MB-R082
Magento databases must not store raw card numbers, CVV, magnetic stripe data, or equivalent sensitive authentication data unless the environment is intentionally in full PCI DSS scope and protected accordingly. Scan schema names, payment tables, custom extension tables, and sampled values for cardholder data indicators. Tokenized references and provider customer IDs are preferred over raw payment data.
Raw PAN, CVV, or track data stored in the Magento database turns the store into a high-value payment data target. A normal database backup, staging refresh, SQL export, or support query can become a serious data exposure if cardholder data is retained.
Tokenized payment flows keep sensitive authentication data with the payment provider. Magento should store only safe references such as payment method labels, gateway transaction IDs, masked last-four display values, and provider tokens that are approved for storage.
# Search SQL dumps or safe database exports for payment data patterns
grep -RIE "(cvv|card_number|pan|track1|track2)" var/ backup/ 2>/dev/null
# Review custom payment tables and sales payment additional_information fields
# Confirm payment modules use hosted fields, hosted checkout, redirect, or tokenization
# Expected: no custom table or attribute stores raw cardholder data
CREATE TABLE custom_payment (
order_id INT,
card_number VARCHAR(19),
cvv VARCHAR(4)
);
# Raw card data stored in Magento → FAIL
CREATE TABLE custom_payment (
order_id INT,
gateway_token VARCHAR(128),
card_last4 CHAR(4)
);
# Token/reference only → PASS