Skill

domain-fintech:fintech-security

Guides fintech security: HSM integration (key generation, signing, encryption), cryptographic key management (BYOK, rotation, key ceremony), PCI DSS for fintech, data encryption (field-level, tokenization), secure multi-party computation, zero-knowledge proofs, and SOC 2 Type II requirements. Use when implementing security controls for financial systems.

Install

npx claudepluginhub rnavarych/alpha-engineer --plugin domain-fintech

Tool Access

This skill is limited to using the following tools:

ReadGrepGlobBash

Preview

- Implementing HSM-backed signing or envelope encryption

Supporting Assets

references/advanced-crypto-compliance.mdreferences/hsm-key-management.mdreferences/pci-dss-encryption.md

SKILL.md

Similar Skills

api-design

Provides REST API design patterns for resource naming, URL structures, HTTP methods/status codes, pagination, filtering, errors, versioning, and rate limiting.

everything-claude-code

156.2k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

everything-claude-code

156.2k

accessibility

Designs, implements, and audits WCAG 2.2 AA accessible UIs for Web (ARIA/HTML5), iOS (SwiftUI traits), and Android (Compose semantics). Audits code for compliance gaps.

everything-claude-code

156.2k

Stats

Parent Repo Stars9

Parent Repo Forks0

Last CommitMar 3, 2026

Actions

View Source View Plugin View on GitHub View README

domain-fintech:fintech-security

When to use

Implementing HSM-backed signing or envelope encryption

Managing cryptographic key lifecycle (rotation, BYOK, key ceremony)

Scoping and implementing PCI DSS controls

Designing tokenization for card data or PII

Evaluating SMPC or ZKP for privacy-preserving financial computations

Preparing for SOC 2 Type II audit evidence collection

Core principles

Keys never leave the HSM boundary in plaintext — envelope encryption; DEKs protect data, HSM protects DEKs

Tokenize at the earliest point — reduce PCI scope before data touches your systems

Defense-in-depth encryption — TDE at rest + FLE at application layer, not one or the other

Rotate on a schedule, not on breach — 90-day symmetric rotation with zero-downtime dual-key period

Automate SOC 2 evidence — continuous control monitoring beats point-in-time manual checks every time

Reference Files

references/hsm-key-management.md — HSM key generation, signing, envelope encryption, cloud HSM options, key lifecycle, BYOK, rotation policy, and key ceremony procedure

references/pci-dss-encryption.md — PCI DSS scope reduction, key requirements (3/4/6/7/8/10/11), tokenization architecture, field-level encryption, encryption at rest and in transit

references/advanced-crypto-compliance.md — SMPC use cases and implementation approaches, ZKP protocols (zk-SNARKs, zk-STARKs, Bulletproofs), SOC 2 Type II trust service criteria and fintech-specific evidence automation

Fintech Security

When to use

Implementing HSM-backed signing or envelope encryption
Managing cryptographic key lifecycle (rotation, BYOK, key ceremony)
Scoping and implementing PCI DSS controls
Designing tokenization for card data or PII
Evaluating SMPC or ZKP for privacy-preserving financial computations
Preparing for SOC 2 Type II audit evidence collection

Core principles

Keys never leave the HSM boundary in plaintext — envelope encryption; DEKs protect data, HSM protects DEKs
Tokenize at the earliest point — reduce PCI scope before data touches your systems
Defense-in-depth encryption — TDE at rest + FLE at application layer, not one or the other
Rotate on a schedule, not on breach — 90-day symmetric rotation with zero-downtime dual-key period
Automate SOC 2 evidence — continuous control monitoring beats point-in-time manual checks every time

Reference Files

references/hsm-key-management.md — HSM key generation, signing, envelope encryption, cloud HSM options, key lifecycle, BYOK, rotation policy, and key ceremony procedure
references/pci-dss-encryption.md — PCI DSS scope reduction, key requirements (3/4/6/7/8/10/11), tokenization architecture, field-level encryption, encryption at rest and in transit
references/advanced-crypto-compliance.md — SMPC use cases and implementation approaches, ZKP protocols (zk-SNARKs, zk-STARKs, Bulletproofs), SOC 2 Type II trust service criteria and fintech-specific evidence automation