Baseline profile

PCI-aware Checks for Magento Checkout and Payment Flows

Magebean helps Magento teams review payment-related security signals that support PCI DSS readiness planning.

These checks do not certify PCI compliance. Instead, they help identify technical risks around checkout pages, payment integrations, cardholder data exposure, browser-side scripts, admin access, logging, and transport security.

What this profile checks

The PCI-aware profile focuses on Magento areas that can affect payment security and PCI DSS readiness.

Payment data exposure

Magebean checks whether raw cardholder data may be present in unsafe locations.

Examples:

- Raw card numbers in database tables
- CVV or payment payloads in logs
- Card data in export files or backups
- Custom checkout code collecting raw card data

Relevant finding examples:

MB-R082 No PAN, CVV, or track data stored in database
MB-R083 No cardholder data in files, exports, or backups
MB-R084 No cardholder data in application logs
MB-R086 No raw card collection in Magento checkout
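The log check behind MB-R084 is essentially pattern matching with a false-positive filter: a 16-digit transaction reference looks like a card number until the Luhn check digit rules it out, and a security code only shows up next to a recognisable field name. The following is an added illustration of that logic, not Magebean's own code; the log excerpt is constructed, the CVV field-name list is an assumption, and the report masks everything but the last four digits so the scan output does not itself become a cardholder-data location.

```python
import re
from dataclasses import dataclass

# Constructed sample log excerpt (not from any real store). Line 1 carries a
# Luhn-valid test PAN with spaces, line 2 a raw gateway payload with PAN and
# CVV fields, lines 3 and 4 carry long digit runs that are NOT card numbers.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z checkout.INFO: quote 4111 1111 1111 1111 saved for order 100000045
2024-05-01T10:00:02Z payment.DEBUG: gateway request {"cc_number":"5555555555554444","cc_cid":"123"}
2024-05-01T10:00:03Z payment.INFO: order 100000045 captured, txn 9876543210123456
2024-05-01T10:00:04Z cron.INFO: indexer run finished in 1234567890123 ms
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (the lookarounds stop partial matches).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names under which a security code is commonly serialised, followed by
# a 3- or 4-digit value. The key list is an assumption; extend it per gateway.
CVV_FIELD = re.compile(
    r"""\b(?:cvv2?|cvc2?|cc_cid|cid|security_code)\b["']?\s*[:=]\s*["']?(\d{3,4})(?!\d)""",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str    # "PAN" or "CVV"
    masked: str  # never the raw value; last four digits at most
    rule: str    # finding id from the profile above


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; drops order ids and transaction refs that merely look like PANs."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report does not leak the PAN it found."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per PAN or CVV occurrence, tagged with its line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(line_no, "PAN", mask(digits), "MB-R084"))
        for _ in CVV_FIELD.finditer(line):
            findings.append(Finding(line_no, "CVV", "***", "MB-R084"))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[CRITICAL] {f.rule} line {f.line_no}: {f.kind} {f.masked}")
```

On the constructed excerpt, lines 1 and 2 are reported (two PANs and one CVV) while the transaction reference on line 3 and the millisecond count on line 4 are rejected by the Luhn check. A real deployment would run this over rotated logs and log aggregator exports as well, since MB-R083 treats those as in scope too.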

Checkout page script security

Magebean reviews payment-page script exposure and integrity signals.

Examples:

- Third-party scripts loaded on checkout
- Missing payment-page script inventory
- Weak script allowlist
- Missing CSP enforcement
- Missing tamper monitoring readiness

Relevant finding examples:

MB-R087 Payment page script inventory maintained
MB-R088 Payment page script allowlist and integrity controls
MB-R089 Checkout Content Security Policy enforced
MB-R090 Payment page tamper monitoring readiness
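The script-inventory, allowlist and CSP points above (MB-R087 to MB-R089) can be checked together from the checkout response headers: a policy that is only report-only blocks nothing, a script-src that contains `*`, `'unsafe-inline'` or a bare scheme is not an allowlist, and any script host the policy permits should appear in the team's documented inventory. The code below is an added example of that evaluation, not Magebean's implementation; the three header sets, the inventory and the gateway host `js.example-gateway.test` are constructed placeholders, and the nonce value is a stand-in for a per-response random value.

```python
# Constructed checkout response headers for three variants of the same store
# (placeholders, not captured from a real site). The gateway host is an assumption.
INVENTORY = {"js.example-gateway.test"}  # hosts documented as expected on the payment page

REPORT_ONLY_HEADERS = {
    "Content-Security-Policy-Report-Only": "default-src 'self'; script-src 'self'",
}
PERMISSIVE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' * 'unsafe-inline' https://cdn.unlisted.test; "
        "object-src 'none'"
    ),
}
HARDENED_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' 'nonce-PLACEHOLDER' https://js.example-gateway.test; "
        "frame-src https://js.example-gateway.test; "
        "object-src 'none'; base-uri 'self'"
    ),
}

# Sources that turn script-src into a non-allowlist. 'unsafe-inline' is ignored by
# browsers when a nonce or hash is present, but its presence still marks a policy
# that relies on it for older clients.
WEAK_SCRIPT_SOURCES = ("*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:")
SCHEME_ONLY = {"http:", "https:", "data:", "blob:", "*"}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}; directive names are case-insensitive."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def host_of(source: str) -> str:
    """'https://js.example.test/path' -> 'js.example.test'."""
    return source.split("//", 1)[-1].split("/", 1)[0].lower()


def evaluate_checkout_csp(headers: dict[str, str], inventory: set[str]) -> list[str]:
    """Return human-readable issues for a checkout response; an empty list means no finding."""
    issues: list[str] = []
    lowered = {k.lower(): v for k, v in headers.items()}
    enforced = lowered.get("content-security-policy")
    if enforced is None:
        if "content-security-policy-report-only" in lowered:
            issues.append("CSP is report-only: violations are reported but no script is blocked")
        else:
            issues.append("no Content-Security-Policy header on the checkout response")
        return issues
    csp = parse_csp(enforced)
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        return ["neither script-src nor default-src set: any script source is allowed"]
    if "script-src" not in csp:
        issues.append("script-src not set; checkout scripts inherit default-src")
    for weak in WEAK_SCRIPT_SOURCES:
        if weak in script_src:
            issues.append(f"script-src allows {weak}")
    # Every host the policy permits to run script must be in the documented inventory.
    for src in script_src:
        if src.startswith("'") or src in SCHEME_ONLY:
            continue
        if host_of(src) not in inventory:
            issues.append(f"script host not in payment-page inventory: {host_of(src)}")
    if csp.get("object-src") != ["'none'"]:
        issues.append("object-src is not 'none'")
    return issues


if __name__ == "__main__":
    for name, hdrs in (("report-only", REPORT_ONLY_HEADERS),
                       ("permissive", PERMISSIVE_HEADERS),
                       ("hardened", HARDENED_HEADERS)):
        print(name, evaluate_checkout_csp(hdrs, INVENTORY) or ["no issues"])
```

The hardened variant yields no issues; the permissive one reports the wildcard, the inline allowance and the host missing from the inventory; the report-only variant is flagged even though its directives look strict, because a policy that is never enforced does not constrain what runs on the payment page.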

Payment method scope detection

Magebean helps identify how payment methods interact with card data.

Examples:

- Hosted redirect
- Hosted fields
- Iframe/tokenized fields
- Direct post
- Custom raw card collection

This helps teams understand whether the implementation may increase PCI scope.

Webhook and payment callback hardening

Magebean checks whether payment callbacks and webhooks are protected against spoofing or replay risks.

Examples:

- Missing webhook signature validation
- Missing timestamp or replay-window checks
- Weak payment callback authentication
- Insecure payment state updates
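The four gaps listed above map to four checks a callback handler should make, in order: authenticate the message before parsing it, bound how old a signed message may be, refuse an event id that has already been processed, and only change order state when the callback agrees with what the shop already knows about the order. The following is an added example of a receiver that does all four, written in Python to keep it language-neutral; it is not Magebean code or any gateway's SDK. The header names, the `timestamp.body` signing input, the five-minute window and the sample order are all assumptions or constructed values, and a real integration follows its gateway's documented scheme instead.

```python
import hashlib
import hmac
import json
from decimal import Decimal, InvalidOperation

# Assumptions, not any real gateway's scheme: header names, the "timestamp.body"
# signing input and the tolerance window are placeholders for illustration.
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
REPLAY_WINDOW_SECONDS = 300

SECRET = b"constructed-shared-secret"  # constructed; real secrets live in config, never in code
SAMPLE_BODY = json.dumps({
    "event_id": "evt_0001",
    "order_id": "100000045",
    "amount": "49.90",
    "currency": "USD",
    "status": "captured",
}).encode()


def new_orders() -> dict[str, dict]:
    """Constructed order store: what the shop believes about the order before the callback."""
    return {"100000045": {"amount": "49.90", "currency": "USD", "state": "pending_payment"}}


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over timestamp.body, so the timestamp is covered by the signature too."""
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


def make_headers(secret: bytes, timestamp: int, body: bytes) -> dict[str, str]:
    """Sender side (constructed): the headers a well-behaved gateway would attach."""
    ts = str(timestamp)
    return {TS_HEADER: ts, SIG_HEADER: compute_signature(secret, ts, body)}


def verify_webhook(secret: bytes, headers: dict[str, str], body: bytes,
                   now: int, seen_event_ids: set[str]) -> tuple[bool, str]:
    """Receiver side: authenticate, bound the replay window, reject duplicate events."""
    ts = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER)
    if ts is None or sig is None:
        return False, "missing signature headers"
    if not ts.isdigit():
        return False, "malformed timestamp"
    if abs(now - int(ts)) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    # Constant-time comparison, and verification happens before the untrusted body is parsed.
    if not hmac.compare_digest(compute_signature(secret, ts, body), sig):
        return False, "signature mismatch"
    try:
        event = json.loads(body)
    except json.JSONDecodeError:
        return False, "body is not JSON"
    event_id = event.get("event_id")
    if not isinstance(event_id, str) or not event_id:
        return False, "missing event_id"
    if event_id in seen_event_ids:      # same signed message delivered twice
        return False, "replayed event_id"
    seen_event_ids.add(event_id)
    return True, "ok"


def apply_payment_event(event: dict, orders: dict) -> tuple[bool, str]:
    """Change order state only when the callback matches the order the shop already holds."""
    order = orders.get(event.get("order_id"))
    if order is None:
        return False, "unknown order"
    try:
        same_amount = Decimal(str(event.get("amount"))) == Decimal(order["amount"])
    except InvalidOperation:
        same_amount = False
    if not same_amount or event.get("currency") != order["currency"]:
        return False, "amount or currency does not match order"
    if event.get("status") != "captured":
        return False, "unhandled status"
    if order["state"] != "pending_payment":
        return False, "order not awaiting payment"
    order["state"] = "processing"
    return True, "order marked processing"


if __name__ == "__main__":
    now, seen, orders = 1_700_000_000, set(), new_orders()
    headers = make_headers(SECRET, now, SAMPLE_BODY)
    print(verify_webhook(SECRET, headers, SAMPLE_BODY, now, seen))          # (True, 'ok')
    print(verify_webhook(SECRET, headers, SAMPLE_BODY, now, seen))          # replay rejected
    print(apply_payment_event(json.loads(SAMPLE_BODY), orders), orders)
```

The amount and currency comparison is what closes the "insecure payment state updates" gap: a correctly signed callback for a one-dollar capture must not mark a fifty-dollar order as paid, and the state guard stops a second valid capture from re-processing an order that already moved on.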

Admin, HTTPS, cookies, and headers

Magebean also reviews supporting controls that matter for payment environments.

Examples:

- Admin 2FA
- Strong admin password policy
- HTTPS enforcement
- Secure cookie flags
- HSTS
- Security headers
- Sensitive data not logged

Sample command

./magebean.phar scan --path=/var/www/magento --profile=pci

# Or from the project root
./magebean.phar scan --path=. --profile=pci

Example output

Magebean Security Scan
Profile: PCI-aware
Target: /var/www/magento

Findings:
  [CRITICAL] MB-R084 Cardholder data pattern detected in application logs
  [HIGH] MB-R089 Checkout CSP is missing or incomplete
  [HIGH] MB-R087 Payment page script inventory not found
  [MEDIUM] MB-R093 PCI manual evidence checklist not found

What to do with findings

PCI-aware findings should be treated as readiness signals.

  1. Confirm whether raw cardholder data is present.
  2. Remove or tokenize unsafe payment data.
  3. Review checkout scripts and payment-page behavior.
  4. Harden CSP, webhook validation, cookies, and admin access.
  5. Document manual PCI evidence where automation cannot prove compliance.
  6. Re-run Magebean and keep the report for internal review.

Important note

Magebean does not certify PCI DSS compliance. It provides automated technical checks and readiness signals that support PCI scoping and review.

Good fit for

  • Magento merchants preparing for PCI review
  • Agencies maintaining checkout-heavy stores
  • Teams reviewing payment integrations
  • Developers validating custom checkout code
  • Technical leads documenting payment security posture

PCI readiness starts with visibility

Payment security is not only about the payment gateway. It also depends on scripts, logs, admin access, checkout code, webhooks, configuration, and operational evidence.

Magebean helps Magento teams find these risks early, before they become audit blockers or production incidents.