How Pci Compliance fits into a Paperclip company.

Pci Compliance drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.
SaaS FactoryPaired
Pre-configured AI company — 18 agents, 18 skills, one-time purchase.
$27$59
Explore pack
Source file
SKILL.md448 linesmarkdown
Expand
1---2name: pci-compliance3description: Implement PCI DSS compliance requirements for secure handling of payment card data and payment systems. Use when securing payment processing, achieving PCI compliance, or implementing payment card security measures.4---5 6# PCI Compliance7 8Master PCI DSS (Payment Card Industry Data Security Standard) compliance for secure payment processing and handling of cardholder data.9 10## When to Use This Skill11 12- Building payment processing systems13- Handling credit card information14- Implementing secure payment flows15- Conducting PCI compliance audits16- Reducing PCI compliance scope17- Implementing tokenization and encryption18- Preparing for PCI DSS assessments19 20## PCI DSS Requirements (12 Core Requirements)21 22### Build and Maintain Secure Network23 241. Install and maintain firewall configuration252. Don't use vendor-supplied defaults for passwords26 27### Protect Cardholder Data28 293. Protect stored cardholder data304. Encrypt transmission of cardholder data across public networks31 32### Maintain Vulnerability Management33 345. Protect systems against malware356. Develop and maintain secure systems and applications36 37### Implement Strong Access Control38 397. Restrict access to cardholder data by business need-to-know408. Identify and authenticate access to system components419. Restrict physical access to cardholder data42 43### Monitor and Test Networks44 4510. Track and monitor all access to network resources and cardholder data4611. Regularly test security systems and processes47 48### Maintain Information Security Policy49 5012. Maintain a policy that addresses information security51 52## Compliance Levels53 54**Level 1**: > 6 million transactions/year (annual ROC required)55**Level 2**: 1-6 million transactions/year (annual SAQ)56**Level 3**: 20,000-1 million e-commerce transactions/year57**Level 4**: < 20,000 e-commerce or < 1 million total transactions58 59## Data Minimization (Never Store)60 61```python62# NEVER STORE THESE63PROHIBITED_DATA = {64    'full_track_data': 'Magnetic stripe data',65    'cvv': 'Card verification code/value',66    'pin': 'PIN or PIN block'67}68 69# CAN STORE (if encrypted)70ALLOWED_DATA = {71    'pan': 'Primary Account Number (card number)',72    'cardholder_name': 'Name on card',73    'expiration_date': 'Card expiration',74    'service_code': 'Service code'75}76 77class PaymentData:78    """Safe payment data handling."""79 80    def __init__(self):81        self.prohibited_fields = ['cvv', 'cvv2', 'cvc', 'pin']82 83    def sanitize_log(self, data):84        """Remove sensitive data from logs."""85        sanitized = data.copy()86 87        # Mask PAN88        if 'card_number' in sanitized:89            card = sanitized['card_number']90            sanitized['card_number'] = f"{card[:6]}{'*' * (len(card) - 10)}{card[-4:]}"91 92        # Remove prohibited data93        for field in self.prohibited_fields:94            sanitized.pop(field, None)95 96        return sanitized97 98    def validate_no_prohibited_storage(self, data):99        """Ensure no prohibited data is being stored."""100        for field in self.prohibited_fields:101            if field in data:102                raise SecurityError(f"Attempting to store prohibited field: {field}")103```104 105## Tokenization106 107### Using Payment Processor Tokens108 109```python110import stripe111 112class TokenizedPayment:113    """Handle payments using tokens (no card data on server)."""114 115    @staticmethod116    def create_payment_method_token(card_details):117        """Create token from card details (client-side only)."""118        # THIS SHOULD ONLY BE DONE CLIENT-SIDE WITH STRIPE.JS119        # NEVER send card details to your server120 121        """122        // Frontend JavaScript123        const stripe = Stripe('pk_...');124 125        const {token, error} = await stripe.createToken({126            card: {127                number: '4242424242424242',128                exp_month: 12,129                exp_year: 2024,130                cvc: '123'131            }132        });133 134        // Send token.id to server (NOT card details)135        """136        pass137 138    @staticmethod139    def charge_with_token(token_id, amount):140        """Charge using token (server-side)."""141        # Your server only sees