Payment card field value logged
Part of Documentation, UX & Accessibility, which counts for 15% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A print/log call includes a credit-card-number or CVV-named field. Card network rules prohibit retaining a CVV anywhere, including logs, after authorization.
Why it matters
Logging a credit card number, CVV, or other card field puts payment card data into log storage that almost never meets PCI DSS requirements for handling cardholder data, since logs are typically retained longer and shared with more tooling than the payment flow itself was designed for. A CVV should never be stored anywhere, including logs, since card networks prohibit retaining it after authorization. A leaked log file containing card numbers is a direct path to fraud and a compliance violation.
How to fix it
Remove the card field from the log call. If you need to confirm which transaction ran, log the payment processor's transaction id or a masked card number (last four digits only) instead of the raw value, and never log a CVV under any circumstances. Route all real card handling through your payment processor's tokenization so the raw number never reaches your own code, let alone your logs.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo