enableMasking not working if non-tokenised card details sent

[sipsorcery]

Failing when the REST API is called directly with the card details, no Flextokenisation etc.

Using latest release 0.0.1.14.

[2022-05-04 22:03:31.1672] [DEBUG] [PaymentsApi] : CALLING API "CreatePaymentAsync" STARTED
[2022-05-04 22:03:31.2929] [DEBUG] [PaymentsApi] : HTTP Request Body :
{"clientReferenceInformation":{"code":"2282a77a-d21f-47db-97a8-e27b006961a2","partner":{"solutionId":"xxxxx"}},"processingInformation":{"actionList":["CONSUMER_AUTHENTICATION"],"capture":true,"commerceIndicator":"internet","authorizationOptions":{"ignoreAvsResult":true,"ignoreCvResult":false}},"paymentInformation":{"card":{"number":"4111 1111 1111 1111","expirationMonth":"01","expirationYear":"2023","securityCode":"123"}},"orderInformation":{"amountDetails":{"totalAmount":"1.00","currency":"EUR"},"billTo":{"firstName":"NA","lastName":"NA","address1":"NA","address2":"NA","locality":"NA","administrativeArea":"NA","postalCode":"NA","country":"NA","email":"NA@example.com","phoneNumber":"12345678"},"shipTo":{"firstName":"Jane","lastName":"Doe","address1":"1 Somewhere St","locality":"Some City","administrativeArea":"Some State","postalCode":"A99 NR99","country":"IE"}},"consumerAuthenticationInformation":{"returnUrl":"https://localhost/callback","referenceId":"036c703b-01cd-41ff-89ce-501f254dfd1c","transactionMode":"S"}}
[2022-05-04 22:03:31.2929] [DEBUG] [MerchantConfig] : APPLICATION LOGGING START:

[wrightsonm]

Have you configured enableMasking and set it to true?

i.e.

if (!NLog.LogManager.Configuration.Variables.ContainsKey("enableMasking"))
                {
                    NLog.LogManager.Configuration.Variables.Add("enableMasking", new NLog.Layouts.SimpleLayout("true"));
                }

[sipsorcery]

Have you configured enableMasking and set it to true?

Yes, I've already had the joy of grappling with the requirement CyberSource has on NLog and the enableMasking setting.

The masking does work in certain cases but then fails in others.

[wrightsonm]

i think it is related to the whitespace in your card number.

https://regex101.com/r/sIJ3Cg/1

I think this is a bug that should be addressed by the Cybersource SDK team. Note they don't appear to monitor these github issues that much so best to raise it via developer@cybersource.com

If you look at the .net standard version you can see the source code for AuthenticationSDK which contains the masking code. For some reason the .net equivalent is not available on github.... ...but is probably the same.

https://github.com/CyberSource/cybersource-rest-client-dotnetstandard/blob/master/cybersource-rest-auth-netstandard/AuthenticationSdk/AuthenticationSdk/util/SensitiveDataConfigurationType.cs

new SensitiveTag("cardNumber", "(\\p{N}+)(\\p{N}{4})", "xxxxx$2", false),

[sipsorcery]

Thanks for the tips. I suspect you're right about the netstandard forum being a better spot for the issue.

I had the same thought about the spaces in the card number after seeing the regex but unfortunately removing the spaces didn't fix the problem.

I think this is a bug that should be addressed by the Cybersource SDK team. Note they don't appear to monitor these github issues that much so best to raise it via developer@cybersource.com

Has that worked for you? I've tried the official channels in the past but got told as I wasn't the direct CyberSource customer, the acquiring bank I work with is the CyberSource customer, they won't help.

[wrightsonm]

I am in the same situation as you where we primarily work with our acquiring bank.
Any emails that i've sent to developer@cybersource.com have also had contacts from our bank on copy.

The masking does work in certain cases but then fails in others.

Which scenarios work and which don't?

I have just checked our logs. We do not appear to have this issue. We are using an internal fork derived from cybersource-rest-client-dotnet version 0.0.1.18

The only notable difference is that for payments with the card details, no Flextokenisation etc we use the sync api calls whereas you are using the async equivalent.

[sipsorcery]

Definitely a bug in the library. I've sent an advisory to the developer@cybersource.com address. Until it's fixed I'd recommend not updating your fork to include any commits beyond mid Jan 2022...

[wrightsonm]

Have you found any scenarios where a card number without any whitespace is leaked into the logs in the latest version?

[sipsorcery]

fyi https://github.com/CyberSource/cybersource-rest-client-dotnetstandard/commit/edbc952ec3cc2b3048ee57c7e8c5781e3a2fdb22

[wrightsonm]

@sipsorcery there are still edge cases. I raised it against the latest PR but it hasn't been corrected.

See https://github.com/CyberSource/cybersource-rest-client-dotnetstandard/pull/37

i.e. Some of these examples will fail.

[DataTestMethod]
        [DataRow("\"cardNumber\":\"1111111111111111\"", "\"cardNumber\":\"xxxxx1111\"")]
        [DataRow("\"cardNumber\":\"4111 1111 1111 1111\"", "\"cardNumber\":\"xxxxx1111\"")]
        [DataRow("\"cardNumber\":\" 4111 1111 1111 1111\"", "\"cardNumber\":\"xxxxx1111\"")]
        [DataRow("\"cardNumber\":\"4111 1111 1111 1111 \"", "\"cardNumber\":\"xxxxx1111\"")]
        [DataRow("\"cardNumber\":\"41 11111111111111\"", "\"cardNumber\":\"xxxxx1111\"")]
        [DataRow("\"cardNumber\":\"41 11 11 11 11 11 11 11\"", "\"cardNumber\":\"xxxxx1111\"")]
        public void CardNumberIsMasked(string inputString, string outputString)
        {
            string result = new LogUtility().MaskSensitiveData(inputString);
            Assert.AreEqual(outputString, result);
            //run twice to ensure repeatability
            result = new LogUtility().MaskSensitiveData(inputString);
            Assert.AreEqual(outputString, result);
        }

[sipsorcery]

But at least now it's possible to get the masking orking by removing the spaces in the card number. Prior to that commit it wasn't.