
A recent blog post at www.pcianswers.com further shows the focus on payment applications with PABP and these requirements:
PABP requirement (#1): Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
PCI requirement (#3.2): Do not store sensitive authentication data subsequent to authorization (even if encrypted). This includes full magnetic stripe (track data), card validation code, and PIN or encrypted PIN block.
PCI requirement (#3.3): Mask PAN when displayed (the first 6 and last 4 digits are the maximum that can be displayed).
jPOS has its own logging subsystem that is typically used with Q2. A typical logging configuration is a 00_logger.xml file in the deploy directory of a jPOS application that looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<logger name="Q2" class="org.jpos.q2.qbean.LoggerAdaptor">
  <log-listener class="org.jpos.util.SimpleLogListener" />
  <log-listener class="org.jpos.util.RotateLogListener">
    <property name="file" value="log/q2.log" />
    <property name="window" value="86400" />
    <property name="copies" value="30" />
    <property name="maxsize" value="1000000" />
  </log-listener>
</logger>
In order to comply with the PABP and PCI requirements listed above, you can use a ProtectedLogListener configuration that looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<logger name="Q2" class="org.jpos.q2.qbean.LoggerAdaptor">
  <log-listener class="org.jpos.util.ProtectedLogListener">
    <property name="protect" value="2 35" />
    <property name="wipe" value="52 45" />
  </log-listener>
  <log-listener class="org.jpos.util.RotateLogListener">
    <property name="file" value="log/q2.log" />
    <property name="window" value="86400" />
    <property name="copies" value="30" />
    <property name="maxsize" value="1000000" />
  </log-listener>
</logger>
Note on the protect and wipe properties:
Protect: masks the value so that only the first 6 and last 4 digits of the PAN remain readable, for example:
"40000101010001" is converted to "400001____0001"
"40000101010001=020128375" is converted to "400001____0001=0201_____"
"123" is converted to "___"
Wipe: prevents the field from being logged at all.
The ISO-8583 fields that you will most likely want to protect (2 and 35) and wipe (52 and 45) are:
Field 2 - Primary Account Number (PAN)
Field 35 - Track data (account number and magnetic stripe)
Field 52 - PIN Data / Encrypted PIN Block
Field 45 - Track 1 Data
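As an added illustration (this is not jPOS's own ProtectedLogListener code), the following re-implements the protect/wipe behaviour shown above for the fields configured in 00_logger.xml, and adds a check that scans constructed log lines for any Luhn-valid PAN that reached the log unmasked. The handling of values of 10 characters or fewer, and the 13 to 19 digit PAN length range, are assumptions.

```python
import re

PROTECT_FIELDS = {2, 35}  # "protect" fields from the 00_logger.xml above
WIPE_FIELDS = {52, 45}    # "wipe" fields from the 00_logger.xml above

def protect(value):
    """Mask as the page's examples show: first 6 and last 4 digits of the
    PAN and the 4 characters after '=' stay, the rest becomes '_'.
    Assumption: values of 10 characters or fewer are masked entirely."""
    pan, sep, rest = value.partition("=")
    if len(pan) <= 10:
        masked = "_" * len(pan)
    else:
        masked = pan[:6] + "_" * (len(pan) - 10) + pan[-4:]
    if not sep:
        return masked
    return masked + "=" + rest[:4] + "_" * max(len(rest) - 4, 0)

def render_for_log(fields):
    """Apply protect/wipe to an ISO-8583 field map before it is logged:
    wiped fields are dropped, protected fields masked, others pass."""
    out = {}
    for num, value in sorted(fields.items()):
        if num in WIPE_FIELDS:
            continue
        out[num] = protect(value) if num in PROTECT_FIELDS else value
    return out

def luhn_ok(digits):
    """Luhn checksum, to tell a PAN from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # assumed PAN length range

def find_unmasked_pans(log_lines):
    """Defender check over q2.log lines: (line number, value) for every
    Luhn-valid 13-19 digit run, i.e. a PAN that reached the log unmasked."""
    return [(n, m.group()) for n, line in enumerate(log_lines, 1)
            for m in PAN_RE.finditer(line) if luhn_ok(m.group())]

# Constructed sample log lines; 4111111111111111 is a well-known test PAN.
SAMPLE_LOG = [
    '<field id="2" value="4111111111111111"/>',  # leaked: logged unmasked
    '<field id="2" value="411111______1111"/>',  # correctly protected
    '<field id="11" value="000000123456"/>',     # STAN, not a PAN
]
```

Running find_unmasked_pans over a rotated q2.log is a quick way to confirm the protect and wipe settings actually took effect.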
You will also likely want to monitor the 00_logger.xml file with your file integrity monitoring software to detect any unauthorized changes, and to apply restrictive permissions on who has access to the 00_logger.xml file.