pci-compliance

Name: pci-compliance - Agent Skill
Rating: 5.0 (26449 reviews)
Author: wshobson

26,449

Implement PCI DSS compliance requirements for secure handling of payment card data and payment systems. Use when securing payment processing, achieving PCI compliance, or implementing payment card security measures.

Download Folder View on GitHub

CLI Install

Recommended

Use the skills CLI to install this skill with one command. Auto-detects all installed AI assistants.

Method 1 - skills CLI

npx skills i wshobson/agents/plugins/payment-processing/skills/pci-compliance

Method 2 - openskills (supports sync & update)

npx openskills install wshobson/agents

Auto-detects Claude Code, Cursor, Codex CLI, Gemini CLI, and more. One install, works everywhere.

Installation Path

Download and extract to one of the following locations:

~/.claude/skills/pci-compliance/

SKILL.md

Skill Instructions

Back

Run with Cloud Agent

No setup needed. Let our cloud agents run this skill for you.

Select Provider

Select Model

Claude Sonnet 4.5

$0.20/task

Best for coding tasks

No setup required

PCI Compliance

Master PCI DSS (Payment Card Industry Data Security Standard) compliance for secure payment processing and handling of cardholder data.

When to Use This Skill

Building payment processing systems
Handling credit card information
Implementing secure payment flows
Conducting PCI compliance audits
Reducing PCI compliance scope
Implementing tokenization and encryption
Preparing for PCI DSS assessments

PCI DSS Requirements (12 Core Requirements)

Build and Maintain Secure Network

Install and maintain firewall configuration
Don't use vendor-supplied defaults for passwords

Protect Cardholder Data

Protect stored cardholder data
Encrypt transmission of cardholder data across public networks

Maintain Vulnerability Management

Protect systems against malware
Develop and maintain secure systems and applications

Implement Strong Access Control

Restrict access to cardholder data by business need-to-know
Identify and authenticate access to system components
Restrict physical access to cardholder data

Monitor and Test Networks

Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes

Maintain Information Security Policy

Maintain a policy that addresses information security

Compliance Levels

Level 1: > 6 million transactions/year (annual ROC required) Level 2: 1-6 million transactions/year (annual SAQ) Level 3: 20,000-1 million e-commerce transactions/year Level 4: < 20,000 e-commerce or < 1 million total transactions

Data Minimization (Never Store)

# NEVER STORE THESE
PROHIBITED_DATA = {
    'full_track_data': 'Magnetic stripe data',
    'cvv': 'Card verification code/value',
    'pin': 'PIN or PIN block'
}
 
# CAN STORE (if encrypted)
ALLOWED_DATA

Tokenization

Using Payment Processor Tokens

import stripe
 
class TokenizedPayment:
    """Handle payments using tokens (no card data on server)."""
 
    @staticmethod
    def create_payment_method_token(card_details):

Custom Tokenization (Advanced)

import secrets
from cryptography.fernet import Fernet
 
class TokenVault:
    """Secure token vault for card data (if you must store it)."""
 
    def __init__(self, encryption_key):
        self.cipher = Fernet(encryption_key)
        self.vault =

Encryption

Data at Rest

from cryptography.hazmat.primitives.ciphers.aead import AESGCM
import os
 
class EncryptedStorage:
    """Encrypt data at rest using AES-256-GCM."""
 
    def __init__(self, encryption_key):
        """Initialize with 256-bit key."""
        self.key = encryption_key  # Must be 32 bytes

Data in Transit

# Always use TLS 1.2 or higher
# Flask/Django example
app.config['SESSION_COOKIE_SECURE'] = True  # HTTPS only
app.config['SESSION_COOKIE_HTTPONLY'] = True
app.config['SESSION_COOKIE_SAMESITE'] = 'Strict'
 
# Enforce HTTPS
from flask_talisman import Talisman
Talisman(app, force_https=True)

Access Control

from functools import wraps
from flask import session
 
def require_pci_access(f):
    """Decorator to restrict access to cardholder data."""
    @wraps(f)
    def decorated_function(*args, **kwargs):
        user = session.get('user'

Audit Logging

import logging
from datetime import datetime
 
class PCIAuditLogger:
    """PCI-compliant audit logging."""
 
    def __init__(self):
        self.logger = logging.getLogger('pci_audit')

Security Best Practices

Input Validation

import re
 
def validate_card_number(card_number):
    """Validate card number format (Luhn algorithm)."""
    # Remove spaces and dashes
    card_number = re.sub(r'[\s-]', '', card_number)
 
    # Check if all digits
    if not card_number.isdigit():
        return

PCI DSS SAQ (Self-Assessment Questionnaire)

SAQ A (Least Requirements)

E-commerce using hosted payment page
No card data on your systems
~20 questions

SAQ A-EP

E-commerce with embedded payment form
Uses JavaScript to handle card data
~180 questions

SAQ D (Most Requirements)

Store, process, or transmit card data
Full PCI DSS requirements
~300 questions

Compliance Checklist

PCI_COMPLIANCE_CHECKLIST = {
    'network_security': [
        'Firewall configured and maintained',
        'No vendor default passwords',
        'Network segmentation implemented'
    ],
    'data_protection': [
        'No storage of CVV, track data, or PIN',
        'PAN encrypted when stored',
        'PAN masked when displayed'

Resources

references/data-minimization.md: Never store prohibited data
references/tokenization.md: Tokenization strategies
references/encryption.md: Encryption requirements
references/access-control.md: Role-based access
references/audit-logging.md: Comprehensive logging
assets/pci-compliance-checklist.md: Complete checklist
assets/encrypted-storage.py: Encryption utilities
scripts/audit-payment-system.sh: Compliance audit script

Common Violations

Storing CVV: Never store card verification codes
Unencrypted PAN: Card numbers must be encrypted at rest
Weak Encryption: Use AES-256 or equivalent
No Access Controls: Restrict who can access cardholder data
Missing Audit Logs: Must log all access to payment data
Insecure Transmission: Always use TLS 1.2+
Default Passwords: Change all default credentials
No Security Testing: Regular penetration testing required

Reducing PCI Scope

Use Hosted Payments: Stripe Checkout, PayPal, etc.
Tokenization: Replace card data with tokens
Network Segmentation: Isolate cardholder data environment
Outsource: Use PCI-compliant payment processors
No Storage: Never store full card details

By minimizing systems that touch card data, you reduce compliance burden significantly.

