Deeplink security issue

Hello, I have a Mendix app result from our security team, and there is a GUID issue with the Mendix app deeplink. Can this be solved?
asked

Check the entity paymentportaldata.

You need to be sure that everything is fine according to your security expectations.
For example, if a user / anonymous user can change some attribute / association of paymentportaldata, this may be a problem. Maybe you only want him to change, or see, the attributes (or associations) of "his" paymentportaldata. If so, you need to create some restriction on the access rule of the entity using an XPath constraint.
If everything is fine on the entity level, then maybe some microflows (as seems to be the case in your Burp screenshot) are used in a way that may be problematic; this security problem is more complicated to fix, as it can be done in different microflows.
But the idea here is to change the logic of your microflow (in the screenshot IVK_payPaynamics): you either need to apply entity access in that microflow, which will make sure that the security that you applied on your entities is applied in the microflow as well, or you can create some decision to make sure that everything works as it should; for example, if the object paymentportaldata is not the one of the current user, then you raise an error.

Hope this helps.

answered
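As an added illustration of the entity-level restriction described in the answer (not part of the original post), an XPath access-rule constraint that limits a role to the paymentportaldata records owned by the logged-in user. The module name `MyModule`, the entity name `PaymentPortalData`, and an association `PaymentPortalData_Account` to the owning `Administration.Account` are assumptions:

```xpath
[MyModule.PaymentPortalData_Account = '[%CurrentUser%]']
```

The constraint goes on the entity's access rule for the user role (with only the needed attribute and association rights), while the anonymous role gets no access rule on the entity at all; microflows that handle the object should then run with "Apply entity access" so this rule is enforced there as well.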