Skills pci-compliance
🔒

pci-compliance

Safe

Implement PCI DSS Compliance

This skill provides guidance on implementing PCI DSS requirements for secure payment processing. It covers encryption, tokenization, access controls, and audit logging to help achieve and maintain payment card industry compliance.

Supports: Claude Codex Code(CC)
📊 71 Adequate
1

Download the skill ZIP

2

Upload in Claude

Go to Settings → Capabilities → Skills → Upload skill

3

Toggle on and start using

Test it

Using "pci-compliance". What data should never be stored for PCI compliance?

Expected outcome:

  • PROHIBITED DATA (Never Store):
  • - Full track data (magnetic stripe data)
  • - CVV/CVC/CVV2 (card verification code)
  • - PIN or PIN block
  •  
  • ALLOWED DATA (If Encrypted):
  • - PAN (Primary Account Number/card number)
  • - Cardholder name
  • - Expiration date
  • - Service code

Using "pci-compliance". What are the PCI compliance levels?

Expected outcome:

  • PCI DSS Compliance Levels (Based on Annual Transactions):
  •  
  • Level 1: Over 6 million transactions/year
  • - Required: Annual Report on Compliance (ROC)
  • - Must use Qualified Security Assessor (QSA)
  •  
  • Level 2: 1-6 million transactions/year
  • - Required: Annual Self-Assessment Questionnaire (SAQ)
  •  
  • Level 3: 20,000-1 million e-commerce transactions/year
  • - Required: Annual SAQ
  •  
  • Level 4: Under 20,000 e-commerce or under 1 million total
  • - Required: Annual SAQ

Security Audit

Safe
v5 • 1/21/2026

Educational PCI DSS compliance skill. All static findings are false positives. The skill provides documentation and code examples for implementing payment card security requirements. No actual vulnerable code or malicious patterns present.

2
Files scanned
935
Lines analyzed
0
findings
5
Total audits
No security issues found
Audited by: claude View Audit History →

Quality Score

38
Architecture
100
Maintainability
87
Content
29
Community
100
Security
91
Spec Compliance

What You Can Build

Payment System Development

Developers building payment processing systems use this skill to implement secure data handling, encryption, and access controls that meet PCI DSS requirements.

Compliance Preparation

Security engineers preparing for PCI DSS assessments use this skill to understand requirements, identify gaps, and implement necessary controls.

Code Review for Payment Apps

Code reviewers auditing payment applications use this skill to verify proper handling of cardholder data, encryption implementation, and audit logging.

Try These Prompts

PCI DSS Requirements Overview 
What are the 12 core PCI DSS requirements? Provide a summary of each requirement category for implementing payment card security.
Card Data Encryption 
Show me how to encrypt stored cardholder data (PAN) using AES-256-GCM in Python. Include key generation, encryption, and decryption.
Tokenization Strategy 
Explain how to implement tokenization for payment cards. Show code examples for creating payment method tokens and storing them instead of actual card numbers.
Access Control Implementation 
How do I implement role-based access control for payment data endpoints in a web application? Show a Python Flask decorator example.

Best Practices

  • Never store CVV, track data, or PIN - these must be rejected at input and never persisted
  • Use tokenization to replace card numbers with reversible tokens, eliminating card data from your systems
  • Implement encryption using AES-256-GCM or equivalent strong cryptography for stored cardholder data

Avoid

  • Storing full card numbers in plaintext or with weak encryption
  • Logging card numbers or sensitive payment data without masking
  • Using default passwords or vendor-supplied credentials for payment systems

Frequently Asked Questions

What is the minimum encryption strength for PCI DSS?
PCI DSS requires strong cryptography including AES-256 or equivalent. Encryption must use industry-standard algorithms with strong key management practices.
Can I use a hosted payment page to reduce compliance scope?
Yes, using hosted payment pages (like Stripe Checkout or PayPal) where card data never touches your servers significantly reduces PCI scope to SAQ A.
What is the difference between SAQ A and SAQ D?
SAQ A is for merchants using fully outsourced payment handling with minimal requirements. SAQ D is for organizations that store, process, or transmit card data with full PCI DSS requirements.
Do I need to encrypt card data in transit?
Yes, PCI DSS requires encryption (TLS 1.2 or higher) for all transmission of cardholder data across public networks.
How long must I retain audit logs for PCI compliance?
PCI DSS requires retaining audit logs for at least one year, with 90 days immediately accessible and the remaining 9 months in archive.
What access controls are required for cardholder data?
PCI DSS requires unique user IDs, role-based access control, least-privilege principles, and multi-factor authentication for remote access to cardholder data environments.

Developer Details

Author

wshobson

License

MIT

Repository

https://github.com/wshobson/agents/tree/main/plugins/payment-processing/skills/pci-compliance

Ref

main

File structure

📄 SKILL.md