0

I'm trying to find a solution for clearing sensitive credit card data from memory after communicating it to a payment gateway. Most payment gateways seem to expect the plain text card number as a string in the API. If I use a string in C# I cannot clear the memory as I do not have any control over when the memory is garbage collected. The below dto snippet from an SDK for Cybersource illustrates my problem. Note I'm trying to fulfill PA-DSS version 3.2 requirement 5.1.6.1 Coding techniques include documentation of how PAN and/or SAD are handled in memory. Our auditor is indicating that plain text account numbers cannot be stored in a C# string variable.

We have integrations with other gateways that also have this PAN in string variable issue. How are others dealing with this problem?

namespace CyberSource.Clients.SoapServiceReference
{
    //
    [DebuggerStepThrough]
    [DesignerCategory("code")]
    [GeneratedCode("System.Xml", "4.0.30319.34234")]
    [XmlType(Namespace = "urn:schemas-cybersource-com:transaction-data-1.109")]
    public class Card : INotifyPropertyChanged
    {
        public Card();

        [XmlElement(Order = 6)]
        public string cardType { get; set; }
        //
        [XmlElement(Order = 5)]
        public string cvNumber { get; set; }
        //
        [XmlElement(Order = 4)]
        public string cvIndicator { get; set; }
        //
        [XmlElement(DataType = "integer", Order = 3)]
        public string expirationYear { get; set; }
        //
        [XmlElement(DataType = "integer", Order = 2)]
        public string expirationMonth { get; set; }
        //
        [XmlElement(Order = 1)]
        public string accountNumber { get; set; }
        //
        [XmlElement(Order = 0)]
        public string fullName { get; set; }
J. Moore
  • 21
  • 2
  • We're struggling with the same problem. All the gateways we work with use HTTPS/TLS encryption for encrypting the messages in transit. But none of them provide APIs that encrypt the messages in memory on the client-side. Some gateways just expect an HTTP POST. But even these are problematic because the .NET HttpClient library does not ensure that the request stream is cleared or that no copies are made of the data in the stream. There is no solution, is there? – Matt Varblow Mar 29 '18 at 17:19

2 Answers2

1

The solution is to use SecureString: https://learn.microsoft.com/en-us/dotnet/api/system.security.securestring?view=netframework-4.7.1

Lots of examples on how to use it:
When would I need a SecureString in .NET?
Memory Heap Security: String garbage collection
C# SecureString Question

Chris Andrews
  • 1,881
  • 3
  • 21
  • 31
  • Thanks Chris - I can use a secure string up until the point where I need to pass the number off to the gateway. Which is in fact what I am doing. I'm really surprised that gateways don't have a way to encrypt the CC number so that the encrypted number could be sent instead of the plain text number. – J. Moore Dec 08 '17 at 22:33
  • I would say that comment is really a separate question. "I'm trying to find a solution for clearing sensitive credit card data from memory after communicating it to a payment gateway. " is really handled by the SecureString. I'm no expert with the CyberSource API, but from their github page https://github.com/CyberSource/cybersource-sdk-dotnet#support-for-message-level-encryption it looks like they support Message Level Encryption, which would encrypt the whole SOAP message. – Chris Andrews Dec 11 '17 at 16:16
-1

Actually, you have such a control. GC.Collect().https://msdn.microsoft.com/en-us/library/xe0c2357(v=vs.110).aspx. The problem there that you should be aware of how GC works to ensure your object indeed gets collected. It heavily depends upon your implementation, so I can't help more that just pointing out such a possibility.

Zazaeil
  • 3,900
  • 2
  • 14
  • 31