Right now, connection details logged from HttpUtility at the debug level include a great deal of useful information along with:

- the API login and transaction key
- a full dump of the XML request, including the unmasked credit card number, expiration date, etc.

Can we move the logging of these two items to a separately-configurable logger like "HttpUtility-sensitive"?

I'd like to see the API login and transaction key logging go away completely from the HttpUtility output. Ideally, I'd like to see the XML request filtered to not show any <payment> information beyond a generic <creditCard> output. (I suppose a masked credit card number would be acceptable.) I think it would also be wise to not output <billTo> information nor <customer> information with the non-sensitive-data logger other than <customer><id>, even though this is not strictly required by PCI DSS.

We want to log when transactions occur with enough context to know what those transactions are without making our logs a security risk.
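The filtering requested in the post, as an added Python example (not part of the original post and not the SDK's own code). `merchantAuthentication` is an assumed name for the element holding the API login and transaction key, and the sample request is constructed.

```python
import logging
import xml.etree.ElementTree as ET

# <payment>, <creditCard>, <billTo>, <customer>, <id> are named in the post;
# <merchantAuthentication> is an ASSUMED wrapper for the API login and key.
DROP = {"merchantAuthentication"}
# Container -> children allowed to remain (emptied unless listed in KEEP_TEXT).
SHELL = {"payment": {"creditCard"}, "billTo": set(), "customer": {"id"}}
KEEP_TEXT = {"id"}
log = logging.getLogger("HttpUtility")
sensitive = logging.getLogger("HttpUtility-sensitive")
sensitive.propagate = False  # silent until an operator attaches a handler

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any "{namespace}" prefix

def _scrub(elem):
    for child in list(elem):
        name = _local(child.tag)
        if name in DROP:
            elem.remove(child)
        elif name in SHELL:
            child.text = None
            for sub in list(child):
                if _local(sub.tag) not in SHELL[name]:
                    child.remove(sub)
                elif _local(sub.tag) not in KEEP_TEXT:
                    sub.clear()  # keeps the tag; drops text, attributes, children
        else:
            _scrub(child)

def sanitize(xml_text):
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "<unparseable request withheld>"  # fail closed, never echo raw
    holder = ET.Element("holder")  # lets _scrub treat the root like any child
    holder.append(root)
    _scrub(holder)
    return "".join(ET.tostring(e, encoding="unicode") for e in holder)

def log_request(xml_text):
    log.debug("request: %s", sanitize(xml_text))
    sensitive.debug("raw request: %s", xml_text)

# Constructed sample; element names beyond those in the post are invented.
SAMPLE = ("<req><merchantAuthentication><name>LOGIN</name><transactionKey>KEY"
          "</transactionKey></merchantAuthentication><payment><creditCard><cardNumber>"
          "4111111111111111</cardNumber></creditCard></payment><customer><id>cust-42</id>"
          "<email>a@example.com</email></customer><billTo><zip>00000</zip></billTo></req>")
```

Because the raw request goes only to `HttpUtility-sensitive`, whose propagation is off, the full dump appears only where an operator has deliberately attached a handler to that logger.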