Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From cybersecurity-skills
Audits systems handling payment card data against PCI DSS v4.0, focusing on scope determination, CHD storage (Req 3), transmission (Req 4), secure SDLC (Req 6), access (Req 7-8), logging (Req 10), testing (Req 11), and program management (Req 12).
npx claudepluginhub briiirussell/cybersecurity-skills --plugin cybersecurity-skillsHow this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills:pci-auditThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
PCI DSS v4.0 (effective March 2025) is the security standard for any environment that stores, processes, or transmits payment card data. Twelve high-level requirements; hundreds of sub-requirements. Most organizations pass or fail on a single decision: **scope**.
Guides PCI DSS compliance planning for payment card handling, covering cardholder data rules, the 12 requirements, scope reduction via tokenization, SAQ selection, and security controls. For e-commerce and payment gateways.
<!-- AUTO-GENERATED by export-plugins.py — DO NOT EDIT -->
Advises on PCI DSS v4.0.1 compliance including CDE scoping, SAQ selection, gap assessments, QSA audits, and remediation roadmaps for payment card data protection.
Share bugs, ideas, or general feedback.
PCI DSS v4.0 (effective March 2025) is the security standard for any environment that stores, processes, or transmits payment card data. Twelve high-level requirements; hundreds of sub-requirements. Most organizations pass or fail on a single decision: scope.
This skill emphasizes scope determination first, then the engineering-relevant requirements. Final compliance attestation (SAQ self-assessment or QSA audit producing an Attestation of Compliance) is a process this skill prepares for — it is not the attestation itself.
Cross-references: crypto-audit for Req 3 / 4 cryptographic detail; iam-audit for Req 7-8; siem-detection for Req 10 logging; dependency-audit and owasp-audit for Req 6 (secure SDLC); incident-triage for Req 12.10 (incident response).
"Scope" in PCI DSS means: the systems that store, process, or transmit cardholder data (CHD), plus systems that can affect the security of those systems (connected-to and security-impacting systems). Everything in scope is subject to all 12 requirements. Everything out of scope is not.
Most PCI failures are scope failures. A system pulled into scope by accident creates years of compliance debt; a system kept out of scope via good architecture saves substantial cost.
For every system in the environment, classify:
| Type | Definition | In scope? |
|---|---|---|
| CDE (Cardholder Data Environment) | Stores, processes, or transmits PAN, expiration, service code, name when paired with PAN, or sensitive authentication data | Yes — full PCI DSS |
| Connected-to | Has direct connectivity to the CDE without compensating segmentation | Yes |
| Security-impacting | Provides security services to the CDE (auth, logging, monitoring, time sync, DNS) | Yes |
| Segmented | No direct connectivity; segmentation validated annually | No |
| Cardholder data flow only as masked / tokenized | The system handles tokens or masked PANs that cannot be reversed without out-of-band access | Usually No, but verify the token type — surrogate tokens reversible by the merchant are still in scope |
Audit step: trace every payment flow end-to-end. Where does the PAN enter the environment, where does it go, where does it stop. Every system the PAN touches is in scope; every system that touches that system without segmentation is also in scope.
The highest-ROI PCI work is usually scope reduction:
A merchant doing 1M transactions/year via Stripe Checkout with no PAN on their servers is radically less in scope than the same merchant taking PANs into their own form and proxying to Stripe. Same merchant; very different audit.
Briefly, because it sets the audit cadence and rigor:
| Level | Volume (Visa) | Validation requirement |
|---|---|---|
| 1 | > 6M transactions/year, or breached merchant of any volume | Annual on-site QSA assessment → AoC |
| 2 | 1M-6M transactions/year | Annual SAQ (self) or QSA assessment (Visa requires QSA from 2024) |
| 3 | 20K-1M e-commerce transactions/year | Annual SAQ |
| 4 | All other | Annual SAQ |
SAQ types (Self-Assessment Questionnaire) match the merchant's CDE shape — SAQ A (fully outsourced e-commerce), SAQ A-EP (e-commerce that does some redirection), SAQ B (terminal only, dial / IP without electronic storage), SAQ C-VT (web-based virtual terminal), SAQ D (everything else, the longest). The right SAQ is the one whose conditions all match your environment.
The default position: do not store PAN. If you must, encrypt at rest and minimize the data retained.
crypto-audit), key rotation, separation of duties on key custodyAudit grep patterns:
pan, card_number, cc_number, cardnum, account_numberpan, cardNumber, regex ^4[0-9]{12,15}$ (Visa), ^5[1-5][0-9]{14}$ (Mastercard), ^3[47][0-9]{13}$ (Amex), ^6(?:011|5[0-9]{2})[0-9]{12}$ (Discover)console\.log.*cardNumber, logger\..*\.pan, log\..*cardIf a Luhn-valid PAN appears anywhere in source, lock files, or logs — that is a finding regardless of intent.
crypto-audit for the configuration detail)This is where the security audit family meets PCI. Most of this requirement is satisfied by running the existing skills:
owasp-audit, api-auditvuln-research, dependency-audit, finding-triageAudit grep patterns:
--no-verify on commits to prod-impacting branches)See iam-audit for the full identity-and-access deep dive.
See iam-audit for implementation patterns and identity-provider integration.
See siem-detection for the engineering implementation; see soc-operations for the review cadence.
See dependency-audit (vulnerability scan), web-pentest (annual app pentest), red-team-engagement (annual offensive engagement for higher levels).
The program-level layer. Engineering inputs:
incident-triage. Tested at least annually# PCI DSS v4.0 Audit Findings
## Merchant: [name]
## Merchant level: [1/2/3/4]
## SAQ type: [A / A-EP / B / C-VT / D / not applicable - Level 1 QSA]
## Date: [date]
## Auditor: [name + qualification]
### Scope determination
- [ ] Payment data flow diagrammed end-to-end
- [ ] CDE explicitly bounded
- [ ] Connected-to systems enumerated
- [ ] Segmentation evidence documented
- [ ] Scope-reduction opportunities identified
### Per-requirement findings
| Req | Compliant? | Findings | Severity |
|-----|------------|----------|----------|
| 3 — Stored CHD | | | |
| 4 — Transmission | | | |
| 6 — Secure SDLC | | | |
| 7 — Access restriction | | | |
| 8 — Authentication | | | |
| 10 — Logging | | | |
| 11 — Testing | | | |
| 12 — Program | | | |
### Per-finding detail
[Title, req reference, severity, location, vulnerable config, remediation, verification]
### Recommended scope reductions (if applicable)
[Hosted payment page, tokenization, network segmentation improvements with effort estimates]
### Compensating controls (if used)
[Each compensating control: control description, what it compensates for, evidence of effectiveness, review cadence]
Disposition rule (Fixed / Deferred / Accepted Risk) per owasp-audit. PCI accepted-risk is heavily disfavored — most "accepted risks" should be Compensating Controls with documented evidence of effectiveness.
incident-triage — PCI breach response has specific timing and notification requirements (acquirer notification typically within 24 hours)pcisecuritystandards.org/document_library