← Back to Baseline

MB-R085

Payment method scope detection

C12 Third‑party Config Security High

Payment integrations should be classified by how they handle card data, such as hosted redirect, hosted fields, iframe/tokenized fields, direct post, or custom raw card collection. This classification helps identify PCI scope and risk before remediation planning. Detect enabled payment modules, checkout templates, provider SDKs, and custom payment implementations to flag scope-expanding patterns.

Why it Matters

Different payment methods create different PCI and operational risk. Hosted redirects, hosted fields, iframe fields, direct post, and custom raw-card collection do not have the same security implications.

Detecting payment method scope helps teams understand which integrations reduce sensitive data exposure and which flows require deeper review, evidence, or remediation.

Verification Steps

Payment method inventory

# List enabled payment modules
bin/magento config:show payment

# Review custom modules under app/code for payment method implementations

Checkout flow review

# Confirm whether card entry occurs on provider-hosted pages, hosted fields, iframes, or Magento-owned forms

Remediation / Fix Guidance

  1. Document each enabled payment method and its card data flow.
  2. Prefer hosted checkout, hosted fields, iframe/tokenized fields, or provider SDK flows that reduce card data exposure.
  3. Disable unused payment modules.
  4. Escalate direct-post or custom card forms for PCI scope review.
  5. Keep diagrams and provider responsibility notes with release evidence.

Examples

Fail Example
Custom checkout template renders fields named card_number and cvv inside Magento.
# Scope likely increased → FAIL
Pass Example
Checkout loads provider-hosted fields and Magento receives only a payment token.
# Reduced exposure → PASS

References