Critical - PCI DSS Violation
🔴 Exposure of PAN / Credit Card Data
🧠 Description
The application stores, logs, or returns Primary Account Numbers (PAN), card verification values (CVV/CVC), or other cardholder data without the encryption, masking, and storage restrictions that PCI DSS requires. Full PANs in clear text and any retained CVV are the most common findings.
Impact: PCI DSS Violation, Financial Fraud, Legal Liability, Data Breach
🎯 Attack Surface
- Database storing card data
- API responses exposing card numbers
- Logs containing card data
- Backup files
- Email/CSV exports
🛡️ Mitigation (PCI DSS Compliance)
✅ Use tokenization for card storage so the application keeps a token plus the last 4 digits instead of the PAN
✅ Encrypt any PAN that must be stored at rest (AES-256) with keys managed separately from the data (HSM or KMS, not a config file next to the database)
✅ Never store CVV after authorization, in any form, including logs and crash dumps
✅ Mask PAN in displays and logs (show at most the last 4 digits) and redact card data before it reaches log files, backups, or exports
✅ Use compliant payment processors so the full PAN never enters your own systems
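Two of the mitigations above (masking PAN for display and keeping card data out of logs) can be enforced in code. The following Python module is an added example, not code from the page or any particular product: it masks a PAN to its last 4 digits, finds PAN-shaped digit runs in free text, uses the Luhn check to skip numbers that merely look like cards (order IDs, timestamps), and installs a `logging.Filter` so PANs are redacted before a log line is written. The sample log lines and the function names (`mask_pan`, `redact_pans`, `PANRedactingFilter`, `format_through_filter`) are constructed for this illustration; the test card number is the public Visa test PAN, not a real card.

```python
import logging
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run. (Hypothetical pattern for this example.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Real PANs pass this check; most random digit runs do not, which keeps
    redaction from mangling order numbers and timestamps."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display mask: only the last 4 digits stay visible."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13 or len(digits) > 19:
        raise ValueError("not a PAN-length digit string")
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN candidate in text with its masked form."""

    def _replace(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw

    return PAN_CANDIDATE.sub(_replace, text)


class PANRedactingFilter(logging.Filter):
    """Logging filter that redacts PANs after %-formatting, before output."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so PANs passed as args are caught too, then clear args
        # so the handler does not try to format the redacted string again.
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True


def format_through_filter(msg: str, *args) -> str:
    """Run one log call through the filter and return the message text."""
    record = logging.LogRecord("payments", logging.INFO, __file__, 0, msg, args, None)
    PANRedactingFilter().filter(record)
    return record.getMessage()


# Constructed sample log lines for the demonstration; 4111 1111 1111 1111 is
# the public Visa test number and 1234567890123456 is a Luhn-invalid order id.
SAMPLE_LOG_LINES = [
    "2024-05-01 payment failed for card 4111 1111 1111 1111 order 1234567890123456",
    "user 42 updated profile",
]


if __name__ == "__main__":
    logger = logging.getLogger("payments")
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler()
    handler.addFilter(PANRedactingFilter())
    logger.addHandler(handler)
    for line in SAMPLE_LOG_LINES:
        logger.info("%s", line)
    logger.info("declined card %s", "4111111111111111")
```

Attach the filter to every handler that writes to disk or ships logs elsewhere, not to the logger, so records forwarded by other handlers are covered as well. The Luhn check is a false-positive reducer, not a guarantee: a structured field that is known to hold a PAN should be masked explicitly rather than relying on pattern detection.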