[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-51af2472-85a1-487e-a7bc-692671f52be5":3,"$fRDl6NhSB7zxm5mrIVLraMOuhcmBppafYca9inlQ5_yk":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"51af2472-85a1-487e-a7bc-692671f52be5","pci-compliance","掌握PCI DSS（支付卡行业数据安全标准）合规性，以确保安全的支付处理和持卡人数据的处理。","cat_coding_review","mod_coding","sickn33,coding","---\nname: pci-compliance\ndescription: \"Master PCI DSS (Payment Card Industry Data Security Standard) compliance for secure payment processing and handling of cardholder data.\"\nrisk: unknown\nsource: community\ndate_added: \"2026-02-27\"\n---\n\n# PCI Compliance\n\nMaster PCI DSS (Payment Card Industry Data Security Standard) compliance for secure payment processing and handling of cardholder data.\n\n## Do not use this skill when\n\n- The task is unrelated to pci compliance\n- You need a different domain or tool outside this scope\n\n## Instructions\n\n- Clarify goals, constraints, and required inputs.\n- Apply relevant best practices and validate outcomes.\n- Provide actionable steps and verification.\n- If detailed examples are required, open `resources\u002Fimplementation-playbook.md`.\n\n## Use this skill when\n\n- Building payment processing systems\n- Handling credit card information\n- Implementing secure payment flows\n- Conducting PCI compliance audits\n- Reducing PCI compliance scope\n- Implementing tokenization and encryption\n- Preparing for PCI DSS assessments\n\n## PCI DSS Requirements (12 Core Requirements)\n\n### Build and Maintain Secure Network\n1. Install and maintain firewall configuration\n2. Don't use vendor-supplied defaults for passwords\n\n### Protect Cardholder Data\n3. Protect stored cardholder data\n4. 
Encrypt transmission of cardholder data across public networks\n\n### Maintain Vulnerability Management\n5. Protect systems against malware\n6. Develop and maintain secure systems and applications\n\n### Implement Strong Access Control\n7. Restrict access to cardholder data by business need-to-know\n8. Identify and authenticate access to system components\n9. Restrict physical access to cardholder data\n\n### Monitor and Test Networks\n10. Track and monitor all access to network resources and cardholder data\n11. Regularly test security systems and processes\n\n### Maintain Information Security Policy\n12. Maintain a policy that addresses information security\n\n## Compliance Levels\n\n**Level 1**: > 6 million transactions\u002Fyear (annual ROC required)\n**Level 2**: 1-6 million transactions\u002Fyear (annual SAQ)\n**Level 3**: 20,000-1 million e-commerce transactions\u002Fyear\n**Level 4**: \u003C 20,000 e-commerce or \u003C 1 million total transactions\n\n## Data Minimization (Never Store)\n\n```python\n# NEVER STORE THESE\nPROHIBITED_DATA = {\n    'full_track_data': 'Magnetic stripe data',\n    'cvv': 'Card verification code\u002Fvalue',\n    'pin': 'PIN or PIN block'\n}\n\n# CAN STORE (if encrypted)\nALLOWED_DATA = {\n    'pan': 'Primary Account Number (card number)',\n    'cardholder_name': 'Name on card',\n    'expiration_date': 'Card expiration',\n    'service_code': 'Service code'\n}\n\nclass PaymentData:\n    \"\"\"Safe payment data handling.\"\"\"\n\n    def __init__(self):\n        self.prohibited_fields = ['cvv', 'cvv2', 'cvc', 'pin']\n\n    def sanitize_log(self, data):\n        \"\"\"Remove sensitive data from logs.\"\"\"\n        sanitized = data.copy()\n\n        # Mask PAN\n        if 'card_number' in sanitized:\n            card = sanitized['card_number']\n            sanitized['card_number'] = f\"{card[:6]}{'*' * (len(card) - 10)}{card[-4:]}\"\n\n        # Remove prohibited data\n        for field in self.prohibited_fields:\n            
sanitized.pop(field, None)\n\n        return sanitized\n\n    def validate_no_prohibited_storage(self, data):\n        \"\"\"Ensure no prohibited data is being stored.\"\"\"\n        for field in self.prohibited_fields:\n            if field in data:\n                raise SecurityError(f\"Attempting to store prohibited field: {field}\")\n\n\nclass SecurityError(Exception):\n    \"\"\"Raised when prohibited cardholder data would be stored.\"\"\"\n```\n\n## Tokenization\n\n### Using Payment Processor Tokens\n```python\nimport stripe\n\nclass TokenizedPayment:\n    \"\"\"Handle payments using tokens (no card data on server).