking is a privacy-enhancing technology that allows a customer to enter confidential data into a web form while an agent is assisting them in a co-browsing session. The customer can see what they are typing, but the agent's view shows masked characters (like asterisks ****) or a blank field. This allows for seamless, secure collaboration even on pages that contain Personally Identifiable Information (PII) or payment details.

The technology works by identifying specific input fields on a webpage that are meant to contain sensitive data. This identification can be done in a few ways:

  • Automatic Detection: The system can automatically recognise common sensitive fields like those for credit card numbers, security codes (CVV), or passwords.
  • Manual Configuration: Administrators can specify which fields to mask using their HTML attributes, such as their name, id, or CSS selector. This provides granular control to protect any type of proprietary or personal data.

In the context of Surfly, this process is handled by the Interaction Middleware. As the webpage content passes through Surfly's proxy, it identifies the designated fields and modifies the HTML before it's sent to the agent's browser, replacing the actual data with masked content. The customer's browser receives the original, unmodified page, so their experience is unaffected.

The importance of
Field Masking

Field masking directly improves customer trust and business compliance in digital interactions. By ensuring sensitive data remains private during co-browsing, it enables secure, efficient collaboration without compromising privacy.

Key Benefits for Stakeholders:

  • Achieve Regulatory Compliance: For businesses in regulated industries, it is a key control for meeting compliance standards. It directly supports adherence to PCI DSS (for payment card data), HIPAA (for protected health information), and GDPR (for personal data privacy).
  • Build Customer Trust: Customers are often hesitant to share their screen or get help when personal data is involved. Field masking removes this barrier, showing customers that the company takes their privacy seriously. This trust leads to higher adoption of digital support channels and lower call abandonment.
  • Enable Complete Journey Support: Without field masking, an agent would have to end a session when the customer reaches a payment or personal information page. With it, the agent can guide the customer through the entire process, from start to finish, improving first-call resolution and customer satisfaction.
  • Reduce Insider Threat Risk: It minimizes the risk of internal fraud or accidental data exposure by ensuring support agents never have access to sensitive customer information. All data is masked before it ever reaches their screen.

A Practical Example of
Field Masking

Frequently asked questions about
Field Masking

We’ve compiled answers to the most frequently asked questions about

Field Masking

.

How is field masking configured?

It is typically configured in the co-browsing platform's settings by specifying which HTML elements to mask. Administrators can create rules using CSS selectors (e.g., #ssn, [name="credit_card"], .sensitive-data) to target specific fields across a website.

Does the masked data ever pass through the co-browsing servers?

With a proxy-based solution like Surfly, the customer sends the real data directly to the end website's server. The co-browsing proxy only intercepts and modifies the HTML content being streamed to the agent's browser, so the agent never sees it and the data is not stored.

Can an agent ask a customer to unmask a field?

No, for security and compliance reasons, field masking rules are enforced by the system and cannot be disabled by users during a session. This ensures that company policies are followed without exception.

How does Surfly handle field masking?

Surfly uses its Interaction Middleware proxy to parse web content on the fly. It applies masking rules defined by the customer (using CSS selectors) to the DOM before sending it to the agent. This allows for precise, element-level redaction on any website without needing to install code.

Augment all your digital products with collaborative features