Worldpay-Magento2-CG
Raw credit card data is being included in the HTTP request body alongside encrypted data when client-side encryption is enabled in the Magento 2 module.
Environment:
- Module "sapient/module-worldpay" version 2.4.5-p10123
- Type of the credit card form integration: Direct
Preconditions:
A. In the Adobe Commerce admin panel navigate to Stores -> Configuration -> Sales -> WorldPay -> Credit Cards
B. Set Client Side Encryption Enabled to “Yes”
C. Save configurations and flush cache
Steps to reproduce
- On the Adobe Commerce storefront add a product to cart
- Proceed to checkout
- On payment step open browser console > network tab
- Place order
- Pay attention to the payload sent to /rest/default/V1/carts/mine/payment-information endpoint
Actual Result:
When client-side encryption is activated, the HTTP request body contains both encrypted data and raw credit card information, potentially exposing sensitive cardholder data:
Expected Result:
The HTTP request body, when client-side encryption is enabled, should solely contain encrypted data without any inclusion of raw credit card information. This ensures the secure handling of sensitive credit card data and compliance with data protection standards.
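A check that can be run against the request body captured in the network tab to confirm the expected result, as an added example that is not part of the original report or the module's code. The field names and values in the two sample bodies are constructed for illustration and are not taken from the module.

```javascript
// Luhn checksum: true when a digit string is a structurally valid card number.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Walk a parsed request body and return the JSON path of every value that
// looks like a clear-text PAN: 13-19 digits (spaces/dashes allowed), Luhn-valid.
// Other all-digit values (ids, timestamps) can match by chance; review each hit.
function findRawPans(node, path = '$', hits = []) {
  if (node !== null && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) {
      const child = Array.isArray(node) ? `${path}[${k}]` : `${path}.${k}`;
      findRawPans(v, child, hits);
    }
  } else if (typeof node === 'string' || typeof node === 'number') {
    const s = String(node);
    if (/^[\d -]+$/.test(s)) {
      const digits = s.replace(/[ -]/g, '');
      if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
        hits.push(path);
      }
    }
  }
  return hits;
}

// Constructed sample bodies (hypothetical field names, public test card number).
const leakyBody = {
  paymentMethod: {
    method: 'hypothetical_cc',
    additional_data: {
      cc_number: '4111 1111 1111 1111',
      encrypted_data: 'constructed-ciphertext-placeholder'
    }
  }
};
const cleanBody = {
  paymentMethod: {
    method: 'hypothetical_cc',
    additional_data: { encrypted_data: 'constructed-ciphertext-placeholder' }
  }
};

console.log(findRawPans(leakyBody)); // paths that still carry a raw card number
console.log(findRawPans(cleanBody)); // empty when only encrypted data is sent
```

An empty result is what the expected behaviour above should produce when client-side encryption is enabled.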