Please check if a JIRA exists re this issue. If not, create one, please.

Regards,
Pierre

Sent from my iPhone

On 21 mrt. 2012, at 17:25, Vicky Park <vi...@pexsupply.com> wrote:

> Hello folks,
>
> I realized that printing some information on log files could violate PCI DSS
> (Payment Card Industry Data Security Standard), depending on how they configure
> the system and how they use the log file. If I understood correctly, we're
> printing the card holder's information, including credit card number, expiration
> and CVV number, in plain text on the log file.
>
> If we don't print it on the log at all on the live site, that would solve
> the problem. But if there is a person who wasn't aware of that fact, he
> might accidentally violate PCI DSS compliance. For example, let's say
> there is a person who keeps the log being printed on the live site. And for
> some reason, he downloaded the log file to his local computer and kept it in an
> unsafe location, or passed it to someone else to let them take a look at that
> log file when asking for help. Then I believe he is violating PCI DSS compliance
> accidentally.
>
> Code involved 1:
> [PayflowPro.java:166]
> if (Debug.verboseOn()) Debug.logVerbose("Sending to Verisign: " + params.toString(), module);
>
> Log which is being printed:
> [Datetime] (TP-Processor70) [ PayflowPro.java:166:INFO ] Sending to
> Verisign: PARTNER=verisign&VENDOR=[Company]&USER=[UserID]&PWD=[Password]&COMMENT1=[Order ID]&PONUM=[PO Order Id]
> &CUSTCODE=[Customer's code]&TRXTYPE=[]&TENDER=[]&CVV2=*[CVV number]*&AMT=[Amount]&ACCT=*[16 digit credit card number in plain text]*
> &FIRSTNAME=[Cardholder's firstname]&LASTNAME=[Card holder's last name]&COMMENT2=[]&EXPDATE=*[expiration date]*&STREET=[Card holder's address]&ZIP=[card holder's zip code]
>
> Code involved 2:
> [RequestHandler.java:719]
> if (Debug.infoOn()) Debug.logInfo("Sending redirect to: [" + url + "], sessionId=" + UtilHttp.getSessionId(req), module);
>
> => I realized that credit card information is being printed from a different
> file as well (RequestHandler.java:719). I need to check what service triggers
> RequestHandler.java:719 and passes credit card information within the url
> variable. But at least I noticed that sometimes that line in the log file contains
> credit card information in plain text as well.
>
> PCI DSS involved:
> 7. Restrict access to cardholder data by business need-to-know
> 9. Restrict physical access to cardholder data
> [Reference] http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
>
> So, here are my questions & recommendations:
>
> 1. As we (at least I) want to keep the log just in case, I think it's better
> not to print credit card information to the log file. What do you think?
> Do you think deleting that line is the best option?
> 2. If you guys think it's better to print at least some information to the
> log file for some purpose, I believe it's better to print it in encrypted
> format rather than in plain text. Otherwise we can print the last 4 digits or
> first 4 digits, not the entire number.
> 3. Do you know what triggers RequestHandler to print credit card
> information?
> 4. Is there any other file you can think of which likely prints credit
> card information to the log file?
>
> Hope it would be helpful for security improvement for myself and someone else
> who may use OFBiz on the live site.
>
> Thank you for reading.
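The masking suggested in item 2 (last four digits of the card number only, CVV never logged), plus a Luhn-based check for card numbers already sitting in existing log lines, as an added Python example that is not part of this thread or of OFBiz. The field names follow the Payflow request quoted above; the choice of which fields to drop versus truncate, and the sample log line, are my own assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed policy: these fields never reach a log, even partially (CVV2 may not
# be stored at all under PCI DSS; the gateway password and expiry add nothing).
DROP_ENTIRELY = {"CVV2", "PWD", "EXPDATE"}
# The PAN is truncated to its last four digits, enough to match a support case.
KEEP_LAST4 = {"ACCT"}

def _mask_value(key, value):
    """Return the loggable form of one key=value pair's value."""
    k = key.upper()
    if k in DROP_ENTIRELY:
        return "[REDACTED]"
    if k in KEEP_LAST4:
        digits = re.sub(r"\D", "", value)
        if len(digits) < 4:
            return "[REDACTED]"
        return "*" * (len(digits) - 4) + digits[-4:]
    return value

def redact_params(query):
    """Mask cardholder data in a k=v&k=v string (Payflow request body or URL
    query). Tokens without '=' are passed through unchanged."""
    out = []
    for pair in query.split("&"):
        key, sep, value = pair.partition("=")
        out.append(key + sep + _mask_value(key, value) if sep else pair)
    return "&".join(out)

def redact_url(url):
    """Apply the same masking to a redirect URL's query (the RequestHandler case)."""
    s = urlsplit(url)
    return urlunsplit((s.scheme, s.netloc, s.path, redact_params(s.query), s.fragment))

def luhn_valid(digits):
    """Luhn checksum used by card numbers; filters out order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(line):
    """Detection for existing logs: 13-19 digit runs that pass the Luhn check."""
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", line) if luhn_valid(m)]

# Constructed log line shaped like the PayflowPro one above, using a test PAN.
SAMPLE = ("Sending to Verisign: PARTNER=verisign&VENDOR=acme&USER=u1&PWD=s3cret&COMMENT1=10012"
          "&CVV2=123&AMT=49.99&ACCT=4111111111111111&FIRSTNAME=Jane&EXPDATE=1225&ZIP=90210")
```

The same idea applies at the two call sites above: pass the request string or the url through the masking step before handing it to Debug.logVerbose or Debug.logInfo.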