MB-R084
Application, integration, exception, debug, and payment logs must not contain PAN, CVV, track data, or full payment payloads. PCI DSS prohibits storing sensitive authentication data after authorization and requires strong protection for any cardholder data retained. Scan log paths and recent samples for card data patterns and require masking or deletion when detected.
Logs are widely used by developers, agencies, support teams, and monitoring systems. If application logs contain PAN, CVV, authorization payloads, or payment tokens, many people and systems may gain access to sensitive payment data without realizing it.
Payment log sanitization lets teams troubleshoot checkout issues without turning logs into a second payment database.
# Review Magento and integration logs for payment data
grep -RIE "(card_number|cvv|pan|payment_intent|authorization|token)" var/log 2>/dev/null
# Search custom modules for raw payload logging
grep -R "logger->" app/code 2>/dev/null
$this->logger->debug(json_encode($paymentRequest));
# Full payment payload logged → FAIL
$this->logger->debug("Payment request", ["order" => $orderId, "method" => $method]);
# Sensitive fields omitted → PASS