[Bug]: [V10] cardBin and other card attributes missing → breaks fraud payloads

[f123248]

Description

After upgrading the Adyen Magento plugin, the card BIN and some card metadata are no longer available in the payment’s additional_information. Our fraud adapters rely on these fields to build the payment_details payload

Steps to reproduce

Install/upgrade to the 10.4.0 Adyen Magento plugin (version below).

Enable Adyen Credit Card (Checkout API), 3DS on or off (both reproduce).

Place an order with a test card (e.g., MC).

Inspect sales_order_payment.additional_information and/or the fraud payload constructed after order placement/notification.

Observe that BIN/expiry/issuer fields are not present.

{
  "guestEmail": "xxx@xxx.com",
  "method_title": "Credit or Debit Card",
  "3dActive": false,
  "pspReference": "xxx",
  "adyen_avs_result": "1 Address matches, postal code doesn't",
  "adyen_cvc_result": "1 Matches",
  "adyen_refusal_reason_raw": "xxx",
  "adyen_acquirer_reference": "xxx",
  "adyen_auth_code": "xxx",
  "payment_method": "visa"
}

Actual behavior

additionalData in the authorization/notification no longer contains cardBin, expiryDate, issuerCountry.
Fraud payload is missing credit_card_bin and related attributes.

Expected behavior

The plugin should continue to expose a stable BIN field and basic card metadata so merchants can forward them to fraud services.

Code snippet or screenshots (if applicable)

Bring back below code from vendor/adyen/module-payment/Helper/Webhook.php

        if (isset($additionalData['cardBin'])) {
            $payment->setAdditionalInformation('adyen_card_bin', $additionalData['cardBin']);
        }
        if (isset($additionalData['expiryDate'])) {
            $payment->setAdditionalInformation('adyen_expiry_date', $additionalData['expiryDate']);
        }
        if (isset($additionalData['issuerCountry'])) {
            $payment
                ->setAdditionalInformation('adyen_issuer_country', $additionalData['issuerCountry']);
        }

Adyen Magento Plugin version

10.4.0

Magento version

2.4.8-p2

Operating System

Linux

Browser (if applicable)

No response

Additional context and logs

Please check my fix patch for more detail

diff --git a/vendor/adyen/module-payment/Helper/Webhook.php b/vendor/adyen/module-payment/Helper/Webhook.php
index a883d23..b930017 100644
--- a/vendor/adyen/module-payment/Helper/Webhook.php
+++ b/vendor/adyen/module-payment/Helper/Webhook.php
@@ -408,6 +408,16 @@ class Webhook
         if (isset($additionalData['authCode'])) {
             $payment->setAdditionalInformation('adyen_auth_code', $additionalData['authCode']);
         }
+        if (isset($additionalData['cardBin'])) {
+            $payment->setAdditionalInformation('adyen_card_bin', $additionalData['cardBin']);
+        }
+        if (isset($additionalData['expiryDate'])) {
+            $payment->setAdditionalInformation('adyen_expiry_date', $additionalData['expiryDate']);
+        }
+        if (isset($additionalData['issuerCountry'])) {
+            $payment
+                ->setAdditionalInformation('adyen_issuer_country', $additionalData['issuerCountry']);
+        }
         $payment->setAdyenPspReference($notification->getPspreference());
         $payment->setAdditionalInformation('pspReference', $notification->getPspreference());
 

adyen-card-bin-additional-data-fix.patch

[candemiralp]

Hello @f123248,

Thank you for creating this issue. As you mentioned, the fields not consumed by the plugin are not stored in the database anymore #2981. The reason behind this clean-up is to prevent database bloat and potential compliance issues.

So that, cardBin, expiryDate and issuerCountry fields from the additionalData are not stored anymore. Besides, the fields indicated here are removed from the additional_information after processing the webhooks.

Our policy for data storage is that only the relevant information should be stored (temporarily if possible) and all the other fields should be removed if they are not consumed by the plugin later. If any custom logic including the fraud check depends on these fields, storing and managing the lifecycle of the required fields is the responsibility of the third-party customizing the plugin. Also, considering the plugin is being used by many merchants, storing the data not being used does not make sense for them.

However, if you feel like these three fields are absolutely necessary for the majority of plugin users, we are ready to discuss any improvement on this matter.

Best Regards,
Can

[candemiralp]

Closing this ticket due to no activity.