Hey Bjoern,
There certainly appears to be something other than the request, just based on the data above. DataGuard should certainly only trigger on response data, so if you are certain that it is happening on the data in the request, I would say that a case with F5 Support is warranted.
Again, however, judging by the formatting of the data in the "Context" field in which it matched, the data appears to be the response. Observe the formatting:
karteNummer" value="6677880000000004" />
This is HTML format, even though it has been truncated. This is most likely part of a field that looks like this:
If this were part of the request, we would see all of the above encoded and in the format of HTTP POST data:
karteNummer=6677880000000004
Or even if the above string were itself a parameter, we would see the encoding:
karteNummer%21%20value%3d%216677880000000004%21%20%2f%3e
Since the "Context" is the ASM showing you precisely where it found the data that caused the match, this indicates that this is exactly the stream it was parsing when the violation was raised.
The data in the "Context" stream came from somewhere, and the fact that the data in the stream looks like HTML rather than HTTP POST data would indicate that this was, in fact, part of the response.
Were it me, I would probably try to connect direct to the web servers and view the source/responses this way to confirm. Alternatively, tcpdumps from the ASM viewing both the browser and server sides simultaneously should show this, as well (assuming this is all plain-text and not SSL).
If the above testing (especially the captures, that would be the most difinitive demonstration) do show that the responses are masked but the ASM stills seems to "see" credit card numbers in them, this is definitely worthy of a case to the folks in F5 Support.
Cheers!
// Ben