Login Start Free Trial Login Start Free Trial
 

HawkScan Test Info for Information Leak - Credit Card Number

HawkScan Test Info for Information Leak - Credit Card Number

Information Leak - Credit Card Number

Reference

Plugin Id: 100008 | CWE: 311

Resource

Remediation

To remediate credit card number exposure in HTTP responses:

  1. Never transmit full credit card numbers: Use tokenization services provided by payment processors (Stripe, PayPal, etc.) to avoid handling raw credit card data.

  2. Implement PCI DSS requirements: Follow Payment Card Industry Data Security Standard (PCI DSS) requirements for handling cardholder data:
    • Never store full card numbers in databases or logs
    • Use strong encryption for stored card data
    • Mask card numbers (show only last 4 digits)
    • Implement proper access controls
  3. Audit all response paths: Review all HTTP responses including:
    • API responses
    • Web pages and forms
    • JavaScript files
    • Error messages and logs
    • Debug output
    • Database dumps
  4. Use secure payment integrations: Implement payment solutions that handle card data on the payment processor’s servers (e.g., Stripe Elements, PayPal Checkout) to avoid your application ever receiving full card numbers.

About

This scanner detects credit card numbers for major card types in HTTP response bodies:

  • Visa and Mastercard (16 digits starting with 3-5)
  • American Express (15 digits starting with 34 or 37)
  • Discover (16 digits starting with 6011)
  • Diners Club (14 digits starting with 300-305 or 36)
  • JCB (15-16 digits starting with 2131, 1800, or 35)

All detected numbers are validated using the Luhn algorithm (also known as the “modulus 10” algorithm) to reduce false positives. Credit card number exposure represents a critical security vulnerability as it can lead to financial fraud, identity theft, and severe regulatory penalties.

Exposing credit card numbers violates PCI DSS requirements and may result in fines, loss of payment processing privileges, legal liability, and reputational damage.

Risks

The risks associated with credit card number disclosure include:

  • Financial fraud: Exposed credit card numbers can be used for unauthorized purchases, leading to direct financial loss for cardholders and merchants.

  • PCI DSS violations: Exposure of cardholder data violates PCI DSS requirements, potentially resulting in:
    • Fines up to $100,000 per month
    • Loss of ability to process credit card payments
    • Increased transaction fees
    • Mandatory security audits

  • Legal liability: Organizations may face lawsuits from affected customers and regulatory actions from financial institutions.

  • Reputational damage: Credit card breaches severely damage customer trust and brand reputation, often resulting in customer loss.

  • Identity theft: Credit card numbers combined with other personal information can facilitate identity theft.