A recent blog post at www.pcianswers.com further shows the focus on payment applications, with PABP and these requirements:

- PABP requirement #1: Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
- PCI requirement #3.2: Do not store sensitive authentication data subsequent to authorization (even if encrypted). This includes the full magnetic stripe (track data), the card validation code, and the PIN or encrypted PIN block.
- PCI requirement #3.3: Mask the PAN when displayed (the first 6 and last 4 digits are the maximum that can be displayed).

jPOS has its own logging subsystem, which is typically used with Q2. A typical logging configuration is a 00_logger.xml file in the deploy directory of a jPOS application and looks like this:
To comply with the PABP and PCI requirements listed above, add a ProtectedLogListener to that configuration; it looks like this:
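The following 00_logger.xml is an added example and not the listing from the original post. It assumes the standard Q2 LoggerAdaptor with a SimpleLogListener (stdout) and a RotateLogListener (file); the log file name log/q2.log, the rotation values and the exact field numbers in protect/wipe are assumptions chosen to match the field list discussed below. The one thing that matters for security is the position of the ProtectedLogListener: listeners run in order and later ones only see the event the earlier ones hand them, so it has to be the first listener, otherwise the unmasked event has already been written by the time it runs.

```xml
<logger name="Q2" class="org.jpos.q2.qbean.LoggerAdaptor">
  <!-- Must be the FIRST listener: SimpleLogListener and RotateLogListener
       below only receive the masked/wiped LogEvent if this one runs first.
       Without this listener (the default 00_logger.xml) fields 2, 35, 45
       and 52 are written to stdout and to log/q2.log in clear. -->
  <log-listener class="org.jpos.util.ProtectedLogListener">
    <!-- space separated ISO-8583 field numbers (assumed for this example) -->
    <property name="protect" value="2 35 45" />   <!-- PAN, Track 2, Track 1 -->
    <property name="wipe"    value="52" />        <!-- PIN block: never logged -->
  </log-listener>

  <log-listener class="org.jpos.util.SimpleLogListener" />

  <log-listener class="org.jpos.util.RotateLogListener">
    <property name="file"    value="log/q2.log" />  <!-- assumed path -->
    <property name="window"  value="86400" />
    <property name="copies"  value="5" />
    <property name="maxsize" value="1000000" />
  </log-listener>
</logger>
```

After deploying it, send a test transaction with a known test PAN through the system and grep the log for the full PAN and for the raw PIN block value; neither should appear anywhere, including in exception traces.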
Note on the protect and wipe properties:

protect masks the listed fields, keeping at most the first 6 and last 4 digits of the PAN and only the expiry date on track data:
- "40000101010001" is converted to "400001____0001"
- "40000101010001=020128375" is converted to "400001____0001=0201_____"
- "123" is converted to "___"
wipe prevents the listed fields from being logged at all.

The ISO-8583 fields you will most likely want to protect or wipe are:
- Field 2 - Primary Account Number (PAN)
- Field 35 - Track 2 data (PAN, expiration date and discretionary data read from the magnetic stripe)
- Field 45 - Track 1 data (PAN, cardholder name and discretionary data)
- Field 52 - PIN data / encrypted PIN block (wipe this one rather than protect it; a PIN block must never reach the log, not even partially)

Keep in mind that the listener only touches the fields you list: if a PAN or track data can also appear in another field (a private-use field, for instance), list that field too. It also only affects log output; requirement 3.2 still applies to anything the application stores.

You will also want your file integrity monitoring software to watch the 00_logger.xml file so that any unauthorized change (removing the ProtectedLogListener, or dropping a field from its protect or wipe list) is detected, and you should apply restrictive permissions on who can read and modify the file.
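To check offline what the masking rules above do to a whole message, here is a small re-implementation of them in Python. It is an added example, not jPOS code: jPOS's own masking lives in org.jpos.util.ProtectedLogListener and may differ in details. The function names (mask_pan, mask_tail, protect, protect_message), the "[WIPED]" placeholder, the rule that values of 10 characters or fewer are masked completely (so the 6-clear and 4-clear windows can never overlap and expose the whole value), the Track 1 handling and the sample message are all assumptions made for this example; the sample PAN is a test number, not a real account.

```python
"""Added example (not jPOS code): the protect/wipe masking rules re-implemented
so their effect on an ISO-8583 field map can be checked without running Q2."""

MASK = "_"


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits (the PCI DSS 3.3 maximum), mask the rest.
    Values of 10 characters or fewer are masked entirely (assumed, stricter rule)
    so the two clear windows never overlap: "123" -> "___"."""
    if len(pan) > 10:
        return pan[:6] + MASK * (len(pan) - 10) + pan[-4:]
    return MASK * len(pan)


def mask_tail(tail: str) -> str:
    """Data after the PAN on a track: keep the 4-digit expiry (YYMM), mask the
    service code and discretionary data that follow it."""
    return tail[:4] + MASK * max(0, len(tail) - 4)


def protect(value: str) -> str:
    """Mask a bare PAN, a Track 2 value ('=' separated) or a Track 1 value
    ('^' separated). Matches the three examples given in the text:
      '40000101010001'           -> '400001____0001'
      '40000101010001=020128375' -> '400001____0001=0201_____'
      '123'                      -> '___'
    """
    if "^" in value:  # Track 1: B<PAN>^<NAME>^<EXP><SVC><DISCRETIONARY>
        pan, name, *rest = value.split("^")
        fmt = pan[0] if pan[:1].isalpha() else ""  # keep the format code ('B')
        out = [fmt + mask_pan(pan[len(fmt):]), MASK * len(name)]
        out += [mask_tail(part) for part in rest]
        return "^".join(out)
    if "=" in value:  # Track 2: <PAN>=<EXP><SVC><DISCRETIONARY>
        pan, _, tail = value.partition("=")
        return mask_pan(pan) + "=" + mask_tail(tail)
    return mask_pan(value)


# Assumed defaults: the same field numbers discussed in the text.
PROTECT_FIELDS = frozenset({2, 35, 45})
WIPE_FIELDS = frozenset({52})
WIPED = "[WIPED]"  # placeholder chosen for this example


def protect_message(fields: dict, protect_fields=PROTECT_FIELDS,
                    wipe_fields=WIPE_FIELDS) -> dict:
    """Return a copy of an ISO-8583 field map that is safe to log: wiped fields
    are replaced by a marker, protected fields are masked, everything else is
    passed through unchanged. Note the failure mode: a PAN sitting in a field
    that is not listed is still logged in clear."""
    out = {}
    for fld, val in fields.items():
        if fld in wipe_fields:
            out[fld] = WIPED
        elif fld in protect_fields:
            out[fld] = protect(str(val))
        else:
            out[fld] = val
    return out


# Constructed sample message (test PAN, not a real account).
SAMPLE = {
    0: "0200",
    2: "40000101010001",
    3: "000000",
    4: "000000001000",
    35: "40000101010001=020128375",
    45: "B40000101010001^DOE/JOHN^02011011234567",
    52: "0123456789ABCDEF",
}

if __name__ == "__main__":
    for fld, val in protect_message(SAMPLE).items():
        print(f"{fld:>3}: {val}")
```

Run it and compare the printed map with what your real log shows for the same fields; any difference points at a field missing from the protect or wipe list, or at a listener ordered before the ProtectedLogListener.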