diff --git a/src/main/java/com/checkout/ApacheHttpClientTransport.java b/src/main/java/com/checkout/ApacheHttpClientTransport.java
index 64628ed5..8cbef97a 100644
--- a/src/main/java/com/checkout/ApacheHttpClientTransport.java
+++ b/src/main/java/com/checkout/ApacheHttpClientTransport.java
@@ -363,6 +363,10 @@ private Response handleException(Exception e, String errorMessage) {
     }
 
     private Header[] sanitiseHeaders(final Header[] headers) {
+        // TODO: discuss whether Cko-Idempotency-Key should also be filtered — it is a per-request
+        //  unique identifier (not a credential), but filtering it reduces exposure in INFO logs.
+        //  Uncomment the line below once agreed.
+        // .filter(it -> !it.getName().equalsIgnoreCase(CKO_IDEMPOTENCY_KEY))
         return Arrays.stream(headers)
                 .filter(it -> !it.getName().equals(AUTHORIZATION))
                 .toArray(Header[]::new);
diff --git a/src/main/java/com/checkout/CheckoutApiException.java b/src/main/java/com/checkout/CheckoutApiException.java
index a3cbff9b..f04ff4a0 100644
--- a/src/main/java/com/checkout/CheckoutApiException.java
+++ b/src/main/java/com/checkout/CheckoutApiException.java
@@ -7,7 +7,7 @@
 import java.util.Map;
 
 @Getter
-@ToString
+@ToString(exclude = "responseHeaders")
 public final class CheckoutApiException extends CheckoutException {
 
     private final Integer httpStatusCode;
diff --git a/src/main/java/com/checkout/GsonSerializer.java b/src/main/java/com/checkout/GsonSerializer.java
index 2af579ab..2652ae4c 100644
--- a/src/main/java/com/checkout/GsonSerializer.java
+++ b/src/main/java/com/checkout/GsonSerializer.java
@@ -43,6 +43,7 @@
 import com.google.gson.reflect.TypeToken;
 import com.google.gson.typeadapters.RuntimeTypeAdapterFactory;
 import lombok.Getter;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.EnumUtils;
 import org.apache.http.NameValuePair;
 import org.apache.http.client.entity.UrlEncodedFormEntity;
@@ -67,6 +68,7 @@
 import java.util.stream.IntStream;
 
 @Getter
+@Slf4j
 public class GsonSerializer implements Serializer {
 
     private static final List<DateTimeFormatter> DEFAULT_FORMATTERS = Arrays.asList(
@@ -438,7 +440,7 @@ private static JsonDeserializer<ProductResponse> getProductDeserializer() {
                             }
                         }
                     } catch (IllegalAccessException e) {
-                        System.err.println("Error setting field: " + entry.getKey() + ", " + e.getMessage());
+                        log.warn("Error setting field: {}", entry.getKey(), e);
                     }
                 });