There are special configuration varables in the Data::Dumper namespace that you can set to control how object are dumped. My advice would be to create a dump filter, (see: http://www.effectiveperlprogramming.com/blog/312) or to make use of $Data::Dumper::Freezer

With $Data::Dumper::Freezer you provide the name of a class method that Data::Dumper will attempt to call on each object it dumps, and if that method exists, the object returned will be dumped instead of the original object, so for your class containing credit card numbers you could provide a hide_secrets() method that blanks out or encypts the secrets. For other classes there will be no such method, so they will be dumped as they are.

Probably the most important consideration for you is to be sure that the debug output cannot somehow wind up on somebody’s web page.

I've posted RFC: SecureString - Obfuscated / masked strings exept when you need them in response to this post. Hopefully either this post, or that post will yield some responses that are useful to you. Unfortunately, the module I threw togeter for that post is too immature (and totally untested) for me to reccommend at this time. In fact, I would even reccommend against using the module as posted - relying on something so immature is a bad idea in my book.