\"\"\"\n\n    @staticmethod\n    def create_payment_method_token(card_details):\n        \"\"\"Create token from card details (client-side only).\"\"\"\n        # THIS SHOULD ONLY BE DONE CLIENT-SIDE WITH STRIPE.JS\n        # NEVER send card details to your server\n\n        \"\"\"\n        \u002F\u002F Frontend JavaScript\n        const stripe = Stripe('pk_...');\n\n        const {token, error} = await stripe.createToken({\n            card: {\n                number: '4242424242424242',\n                exp_month: 12,\n                exp_year: 2024,\n                cvc: '123'\n            }\n        });\n\n        \u002F\u002F Send token.id to server (NOT card details)\n        \"\"\"\n        pass\n\n    @staticmethod\n    def charge_with_token(token_id, amount):\n        \"\"\"Charge using token (server-side).\"\"\"\n        # Your server only sees the token, never the card number\n        stripe.api_key = \"sk_...\"  # Load from a secrets manager or environment variable, never hard-code\n\n        charge = stripe.Charge.create(\n            amount=amount,\n            currency=\"usd\",\n            source=token_id,  # Token instead of card details\n            description=\"Payment\"\n        )\n\n        return charge\n\n    @staticmethod\n    def store_payment_method(customer_id, payment_method_token):\n        \"\"\"Store payment method as token for future use.\"\"\"\n        stripe.Customer.modify(\n            customer_id,\n            source=payment_method_token\n        )\n\n        # Store only customer_id and 
payment_method_id in your database\n        # NEVER store actual card details\n        return {\n            'customer_id': customer_id,\n            'has_payment_method': True\n            # DO NOT store: card number, CVV, etc.\n        }\n```\n\n### Custom Tokenization (Advanced)\n```python\nimport json\nimport secrets\nfrom cryptography.fernet import Fernet\n\nclass TokenVault:\n    \"\"\"Secure token vault for card data (if you must store it).\"\"\"\n\n    def __init__(self, encryption_key):\n        # encryption_key: a Fernet key loaded from a KMS\u002FHSM or secrets manager, never from source code\n        self.cipher = Fernet(encryption_key)\n        self.vault = {}  # In production: use encrypted database\n\n    def tokenize(self, card_data):\n        \"\"\"Convert card data to token.\"\"\"\n        # Generate secure random token (unrelated to the PAN, so it cannot be reversed without the vault)\n        token = secrets.token_urlsafe(32)\n\n        # Encrypt card data\n        encrypted = self.cipher.encrypt(json.dumps(card_data).encode())\n\n        # Store token -> encrypted data mapping\n        self.vault[token] = encrypted\n\n        return token\n\n    def detokenize(self, token):\n        \"\"\"Retrieve card data from token.\"\"\"\n        encrypted = self.vault.get(token)\n        if not encrypted:\n            raise ValueError(\"Token not found\")\n\n        # Decrypt\n        decrypted = self.cipher.decrypt(encrypted)\n        return json.loads(decrypted.decode())\n\n    def delete_token(self, token):\n        \"\"\"Remove token from vault.\"\"\"\n        self.vault.pop(token, None)\n```\n\n## Encryption\n\n### Data at Rest\n```python\nfrom cryptography.hazmat.primitives.ciphers.aead import AESGCM\nimport os\n\nclass EncryptedStorage:\n    \"\"\"Encrypt data at rest using AES-256-GCM.\"\"\"\n\n    def __init__(self, encryption_key):\n        \"\"\"Initialize with 256-bit key.\"\"\"\n        if len(encryption_key) != 32:\n            raise ValueError(\"AES-256-GCM requires a 32-byte key\")\n        self.key = encryption_key  # Must be 32 bytes\n\n    def encrypt(self, plaintext):\n        \"\"\"Encrypt data.\"\"\"\n        # Generate random nonce (12 bytes; never reuse a nonce with the same key)\n        nonce = os.urandom(12)\n\n        # Encrypt\n        aesgcm = AESGCM(self.key)\n        ciphertext = aesgcm.encrypt(nonce, plaintext.encode(), None)\n\n        # Return nonce + ciphertext\n        return nonce + ciphertext\n\n    def decrypt(self, encrypted_data):\n        \"\"\"Decrypt data.