mkienenb
Contributor
Status: Accepted

Right now, connection details logged from HttpUtility at the debug level include a great deal of useful information along with

 

- the api login and transaction key

- full dump of the xml request including unmasked credit card number, expiration date, etc.

 

Can we move the logging of these two items to a separately-configurable logger like "HttpUtility-sensitive"?

 

I'd like to see the api login and transaction key logging go away completely from the HttpUtility output.

 

Ideally, I'd like to see the xml request filtered to not show any <payment> information beyond a generic <creditCard> output. (I suppose masked credit card number would be acceptable).

 

I think it would also be wise to not output <billTo> information nor <customer> information with the non-sensitive-data logger other than <customer><id> even though this is not strictly required by PCI DSS.

 

We want to log when transactions occur with enough context to know what those transactions are without making our logs a security risk.
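
An added sketch of the split this request describes, not code from the post or from the Authorize.Net SDK: the raw request goes only to the "HttpUtility-sensitive" logger, and the general logger gets a copy with the credentials, card details, <billTo> and all of <customer> except <id> removed. The class name, the java.util.logging loggers and the sample request (constructed, not schema-complete) are assumptions.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class RequestLogRedactor { // hypothetical class, not part of the SDK
    static final Logger GENERAL = Logger.getLogger("HttpUtility");
    static final Logger SENSITIVE = Logger.getLogger("HttpUtility-sensitive"); // enabled separately
    // Remove every child of each <tag> element except children named keep (null keeps none).
    static void strip(Document doc, String tag, String keep) {
        NodeList hits = doc.getElementsByTagName(tag);
        for (int i = 0; i < hits.getLength(); i++) {
            NodeList kids = hits.item(i).getChildNodes();
            for (int j = kids.getLength() - 1; j >= 0; j--) // backwards: the child list is live
                if (!kids.item(j).getNodeName().equals(keep)) hits.item(i).removeChild(kids.item(j));
        }
    }

    static String redact(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        strip(doc, "merchantAuthentication", null); // api login and transaction key
        strip(doc, "payment", "creditCard");        // keep only a generic <creditCard/>
        strip(doc, "creditCard", null);             // card number, expiration date, etc.
        strip(doc, "billTo", null);
        strip(doc, "customer", "id");               // keep only <customer><id>
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }
    static void logRequest(String xml) {
        SENSITIVE.fine(xml); // full dump, only on the separately configured logger
        try { GENERAL.fine(redact(xml)); }
        catch (Exception e) { GENERAL.fine("request body withheld: redaction failed"); } // fail closed
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample request with placeholder credentials and a test card number.
        String sample = "<createTransactionRequest><merchantAuthentication><name>LOGIN_PLACEHOLDER</name><transactionKey>KEY_PLACEHOLDER</transactionKey></merchantAuthentication>"
            + "<transactionRequest><amount>5.00</amount><payment><creditCard><cardNumber>4111111111111111</cardNumber><expirationDate>2030-12</expirationDate></creditCard></payment>"
            + "<customer><id>42</id><email>a@example.com</email></customer><billTo><firstName>Ann</firstName></billTo></transactionRequest></createTransactionRequest>";
        logRequest(sample);
        System.out.println(redact(sample));
    }
}
```

The redacted copy still carries the request type, the amount and the customer id, so a transaction can be identified from the general log. If the request cannot be parsed, the general logger records that the body was withheld and never falls back to the raw XML.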

 

3 Comments
mkienenb
Contributor

Here's a trivial implementation which only moves logging of both the request and the merchant authentication keys to a separate logger and makes no attempt to provide non-sensitive request logging.

 

https://github.com/AuthorizeNet/sdk-java/pull/88

 

Status changed to: Accepted
RichardH
Administrator
 