the token, never the card number142        stripe.api_key = "sk_..."143 144        charge = stripe.Charge.create(145            amount=amount,146            currency="usd",147            source=token_id,  # Token instead of card details148            description="Payment"149        )150 151        return charge152 153    @staticmethod154    def store_payment_method(customer_id, payment_method_token):155        """Store payment method as token for future use."""156        stripe.Customer.modify(157            customer_id,158            source=payment_method_token159        )160 161        # Store only customer_id and payment_method_id in your database162        # NEVER store actual card details163        return {164            'customer_id': customer_id,165            'has_payment_method': True166            # DO NOT store: card number, CVV, etc.167        }168```169 170### Custom Tokenization (Advanced)171 172```python173import secrets174from cryptography.fernet import Fernet175 176class TokenVault:177    """Secure token vault for card data (if you must store it)."""178 179    def __init__(self, encryption_key):180        self.cipher = Fernet(encryption_key)181        self.vault = {}  # In production: use encrypted database182 183    def tokenize(self, card_data):184        """Convert card data to token."""185        # Generate secure random token186        token = secrets.token_urlsafe(32)187 188        # Encrypt card data189        encrypted = self.cipher.encrypt(json.dumps(card_data).encode())190 191        # Store token -> encrypted data mapping192        self.vault[token] = encrypted193 194        return token195 196    def detokenize(self, token):197        """Retrieve card data from token."""198        encrypted = self.vault.get(token)199        if not encrypted:200            raise ValueError("Token not found")201 202        # Decrypt203        decrypted = self.cipher.decrypt(encrypted)204        return json.loads(decrypted.decode())205 206    def delete_token(self, token):207        """Remove token from vault."""208        self.vault.pop(token, None)209```210 211## Encryption212 213### Data at Rest214 215```python216from cryptography.hazmat.primitives.ciphers.aead import AESGCM217import os218 219class EncryptedStorage:220    """Encrypt data at rest using AES-256-GCM."""221 222    def __init__(self, encryption_key):223        """Initialize with 256-bit key."""224        self.key = encryption_key  # Must be 32 bytes225 226    def encrypt(self, plaintext):227        """Encrypt data."""228        # Generate random nonce229        nonce = os.urandom(12)230 231        # Encrypt232        aesgcm = AESGCM(self.key)233        ciphertext = aesgcm.encrypt(nonce, plaintext.encode(), None)234 235        # Return nonce + ciphertext236        return nonce + ciphertext237 238    def decrypt(self, encrypted_data):239        """Decrypt data."""240        # Extract nonce and ciphertext241        nonce = encrypted_data[:12]242        ciphertext = encrypted_data[12:]243 244        # Decrypt245        aesgcm = AESGCM(self.key)246        plaintext = aesgcm.decrypt(nonce, ciphertext, None)247 248        return plaintext.decode()249 250# Usage251storage = EncryptedStorage(os.urandom(32))252encrypted_pan = storage.encrypt("4242424242424242")253# Store encrypted_pan in database254```255 256### Data in Transit257 258```python259# Always use TLS 1.2 or higher260# Flask/Django example261app.config['SESSION_COOKIE_SECURE'] = True  # HTTPS only262app.config['SESSION_COOKIE_HTTPONLY'] = True263app.config['SESSION_COOKIE_SAMESITE'] = 'Strict'264 265# Enforce HTTPS266from flask_talisman import Talisman267Talisman(app, force_https=True)268```269 270## Access Control271 272```python273from functools import wraps274from flask import session275 276def require_pci_access(f):277    """Decorator to restrict access to cardholder data."""278    @wraps(f)279    def decorated_function(*args, **kwargs):280        user = session.get('user')281 282        # Check if user has PCI access role283        if not user or 'pci_access' not in user.get('roles', []):284            return {'error': 'Unauthorized access to cardholder data'}, 403285 286        # Log access attempt287        audit_log(288            user=user['id'],289            action='access_cardholder_data',290            resource=f.