\"\"\"\n        # Extract nonce and ciphertext\n        nonce = encrypted_data[:12]\n        ciphertext = encrypted_data[12:]\n\n        # Decrypt (raises InvalidTag if the ciphertext was tampered with)\n        aesgcm = AESGCM(self.key)\n        plaintext = aesgcm.decrypt(nonce, ciphertext, None)\n\n        return plaintext.decode()\n\n# Usage\n# Demo only: a key generated here is lost on restart; in production load the key from a KMS\u002FHSM\nstorage = EncryptedStorage(os.urandom(32))\nencrypted_pan = storage.encrypt(\"4242424242424242\")\n# Store encrypted_pan in database\n```\n\n### Data in Transit\n```python\n# Always use TLS 1.2 or higher\n# Flask example (Django exposes equivalent SESSION_COOKIE_* and SECURE_SSL_REDIRECT settings)\nfrom flask import Flask\nfrom flask_talisman import Talisman\n\napp = Flask(__name__)\napp.config['SESSION_COOKIE_SECURE'] = True  # HTTPS only\napp.config['SESSION_COOKIE_HTTPONLY'] = True\napp.config['SESSION_COOKIE_SAMESITE'] = 'Strict'\n\n# Enforce HTTPS (redirects plain HTTP and sets HSTS)\nTalisman(app, force_https=True)\n```\n\n## Access Control\n\n```python\nimport logging\nfrom functools import wraps\nfrom flask import Flask, session\n\napp = Flask(__name__)\n\ndef audit_log(user, action, resource):\n    \"\"\"Minimal audit hook; see PCIAuditLogger in the Audit Logging section for a fuller version.\"\"\"\n    logging.getLogger('pci_audit').info('user=%s action=%s resource=%s', user, action, resource)\n\ndef require_pci_access(f):\n    \"\"\"Decorator to restrict access to cardholder data.\"\"\"\n    @wraps(f)\n    def decorated_function(*args, **kwargs):\n        user = session.get('user')\n\n        # Check if user has PCI access role\n        if not user or 'pci_access' not in user.get('roles', []):\n            return {'error': 'Unauthorized access to cardholder data'}, 403\n\n        # Log access attempt\n        audit_log(\n            user=user['id'],\n            action='access_cardholder_data',\n            resource=f.__name__\n        )\n\n        return f(*args, **kwargs)\n\n    return decorated_function\n\n@app.route('\u002Fapi\u002Fpayment-methods')\n@require_pci_access\ndef get_payment_methods():\n    \"\"\"Retrieve payment methods (restricted access).\"\"\"\n    # Only accessible to users with pci_access role; return tokens\u002Fmasked PANs, never full card data\n    return {'payment_methods': []}\n```\n\n## Audit Logging\n\n```python\nimport json\nimport logging\nfrom datetime import datetime, timezone\nfrom flask import request, has_request_context\n\nclass PCIAuditLogger:\n    \"\"\"PCI-compliant audit logging.\"\"\"\n\n    def __init__(self):\n        self.logger = logging.getLogger('pci_audit')\n        # Configure to write to secure, append-only log\n\n    @staticmethod\n    def _client_ip():\n        \"\"\"Client IP when called inside a request, None otherwise (e.g. batch jobs).\"\"\"\n        return request.remote_addr if has_request_context() else None\n\n    def log_access(self, user_id, resource, action, result):\n        \"\"\"Log access to cardholder data.\"\"\"\n        entry = {\n            'timestamp': datetime.now(timezone.utc).isoformat(),\n            'user_id': user_id,\n            'resource': resource,\n            'action': action,\n            'result': result,\n            'ip_address': self._client_ip()\n        }\n\n        self.logger.info(json.dumps(entry))\n\n    def log_authentication(self, user_id, success, method):\n        \"\"\"Log authentication attempt.\"\"\"\n        entry = {\n            'timestamp': datetime.now(timezone.utc).isoformat(),\n            'user_id': user_id,\n            'event': 'authentication',\n            'success': success,\n            'method': method,\n            'ip_address': self._client_ip()\n        }\n\n        self.logger.info(json.dumps(entry))\n\n# Usage\naudit = PCIAuditLogger()\naudit.log_access(user_id=123, resource='payment_methods', action='read', result='success')\n```\n\n## Security Best Practices\n\n### Input Validation\n```python\nimport re\n\ndef validate_card_number(card_number):\n    \"\"\"Validate card number format (Luhn algorithm).\"\"\"\n    # Remove spaces and dashes\n    card_number = re.sub(r'[\\s-]', '', card_number)\n\n    # Check if all digits and a plausible PAN length (13-19 digits)\n    if not card_number.isdigit() or not 13 <= len(card_number) <= 19:\n        return False\n\n    # Luhn algorithm\n    def luhn_checksum(card_num):\n        def digits_of(n):\n            return [int(d) for d in str(n)]\n\n        digits = digits_of(card_num)\n        odd_digits = digits[-1::-2]\n        even_digits = digits[-2::-2]\n        checksum = sum(odd_digits)\n        for d in even_digits:\n            checksum += sum(digits_of(d * 2))\n        return checksum % 10\n\n    return luhn_checksum(card_number) == 
