Ability to log HttpUtility calls without exposing sensitive information

Status: Accepted
by on ‎04-19-2016 10:20 AM

Right now, connection details logged from HttpUtility at the debug level include a great deal of useful information along with:

- the API login and transaction key
- full dump of the XML request including unmasked credit card number, expiration date, etc.

Can we move the logging of these two items to a separately-configurable logger like "HttpUtility-sensitive"?

I'd like to see the API login and transaction key logging go away completely from the HttpUtility output.

Ideally, I'd like to see the XML request filtered to not show any <payment> information beyond a generic <creditCard> output. (I suppose masked credit card number would be acceptable.)

I think it would also be wise to not output <billTo> information nor <customer> information with the non-sensitive-data logger other than <customer><id>, even though this is not strictly required by PCI DSS.

We want to log when transactions occur with enough context to know what those transactions are without making our logs a security risk.
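
One way to produce the filtered request output asked for above, as an added example that is not part of the original post or of the Authorize.Net SDK. The class name `RequestLogSanitizer`, the `merchantAuthentication` wrapper element and the sample XML with its placeholder values are assumptions made for the illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class RequestLogSanitizer { // hypothetical helper, not an SDK class
    // Returns request XML fit for the ordinary debug logger; never falls back to the raw text.
    static String sanitize(String xml) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            for (String tag : new String[] {"merchantAuthentication", "billTo"}) {
                NodeList hits = doc.getElementsByTagName(tag); // live list: shrinks on removal
                while (hits.getLength() > 0) hits.item(0).getParentNode().removeChild(hits.item(0));
            }
            NodeList pay = doc.getElementsByTagName("payment");
            for (int i = 0; i < pay.getLength(); i++) // keep e.g. <creditCard>, drop its contents
                for (Node c = pay.item(i).getFirstChild(); c != null; c = c.getNextSibling())
                    if (c instanceof Element) c.setTextContent("[redacted]");
            NodeList cust = doc.getElementsByTagName("customer");
            for (int i = 0; i < cust.getLength(); i++) // keep only <customer><id>
                for (Node c = cust.item(i).getFirstChild(), next = null; c != null; c = next) {
                    next = c.getNextSibling();
                    if (!"id".equals(c.getNodeName())) cust.item(i).removeChild(c);
                }
            Transformer t = TransformerFactory.newInstance().newTransformer();
            t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
            StringWriter out = new StringWriter();
            t.transform(new DOMSource(doc), new StreamResult(out));
            return out.toString();
        } catch (Exception e) { // unparseable input is withheld rather than logged raw
            return "[request withheld: could not be sanitized]";
        }
    }
    public static void main(String[] args) {
        String sample = "<createTransactionRequest><merchantAuthentication><name>LOGIN</name>" // constructed
            + "<transactionKey>KEY</transactionKey></merchantAuthentication><transactionRequest>"
            + "<amount>5.00</amount><payment><creditCard><cardNumber>4111111111111111</cardNumber>"
            + "</creditCard></payment><customer><id>42</id><email>a@example.com</email></customer>"
            + "<billTo><firstName>A</firstName></billTo></transactionRequest></createTransactionRequest>";
        System.out.println(sanitize(sample));
    }
}
```

The unfiltered request would still go only to the separately configured sensitive logger; this filtered form is what the regular HttpUtility debug output would carry.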

 

Comments
by
on ‎04-19-2016 10:57 AM

Here's a trivial implementation which only moves logging of both the request and the merchant authentication keys to a separate logger and makes no attempt to provide non-sensitive request logging.

https://github.com/AuthorizeNet/sdk-java/pull/88

 

by Administrator Administrator
on ‎09-02-2016 01:35 PM
Status changed to: Accepted
 