← Back to Baseline

MB-R082

No PAN, CVV, or track data stored in database

C12 Third‑party Config Security Critical

Magento databases must not store raw card numbers, CVV, magnetic stripe data, or equivalent sensitive authentication data unless the environment is intentionally in full PCI DSS scope and protected accordingly. Scan schema names, payment tables, custom extension tables, and sampled values for cardholder data indicators. Tokenized references and provider customer IDs are preferred over raw payment data.

Why it Matters

Raw PAN, CVV, or track data stored in the Magento database turns the store into a high-value payment data target. A normal database backup, staging refresh, SQL export, or support query can become a serious data exposure if cardholder data is retained.

Tokenized payment flows keep sensitive authentication data with the payment provider. Magento should store only safe references such as payment method labels, gateway transaction IDs, masked last-four display values, and provider tokens that are approved for storage.

Verification Steps

Database pattern scan

# Search SQL dumps or safe database exports for payment data patterns
grep -RIE "(cvv|card_number|pan|track1|track2)" var/ backup/ 2>/dev/null

# Review custom payment tables and sales payment additional_information fields

Payment configuration review

# Confirm payment modules use hosted fields, hosted checkout, redirect, or tokenization
# Expected: no custom table or attribute stores raw cardholder data

Remediation / Fix Guidance

  1. Remove raw cardholder data from Magento tables and backups using an approved secure deletion process.
  2. Refactor checkout/payment integrations to use hosted fields, redirects, iframe/tokenized fields, or provider SDK tokenization.
  3. Restrict storage to masked display values and approved gateway references only.
  4. Rotate affected payment credentials and involve the payment provider if raw data was discovered.
  5. Add database and export scanning to release or maintenance checks.

Examples

Fail Example
CREATE TABLE custom_payment (
    order_id INT,
    card_number VARCHAR(19),
    cvv VARCHAR(4)
);
# Raw card data stored in Magento → FAIL
Pass Example
CREATE TABLE custom_payment (
    order_id INT,
    gateway_token VARCHAR(128),
    card_last4 CHAR(4)
);
# Token/reference only → PASS

References