During a PA-DSS audit, a credit card number was found in our server (in a process memory dump) after a credit card transaction had completed.
To solve this, I initially tried just calling the JVM garbage collector at the end of the payment transaction, since our variables were local. But there was another instance referring to the credit card (CC) in the memory dump. This CC string (actually it was a byte[]) was referenced by the CXF SOAP client object, which used the internal sun.net.www.protocol.https.HttpsClient, which in turn used a BufferedOutputStream object.
Looking at the code of BufferedOutputStream, I noticed that the private flushBuffer() method simply sets the count variable to zero and does not clear the internal byte[] array.
There is no problem with this code for a regular application (just resetting the count variable is simpler and more efficient), but it raised a flag in our security audit process, so my alternative was to create a custom java.io.BufferedOutputStream that zeroes this byte array, and then add this file to Tomcat's class load path.
    // requires: import java.util.Arrays;
    private void flushBuffer() throws IOException {
        if (count > 0) {
            out.write(buf, 0, count);
            Arrays.fill(buf, 0, count, (byte) 0); // overwrite the bytes just written so the card data does not linger in the buffer
            count = 0;
        }
    }
It really worked, and I could no longer find the CC data in the memory dump, but I don't think this is the right solution (a custom change to a core Java class).
Any suggestion on how I could solve this problem differently (without having to change the library code)?
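As an added illustration (this is not code from the question, from CXF or from the JDK), the following standalone Java program reproduces the retention the question describes and shows one way to zero the buffer without replacing a JDK class on the boot path: subclassing java.io.BufferedOutputStream, whose buf and count fields are protected. The class names, the snapshot() helper and the card number (a well-known invalid test value, not real data) are constructed for this example.

```java
import java.io.BufferedOutputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example (hypothetical class names): shows that BufferedOutputStream keeps
 * written bytes in its internal buffer after flush(), and a subclass that
 * overwrites that buffer with zeros instead of patching the JDK class.
 */
public class BufferZeroizingDemo {

    /** Stock BufferedOutputStream behaviour plus a way to look at its protected buffer. */
    static class InspectableBufferedOutputStream extends BufferedOutputStream {
        InspectableBufferedOutputStream(OutputStream out, int size) { super(out, size); }

        /** Copy of the internal buffer; 'buf' is a protected field of BufferedOutputStream. */
        byte[] snapshot() { return buf.clone(); }
    }

    /** Same stream, but the buffer is overwritten with zeros every time it is flushed. */
    static class ZeroizingBufferedOutputStream extends InspectableBufferedOutputStream {
        ZeroizingBufferedOutputStream(OutputStream out, int size) { super(out, size); }

        @Override
        public synchronized void flush() throws IOException {
            super.flush();              // writes buf[0..count) to 'out' and sets count = 0 ...
            Arrays.fill(buf, (byte) 0); // ... but leaves the bytes in place, so overwrite them here
        }

        /*
         * flushBuffer() is private, so a subclass cannot intercept the internal flush that
         * happens when the buffer fills up. Flushing after every write keeps the window in
         * which sensitive bytes sit in 'buf' as short as possible, at the cost of buffering.
         */
        @Override
        public synchronized void write(byte[] b, int off, int len) throws IOException {
            super.write(b, off, len);
            flush();
        }

        @Override
        public synchronized void write(int b) throws IOException {
            super.write(b);
            flush();
        }
    }

    /** Naive byte-sequence search, used to check whether the card number survives in a buffer. */
    static boolean contains(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed test value (invalid card number), wrapped in a SOAP-like element.
        byte[] pan = "4111111111111111".getBytes(StandardCharsets.US_ASCII);
        byte[] payload = ("<pan>" + new String(pan, StandardCharsets.US_ASCII) + "</pan>")
                .getBytes(StandardCharsets.US_ASCII);

        // 1. Stock behaviour: after flush() the card number is still in the buffer.
        InspectableBufferedOutputStream plain =
                new InspectableBufferedOutputStream(new ByteArrayOutputStream(), 1024);
        plain.write(payload);
        plain.flush();
        System.out.println("stock buffer still holds the PAN after flush: "
                + contains(plain.snapshot(), pan));

        // 2. Zeroizing subclass: the buffer is all zeros after flush().
        ZeroizingBufferedOutputStream zeroizing =
                new ZeroizingBufferedOutputStream(new ByteArrayOutputStream(), 1024);
        zeroizing.write(payload);
        zeroizing.flush();
        System.out.println("zeroizing buffer still holds the PAN after flush: "
                + contains(zeroizing.snapshot(), pan));
    }
}
```

Run it with `java BufferZeroizingDemo.java` on JDK 11 or later; the first line prints true and the second false. Two caveats matter for the situation in the question: a subclass only reaches streams the application itself constructs, so it does nothing for the BufferedOutputStream that the JDK's HttpsClient creates internally, and zeroing one buffer does not remove other copies of the card number (the String or byte[] the application built, the SOAP message, the TLS layer's own buffers). A memory-dump check like the one the audit performed is the only reliable way to confirm which copies remain.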