0\n\ndef sanitize_input(user_input, pattern=r\"^[A-Za-z0-9 .,'-]{1,100}$\"):\n    \"\"\"Validate free-text input (e.g. cardholder name) against an allow-list pattern.\"\"\"\n    # Normalize whitespace\n    cleaned = ' '.join(str(user_input).split())\n\n    # Reject input outside the expected format instead of trying to strip \"bad\" characters\n    if not re.fullmatch(pattern, cleaned):\n        raise ValueError('Input does not match expected format')\n\n    # For database queries use parameterized statements; hand-escaping is not a substitute\n    return cleaned\n```\n\n## PCI DSS SAQ (Self-Assessment Questionnaire)\n\n### SAQ A (Least Requirements)\n- E-commerce using hosted payment page\n- No card data on your systems\n- ~20 questions\n\n### SAQ A-EP\n- E-commerce with embedded payment form\n- Uses JavaScript to handle card data\n- ~180 questions\n\n### SAQ D (Most Requirements)\n- Store, process, or transmit card data\n- Full PCI DSS requirements\n- ~300 questions\n\n## Compliance Checklist\n\n```python\nPCI_COMPLIANCE_CHECKLIST = {\n    'network_security': [\n        'Firewall configured and maintained',\n        'No vendor default passwords',\n        'Network segmentation implemented'\n    ],\n    'data_protection': [\n        'No storage of CVV, track data, or PIN',\n        'PAN encrypted when stored',\n        'PAN masked when displayed',\n        'Encryption keys properly managed'\n    ],\n    'vulnerability_management': [\n        'Anti-virus installed and updated',\n        'Secure development practices',\n        'Regular security patches',\n        'Vulnerability scanning performed'\n    ],\n    'access_control': [\n        'Access restricted by role',\n        'Unique IDs for all users',\n        'Multi-factor authentication',\n        'Physical security measures'\n    ],\n    'monitoring': [\n        'Audit logs enabled',\n        'Log review process',\n        'File integrity monitoring',\n        'Regular security testing'\n    ],\n    'policy': [\n        'Security policy documented',\n        'Risk assessment performed',\n        'Security awareness training',\n        'Incident response plan'\n    ]\n}\n```\n\n## Resources\n\n- **references\u002Fdata-minimization.md**: Never store prohibited data\n- **references\u002Ftokenization.md**: Tokenization strategies\n- 
**references\u002Fencryption.md**: Encryption requirements\n- **references\u002Faccess-control.md**: Role-based access\n- **references\u002Faudit-logging.md**: Comprehensive logging\n- **assets\u002Fpci-compliance-checklist.md**: Complete checklist\n- **assets\u002Fencrypted-storage.py**: Encryption utilities\n- **scripts\u002Faudit-payment-system.sh**: Compliance audit script\n\n## Common Violations\n\n1. **Storing CVV**: Never store card verification codes\n2. **Unencrypted PAN**: Card numbers must be encrypted at rest\n3. **Weak Encryption**: Use AES-256 or equivalent\n4. **No Access Controls**: Restrict who can access cardholder data\n5. **Missing Audit Logs**: Must log all access to payment data\n6. **Insecure Transmission**: Always use TLS 1.2+\n7. **Default Passwords**: Change all default credentials\n8. **No Security Testing**: Regular penetration testing required\n\n## Reducing PCI Scope\n\n1. **Use Hosted Payments**: Stripe Checkout, PayPal, etc.\n2. **Tokenization**: Replace card data with tokens\n3. **Network Segmentation**: Isolate cardholder data environment\n4. **Outsource**: Use PCI-compliant payment processors\n5. 
**No Storage**: Never store full card details\n\nBy minimizing systems that touch card data, you reduce compliance burden significantly.\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,213,1913,"2026-05-16 13:33:29",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"编程开发","coding","mdi-code-braces","代码生成、调试、审查，提升开发效率",2,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"代码审查","review","mdi-magnify-scan","代码质量分析、安全审查",4,145,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"4d822a6d-4670-456b-bc35-ba92b1229a40","1.0.0","pci-compliance.zip",5290,"uploads\u002Fskills\u002F51af2472-85a1-487e-a7bc-692671f52be5\u002Fpci-compliance.zip","7a6cee86fe98f72e90bdf8da3c4ff9b54ba3816ced9d100809faea321609a5c3","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":14162}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]