Hi,
One of our client had this problem before and we had to prove them about client and server security.
What did we do is, we used man of the middle attack in between client and server and caught the TCP packet using the Wireshark. We red TCP packet header but we could not track any details such as password, account, transaction details, etc. (No any plant text data sending).
So, they got to know that SAP Business one is Secured.
Please note that, All the testing in done by in the Test system not in production system.
Thank You.