Right now, connection details logged from HttpUtility at the debug level include a great deal of useful information along with:
- the api login and transaction key
- full dump of the xml request including unmasked credit card number, expiration date, etc.
Can we move the logging of these two items to a separately-configurable logger like "HttpUtility-sensitive"?
I'd like to see the api login and transaction key logging go away completely from the HttpUtility output.
Ideally, I'd like to see the xml request filtered to not show any <payment> information beyond a generic <creditCard> output. (I suppose masked credit card number would be acceptable).
I think it would also be wise to not output <billTo> information nor <customer> information with the non-sensitive-data logger other than <customer><id> even though this is not strictly required by PCI DSS.
We want to log when transactions occur with enough context to know what those transactions are without making our logs a security risk.
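The redaction described above, as an added example that is not part of the SDK or of this issue: two loggers ("HttpUtility" for the redacted request, "HttpUtility-sensitive" for the raw dump, disabled unless deliberately enabled), and a filter that drops <merchantAuthentication> and <billTo>, replaces <payment> with a generic <creditCard> carrying only a masked card number, and keeps <customer><id> but nothing else under <customer>. The sample request, its element names and all values are constructed placeholders shaped like an Authorize.Net request; the SDK itself is Java, so this Python sketch only demonstrates the approach.

```python
import logging
import xml.etree.ElementTree as ET

# Two loggers, as proposed: the normal one carries a redacted request, the
# "-sensitive" one carries the raw dump and stays off unless deliberately enabled.
LOG = logging.getLogger("HttpUtility")
SENSITIVE_LOG = logging.getLogger("HttpUtility-sensitive")
SENSITIVE_LOG.disabled = True  # opt-in only: a deliberate config change turns this on

# Constructed sample request (placeholder values only; nothing here is real data).
SAMPLE_REQUEST = """<createTransactionRequest xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <merchantAuthentication>
    <name>API_LOGIN_PLACEHOLDER</name>
    <transactionKey>TRANSACTION_KEY_PLACEHOLDER</transactionKey>
  </merchantAuthentication>
  <refId>order-1001</refId>
  <transactionRequest>
    <transactionType>authCaptureTransaction</transactionType>
    <amount>12.34</amount>
    <payment>
      <creditCard>
        <cardNumber>4111111111111111</cardNumber>
        <expirationDate>2030-12</expirationDate>
        <cardCode>123</cardCode>
      </creditCard>
    </payment>
    <customer>
      <id>cust-42</id>
      <email>person@example.invalid</email>
    </customer>
    <billTo>
      <firstName>Jane</firstName>
      <lastName>Doe</lastName>
      <address>1 Example St</address>
    </billTo>
  </transactionRequest>
</createTransactionRequest>
"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _ns_prefix(tag: str) -> str:
    """Return '{uri}' for a namespaced tag, '' otherwise, so new elements match the tree."""
    return tag[: tag.index("}") + 1] if tag.startswith("{") else ""


def mask_pan(pan):
    """Keep only the last four digits of a card number; everything else becomes X."""
    digits = "".join(ch for ch in (pan or "") if ch.isdigit())
    if len(digits) <= 4:
        return "X" * len(digits)
    return "X" * (len(digits) - 4) + digits[-4:]


def _redact(elem):
    """Walk the tree in place, removing or replacing the sensitive subtrees."""
    for child in list(elem):
        name = _local(child.tag)
        ns = _ns_prefix(child.tag)
        if name in ("merchantAuthentication", "billTo"):
            elem.remove(child)  # credentials and billing address never reach the normal logger
        elif name == "payment":
            # Replace the whole <payment> subtree with a generic <creditCard> holding a masked PAN.
            generic = ET.Element(child.tag)
            generic.tail = child.tail
            card = ET.SubElement(generic, ns + "creditCard")
            pan = child.findtext(".//" + ns + "cardNumber")
            ET.SubElement(card, ns + "cardNumber").text = mask_pan(pan)
            position = list(elem).index(child)
            elem.remove(child)
            elem.insert(position, generic)
        elif name == "customer":
            for grandchild in list(child):
                if _local(grandchild.tag) != "id":  # keep <customer><id> only
                    child.remove(grandchild)
        else:
            _redact(child)


def redact_request(xml_text: str) -> str:
    """Return a copy of the request that is safe for the non-sensitive logger."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # Fail closed: if the request cannot be parsed it cannot be redacted, so log nothing of it.
        return "<request omitted: not well-formed XML, so it could not be redacted>"
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1 : root.tag.index("}")])  # keep the default xmlns on output
    _redact(root)
    return ET.tostring(root, encoding="unicode")


def log_request(xml_text: str) -> str:
    """Raw dump goes only to the sensitive logger; the redacted form goes to the normal one."""
    SENSITIVE_LOG.debug("raw request: %s", xml_text)
    redacted = redact_request(xml_text)
    LOG.debug("request: %s", redacted)
    return redacted


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(log_request(SAMPLE_REQUEST))
```

The element-level approach matters more than the masking itself: a regex over the serialized text would catch a 16-digit run but not the transaction key, the expiration date or the address, while removing whole subtrees by name covers everything under them regardless of how the request is formatted. Enabling "HttpUtility-sensitive" then becomes an explicit, auditable configuration decision rather than a side effect of turning on debug logging.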