'pan': 'Primary Account Number (card number)',

'cardholder_name': 'Name on card',

'expiration_date': 'Card expiration',

'service_code': 'Service code'

"""Safe payment data handling."""

self.prohibited_fields = ['cvv', 'cvv2', 'cvc', 'pin']

def sanitize_log(self, data):

"""Remove sensitive data from logs."""

sanitized = data.copy()

if 'card_number' in sanitized:

card = sanitized['card_number']

sanitized['card_number'] = f"{card[:6]}{'*' * (len(card) - 10)}{card[-4:]}"

# Remove prohibited data

for field in self.prohibited_fields:

sanitized.pop(field, None)

def validate_no_prohibited_storage(self, data):

"""Ensure no prohibited data is being stored."""

for field in self.prohibited_fields:

raise SecurityError(f"Attempting to store prohibited field: {field}")

"""Create token from card details (client-side only)."""

# THIS SHOULD ONLY BE DONE CLIENT-SIDE WITH STRIPE.JS

# NEVER send card details to your server

// Frontend JavaScript

const stripe = Stripe('pk_...');

const {token, error} = await stripe.createToken({

number: '4242424242424242',

// Send token.id to server (NOT card details)

def charge_with_token(token_id, amount):

"""Charge using token (server-side)."""

# Your server only sees the token, never the card number

stripe.api_key = "sk_..."

charge = stripe.Charge.create(

source=token_id, # Token instead of card details

description="Payment"

def store_payment_method(customer_id, payment_method_token):

"""Store payment method as token for future use."""

stripe.Customer.modify(

source=payment_method_token

# Store only customer_id and payment_method_id in your database

# NEVER store actual card details

'customer_id': customer_id,

'has_payment_method': True

# DO NOT store: card number, CVV, etc.

# In production: use encrypted database

def tokenize(self, card_data):

"""Convert card data to token."""

# Generate secure random token

token = secrets.token_urlsafe(32)

encrypted = self.cipher.encrypt(json.dumps(card_data).encode())

# Store token -> encrypted data mapping

self.vault[token] = encrypted

def detokenize(self, token):

"""Retrieve card data from token."""

encrypted = self.vault.get(token)

raise ValueError("Token not found")

decrypted = self.cipher.decrypt(encrypted)

return json.loads(decrypted.decode())

def delete_token(self, token):

"""Remove token from vault."""

self.vault.pop(token, None)

def encrypt(self, plaintext):

# Generate random nonce

nonce = os.urandom(12)

aesgcm = AESGCM(self.key)

ciphertext = aesgcm.encrypt(nonce, plaintext.encode(), None)

# Return nonce + ciphertext

return nonce + ciphertext

def decrypt(self, encrypted_data):

# Extract nonce and ciphertext

nonce = encrypted_data[:12]

ciphertext = encrypted_data[12:]

aesgcm = AESGCM(self.key)

plaintext = aesgcm.decrypt(nonce, ciphertext, None)

return plaintext.decode()

storage = EncryptedStorage(os.urandom(32))

encrypted_pan = storage.encrypt("4242424242424242")

# Store encrypted_pan in database

# Check if user has PCI access role

if not user or 'pci_access' not in user.get('roles', []):

return {'error': 'Unauthorized access to cardholder data'}, 403

# Log access attempt

action='access_cardholder_data',

return f(*args, **kwargs)

return decorated_function

@app.route('/api/payment-methods')

def get_payment_methods():

"""Retrieve payment methods (restricted access)."""

# Only accessible to users with pci_access role

# Configure to write to secure, append-only log

def log_access(self, user_id, resource, action, result):

"""Log access to cardholder data."""

'timestamp': datetime.utcnow().isoformat(),

'resource': resource,

'ip_address': request.remote_addr

self.logger.info(json.dumps(entry))

def log_authentication(self, user_id, success, method):

"""Log authentication attempt."""

'timestamp': datetime.utcnow().isoformat(),

'event': 'authentication',

'ip_address': request.remote_addr

self.logger.info(json.dumps(entry))

audit = PCIAuditLogger()

audit.log_access(user_id=123, resource='payment_methods', action='read', result='success')

def luhn_checksum(card_num):

return [int(d) for d in str(n)]

digits = digits_of(card_num)

odd_digits = digits[-1::-2]

even_digits = digits[-2::-2]

checksum = sum(odd_digits)

for d in even_digits:

checksum += sum(digits_of(d * 2))

return checksum % 10

return luhn_checksum(card_number) == 0

def sanitize_input(user_input):

"""Sanitize user input to prevent injection."""

# Remove special characters

# Validate against expected format

# Escape for database queries

'Encryption keys properly managed'

'vulnerability_management': [

'Anti-virus installed and updated',

'Secure development practices',

'Regular security patches',

'Vulnerability scanning performed'

'Access restricted by role',

'Unique IDs for all users',

'Multi-factor authentication',

'Physical security measures'

'Audit logs enabled',

'Log review process',

'File integrity monitoring',

'Regular security testing'

'Security policy documented',

'Risk assessment performed',

'Security awareness training',

'Incident response plan'