← Back to Baseline

MB-R084

No cardholder data in application logs

C07 Logging & Monitoring Critical

Application, integration, exception, debug, and payment logs must not contain PAN, CVV, track data, or full payment payloads. PCI DSS prohibits storing sensitive authentication data after authorization and requires strong protection for any cardholder data retained. Scan log paths and recent samples for card data patterns and require masking or deletion when detected.

Why it Matters

Logs are widely used by developers, agencies, support teams, and monitoring systems. If application logs contain PAN, CVV, authorization payloads, or payment tokens, many people and systems may gain access to sensitive payment data without realizing it.

Payment log sanitization lets teams troubleshoot checkout issues without turning logs into a second payment database.

Verification Steps

Log scan

# Review Magento and integration logs for payment data
grep -RIE "(card_number|cvv|pan|payment_intent|authorization|token)" var/log 2>/dev/null

Code inspection

# Search custom modules for raw payload logging
grep -R "logger->" app/code 2>/dev/null

Remediation / Fix Guidance

  1. Mask card numbers, CVV, tokens, authorization headers, and request bodies before logging.
  2. Disable verbose payment debug logs in production unless a tightly controlled support window is active.
  3. Restrict log access to trusted operators.
  4. Rotate or revoke any credentials or tokens that were logged.
  5. Add sanitization tests for payment integrations.

Examples

Fail Example
$this->logger->debug(json_encode($paymentRequest));
# Full payment payload logged → FAIL
Pass Example
$this->logger->debug("Payment request", ["order" => $orderId, "method" => $method]);
# Sensitive fields omitted → PASS

References