Invicti identified a possible credit card number disclosure.
It is not mandatory for a merchant to require the security code for making a transaction, hence the card is still prone to fraud even if only its number is known to phishers.
We strongly advise you not to expose credit card numbers on your website.
You can search and find all vulnerabilities