MB-R086
Magento custom checkout code must not collect raw card numbers, CVV, magnetic stripe data, or equivalent sensitive authentication data unless the store is explicitly designed and assessed for that scope. Search templates, JavaScript, controllers, GraphQL handlers, and API payloads for direct card collection patterns. Prefer hosted payment pages, hosted fields, tokenization, and payment provider SDKs that reduce PCI scope.
Custom checkout code that collects card numbers or CVV inside Magento can pull the store into much heavier PCI scope. It also creates a direct target for skimming, logging mistakes, and unsafe persistence.
Magento checkout should delegate raw card entry to validated provider components whenever possible.
grep -RIE "(card_number|cc_number|cvv|cvc|expiry|expiration)" app/code app/design 2>/dev/null
grep -RIE "(cardNumber|cc_number|cvv|cvc)" app/code 2>/dev/null
# Expected: no custom raw-card handling in Magento code
<input name="card_number" />
<input name="cvv" />
# Magento collects raw card data → FAIL
provider.mountHostedFields("#payment-container");
# Provider collects card data and returns token → PASS