MB-R083
Magento export folders, media paths, database dumps, backups, and archived artifacts must not contain PAN, CVV, track data, or full payment payloads. Cardholder data in files is easy to copy, index, expose through webroot mistakes, or retain beyond business need. Scan high-risk file types and storage paths for card data patterns and require secure deletion or tokenization when found.
Payment data in files, exports, media folders, database dumps, or archived backups is easy to copy and hard to govern. These locations are frequently transferred to staging, attached to support tickets, synced to cloud storage, or accidentally exposed by webroot mistakes.
Keeping cardholder data out of files reduces breach impact and prevents old artifacts from becoming long-lived payment data liabilities.
# Scan high-risk paths for card data terms and payment payloads
grep -RIE "(card_number|cvv|track|payment_payload|pan)" var/ pub/media/ export/ 2>/dev/null
# Inspect backup/export names and retention
find var pub/media -type f \( -iname "*.sql" -o -iname "*.csv" -o -iname "*.zip" \)
pub/media/export/orders_full.csv
# Contains card_number and cvv columns → FAIL
var/export/orders_masked.csv
# Contains payment_method and card_last4 only → PASS