Full CC Number and CVV info are stored in the log file

[sstringer]

If you provide a log file name in the AUTHORIZENET_LOG_FILE, the log file will dutifully store the XML sent to Authorize.net, including the credit card number and the CVV value. If you're trying to adhere to PCI compliance rules, this is a violation, and a pretty egregious one at that since the data are stored unencrypted in the clear. It also violates the credit card vendors' rules against ever storing the CVV in any way.

My suggestion would be to obfuscate the card number with Xs and reveal only the last four digits of the card number. I would also obfuscate the entire CVV with Xs. A fancy version would make this an optional switch that is on by default, meaning I, the developer, have to set a flag explicitly to store these values in the clear.

Thanks,
Steve

[brianmc]

Thanks for this @sstringer, we're working on the fix right now and I'm closing this one as we have a duplicate with #48