← Back to Baseline

MB-R086

No raw card collection in Magento checkout

C03 Secure Coding Practices Critical

Magento custom checkout code must not collect raw card numbers, CVV, magnetic stripe data, or equivalent sensitive authentication data unless the store is explicitly designed and assessed for that scope. Search templates, JavaScript, controllers, GraphQL handlers, and API payloads for direct card collection patterns. Prefer hosted payment pages, hosted fields, tokenization, and payment provider SDKs that reduce PCI scope.

Why it Matters

Custom checkout code that collects card numbers or CVV inside Magento can pull the store into much heavier PCI scope. It also creates a direct target for skimming, logging mistakes, and unsafe persistence.

Magento checkout should delegate raw card entry to validated provider components whenever possible.

Verification Steps

Template and JavaScript scan

grep -RIE "(card_number|cc_number|cvv|cvc|expiry|expiration)" app/code app/design 2>/dev/null

Controller/API scan

grep -RIE "(cardNumber|cc_number|cvv|cvc)" app/code 2>/dev/null
# Expected: no custom raw-card handling in Magento code

Remediation / Fix Guidance

  1. Remove custom raw-card fields from Magento templates, JavaScript, controllers, and APIs.
  2. Use hosted payment pages, hosted fields, iframe components, or tokenized provider SDKs.
  3. Verify raw card data is not sent to Magento endpoints.
  4. Clean up logs, exports, and database fields created by old direct collection flows.
  5. Document the accepted payment architecture.

Examples

Fail Example
<input name="card_number" />
<input name="cvv" />
# Magento collects raw card data → FAIL
Pass Example
provider.mountHostedFields("#payment-container");
# Provider collects card data and returns token → PASS

References