MB-R085
Payment integrations should be classified by how they handle card data, such as hosted redirect, hosted fields, iframe/tokenized fields, direct post, or custom raw card collection. This classification helps identify PCI scope and risk before remediation planning. Detect enabled payment modules, checkout templates, provider SDKs, and custom payment implementations to flag scope-expanding patterns.
Different payment methods create different PCI and operational risk. Hosted redirects, hosted fields, iframe fields, direct post, and custom raw-card collection do not have the same security implications.
Detecting payment method scope helps teams understand which integrations reduce sensitive data exposure and which flows require deeper review, evidence, or remediation.
# List enabled payment modules
bin/magento config:show payment
# Review custom modules under app/code for payment method implementations
# Confirm whether card entry occurs on provider-hosted pages, hosted fields, iframes, or Magento-owned forms
Custom checkout template renders fields named card_number and cvv inside Magento.
# Scope likely increased → FAIL
Checkout loads provider-hosted fields and Magento receives only a payment token.
# Reduced exposure → PASS