Skill

domain-ecommerce:pci-compliance

PCI DSS compliance for e-commerce: compliance levels (SAQ A, SAQ A-EP, SAQ D), cardholder data handling, tokenization (Stripe, Braintree tokens), secure payment forms (iframes, hosted fields), network segmentation, vulnerability scanning, penetration testing, and compliance audit preparation.

Install

npx claudepluginhub rnavarych/alpha-engineer --plugin domain-ecommerce

Tool Access

This skill is limited to using the following tools:

ReadGrepGlobBash

Preview

- Choosing the right PCI compliance level (SAQ A vs. SAQ A-EP vs. SAQ D) for a checkout integration

Supporting Assets

references/cardholder-data-tokenization.mdreferences/network-security-audit.md

SKILL.md

Similar Skills

ui-ux-pro-max

Provides UI/UX resources: 50+ styles, color palettes, font pairings, guidelines, charts for web/mobile across React, Next.js, Vue, Svelte, Tailwind, React Native, Flutter. Aids planning, building, reviewing interfaces.

ui-ux-pro-max

57.6k

context7-mcp

Fetches up-to-date documentation from Context7 for libraries and frameworks like React, Next.js, Prisma. Use for setup questions, API references, and code examples.

context7-plugin

51.8k

market-sizing-analysis

2 files

Calculates TAM/SAM/SOM using top-down, bottom-up, and value theory methodologies for market sizing, revenue estimation, and startup validation.

startup-business-analyst

32.9k

Stats

Parent Repo Stars9

Parent Repo Forks0

Last CommitMar 3, 2026

Actions

View Source View Plugin View on GitHub View README

domain-ecommerce:pci-compliance

When to use

Choosing the right PCI compliance level (SAQ A vs. SAQ A-EP vs. SAQ D) for a checkout integration

Auditing what card data is stored, logged, or transmitted — and what must be eliminated

Implementing tokenization correctly (Stripe, Braintree, Adyen) to keep servers out of PCI scope

Setting up or reviewing secure payment form implementation (iframes, hosted fields, hosted pages)

Designing network segmentation for payment processing systems (VPC, VLAN, firewall rules)

Preparing for quarterly vulnerability scans (ASV) or annual penetration testing

Assembling documentation and evidence for a PCI compliance audit

Core principles

SAQ A is the target — every architectural decision should aim to keep card data off your servers entirely

Never store CVV after auth — not encrypted, not hashed, not "temporarily" — this is a hard PCI DSS requirement

Tokenize client-side, always — the token travels to your server; the raw PAN must never touch it

Network segmentation reduces scope — systems outside the CDE subnet face far fewer requirements

Documentation is the audit — assessors believe what is written and evidenced, not what you remember

Reference Files

references/cardholder-data-tokenization.md — SAQ levels and selection criteria, what can/cannot be stored, tokenization per gateway (Stripe/Braintree/Adyen), iframe and hosted page secure form patterns

references/network-security-audit.md — network segmentation requirements, internal and ASV vulnerability scanning, annual penetration testing, audit documentation and evidence collection

PCI DSS Compliance

When to use

Choosing the right PCI compliance level (SAQ A vs. SAQ A-EP vs. SAQ D) for a checkout integration
Auditing what card data is stored, logged, or transmitted — and what must be eliminated
Implementing tokenization correctly (Stripe, Braintree, Adyen) to keep servers out of PCI scope
Setting up or reviewing secure payment form implementation (iframes, hosted fields, hosted pages)
Designing network segmentation for payment processing systems (VPC, VLAN, firewall rules)
Preparing for quarterly vulnerability scans (ASV) or annual penetration testing
Assembling documentation and evidence for a PCI compliance audit

Core principles

SAQ A is the target — every architectural decision should aim to keep card data off your servers entirely
Never store CVV after auth — not encrypted, not hashed, not "temporarily" — this is a hard PCI DSS requirement
Tokenize client-side, always — the token travels to your server; the raw PAN must never touch it
Network segmentation reduces scope — systems outside the CDE subnet face far fewer requirements
Documentation is the audit — assessors believe what is written and evidenced, not what you remember

Reference Files

references/cardholder-data-tokenization.md — SAQ levels and selection criteria, what can/cannot be stored, tokenization per gateway (Stripe/Braintree/Adyen), iframe and hosted page secure form patterns
references/network-security-audit.md — network segmentation requirements, internal and ASV vulnerability scanning, annual penetration testing, audit documentation and evidence collection