During PlaceOrderAndAuthorize_API execution password and customers credit card number can be seen in plain text in PBA logs and XXX prefix, that is suggested to use to avoid logging of sensitive data is not deleted from actual password/card number. For example the following fields are used to pass account's login and password:
As a result user with login test and password XXXtest is created. XXXtest value can be seen in plain text in logs.
How to avoid password/card number logging and make PBA remove XXX prefix?
The correct format for password filed is the following:
for credit card:
So XXX prefix should be in the field's very beginning.
There is a bug PBA-61549 for incorrect example provided in PBA API guide.