__name__291        )292 293        return f(*args, **kwargs)294 295    return decorated_function296 297@app.route('/api/payment-methods')298@require_pci_access299def get_payment_methods():300    """Retrieve payment methods (restricted access)."""301    # Only accessible to users with pci_access role302    pass303```304 305## Audit Logging306 307```python308import logging309from datetime import datetime310 311class PCIAuditLogger:312    """PCI-compliant audit logging."""313 314    def __init__(self):315        self.logger = logging.getLogger('pci_audit')316        # Configure to write to secure, append-only log317 318    def log_access(self, user_id, resource, action, result):319        """Log access to cardholder data."""320        entry = {321            'timestamp': datetime.utcnow().isoformat(),322            'user_id': user_id,323            'resource': resource,324            'action': action,325            'result': result,326            'ip_address': request.remote_addr327        }328 329        self.logger.info(json.dumps(entry))330 331    def log_authentication(self, user_id, success, method):332        """Log authentication attempt."""333        entry = {334            'timestamp': datetime.utcnow().isoformat(),335            'user_id': user_id,336            'event': 'authentication',337            'success': success,338            'method': method,339            'ip_address': request.remote_addr340        }341 342        self.logger.info(json.dumps(entry))343 344# Usage345audit = PCIAuditLogger()346audit.log_access(user_id=123, resource='payment_methods', action='read', result='success')347```348 349## Security Best Practices350 351### Input Validation352 353```python354import re355 356def validate_card_number(card_number):357    """Validate card number format (Luhn algorithm)."""358    # Remove spaces and dashes359    card_number = re.sub(r'[\s-]', '', card_number)360 361    # Check if all digits362    if not card_number.isdigit():363        return False364 365    # Luhn algorithm366    def luhn_checksum(card_num):367        def digits_of(n):368            return [int(d) for d in str(n)]369 370        digits = digits_of(card_num)371        odd_digits = digits[-1::-2]372        even_digits = digits[-2::-2]373        checksum = sum(odd_digits)374        for d in even_digits:375            checksum += sum(digits_of(d * 2))376        return checksum % 10377 378    return luhn_checksum(card_number) == 0379 380def sanitize_input(user_input):381    """Sanitize user input to prevent injection."""382    # Remove special characters383    # Validate against expected format384    # Escape for database queries385    pass386```387 388## PCI DSS SAQ (Self-Assessment Questionnaire)389 390### SAQ A (Least Requirements)391 392- E-commerce using hosted payment page393- No card data on your systems394- ~20 questions395 396### SAQ A-EP397 398- E-commerce with embedded payment form399- Uses JavaScript to handle card data400- ~180 questions401 402### SAQ D (Most Requirements)403 404- Store, process, or transmit card data405- Full PCI DSS requirements406- ~300 questions407 408## Compliance Checklist409 410```python411PCI_COMPLIANCE_CHECKLIST = {412    'network_security': [413        'Firewall configured and maintained',414        'No vendor default passwords',415        'Network segmentation implemented'416    ],417    'data_protection': [418        'No storage of CVV, track data, or PIN',419        'PAN encrypted when stored',420        'PAN masked when displayed',421        'Encryption keys properly managed'422    ],423    'vulnerability_management': [424        'Anti-virus installed and updated',425        'Secure development practices',426        'Regular security patches',427        'Vulnerability scanning performed'428    ],429    'access_control': [430        'Access restricted by role',431        'Unique IDs for all users',432        'Multi-factor authentication',433        'Physical security measures'434    ],435    'monitoring': [436        'Audit logs enabled',437        'Log review process',438        'File integrity monitoring',439        'Regular security testing'440    ],441    'policy': [442        'Security policy documented',443        'Risk assessment performed',444        'Security awareness training',445        'Incident response plan'446    ]447}448```
Related skills
Accessibility Compliance

This walks you through implementing proper WCAG 2.2 compliance with real code patterns for screen readers, keyboard navigation, and mobile accessibility. It cov
Airflow Dag Patterns

If you're building data pipelines with Airflow, this skill gives you production-ready DAG patterns that actually work in the real world. It covers TaskFlow API
Angular Migration

Migrating from AngularJS to Angular is notoriously painful, and this skill tackles the practical stuff that makes or breaks these projects. It covers hybrid app