Why this matters
Once a page carrying cardholder data (CHD) is cached, a copy of the PAN sits on every browser disk, proxy and CDN node along the path, and each copy is outside the application's control.
Set cache headers on every payment entry point and on any response that carries or sits next to CHD so that nothing on the path stores it. Cache-Control: no-store is the only directive that forbids storage outright: no-cache merely forces revalidation before reuse, private merely excludes shared caches, and max-age=0 or Expires: 0 merely marks the stored copy stale. Add Pragma: no-cache and Expires: 0 for legacy HTTP/1.0 intermediaries that ignore Cache-Control, and verify in integration tests that CDNs and reverse proxies honour the headers and never cache PAN-related flows.
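The following is an added example written for this page, not code from the original page or from any framework: a review/CI check that decides whether a payment-flow response can be stored by a browser cache, proxy or CDN, and explains why common "looks safe" header sets (private, no-cache, max-age=0, Pragma alone) still fail the rule. Headers are passed as (name, value) pairs so repeated and mixed-case headers are handled; the three sample responses at the bottom are constructed for illustration.

```python
"""Added example (not from the original page): is this response unstorable?

Directive handling follows RFC 9111: Cache-Control may appear more than once,
directive names are case-insensitive, and only no-store forbids storage.
"""
from __future__ import annotations

from typing import Iterable, Optional


def header_values(headers: Iterable[tuple[str, str]], name: str) -> list[str]:
    """All values of a header, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def cache_directives(headers: Iterable[tuple[str, str]]) -> dict[str, Optional[str]]:
    """Merge every Cache-Control header into one directive map (name -> argument or None)."""
    directives: dict[str, Optional[str]] = {}
    for value in header_values(headers, "Cache-Control"):
        for part in value.split(","):
            part = part.strip()
            if not part:
                continue
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def storage_findings(headers: Iterable[tuple[str, str]]) -> list[str]:
    """Review findings for one response; an empty list means nothing may store it."""
    headers = list(headers)
    d = cache_directives(headers)
    pragma = {v.strip().lower() for v in header_values(headers, "Pragma")}
    findings: list[str] = []

    if "no-store" in d:
        # no-store is the only directive that forbids writing the response at all;
        # Pragma is belt-and-braces for HTTP/1.0 intermediaries.
        if "no-cache" not in pragma:
            findings.append("Pragma: no-cache missing; add it for HTTP/1.0 "
                            "intermediaries that ignore Cache-Control")
        return findings

    findings.append("Cache-Control: no-store absent; browsers and proxies may "
                    "write the response to disk")
    if not d:
        findings.append("no Cache-Control header at all; caches may apply "
                        "heuristic freshness")
    if "no-cache" in d:
        findings.append("no-cache only forces revalidation before reuse; the "
                        "copy is still stored")
    if "private" in d:
        findings.append("private excludes shared caches only; the browser "
                        "cache still stores it")
    if "public" in d:
        findings.append("public explicitly invites CDNs and proxies to store "
                        "the response")
    if "max-age" in d or "s-maxage" in d:
        findings.append("max-age/s-maxage bounds freshness but permits storage")
    if header_values(headers, "Expires"):
        findings.append("Expires only marks a stored copy stale; it does not "
                        "prevent storage")
    if "no-cache" in pragma:
        findings.append("Pragma: no-cache alone does not stop HTTP/1.1 caches "
                        "from storing")
    return findings


def is_unstorable(headers: Iterable[tuple[str, str]]) -> bool:
    """True when the response passes the rule with nothing left to fix."""
    return not storage_findings(headers)


# Constructed sample responses for a POST /pay handler (not captured traffic).
NO_HEADERS = [("Content-Type", "text/html")]
LOOKS_SAFE_BUT_IS_NOT = [("Cache-Control", "private, no-cache, max-age=0"),
                         ("Pragma", "no-cache")]
CORRECT = [("Cache-Control", "no-store"), ("Pragma", "no-cache"), ("Expires", "0")]

if __name__ == "__main__":
    for label, h in [("no headers", NO_HEADERS),
                     ("weak", LOOKS_SAFE_BUT_IS_NOT),
                     ("correct", CORRECT)]:
        print(label, "->", storage_findings(h) or "OK")
```

Run storage_findings against the real headers returned by each payment route in an integration test and fail the build on a non-empty list; the findings double as the explanation a developer needs when their private, no-cache, max-age=0 combination is rejected.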
Side-by-side examples engineers can pattern-match during review.
Bad (Ktor route): no cache headers on the payment route, so the browser and any proxy may store the response

routing {
    post("/pay") {
        call.respond(HttpStatusCode.OK) // no cache headers
    }
}

Good (Ktor route): the response is marked unstorable before the body is sent; headers must be appended before call.respond

routing {
    post("/pay") {
        call.response.headers.append("Cache-Control", "no-store")
        call.response.headers.append("Pragma", "no-cache")
        call.respond(HttpStatusCode.OK)
    }
}

From the same buckets as this rule.
Never emit the Primary Account Number (PAN) or Sensitive Authentication Data (SAD: CVV/CVC, full track data, PIN) to application or audit logs. Per PCI DSS 4.0 Req. 3 and 10, mask the PAN to at most the first six and last four digits and fully redact SAD before logging.
Reject PRs that add real PAN/CVV values to fixtures, seeds, or mocks. Use only Luhn-valid test PANs issued by the gateway or opaque tokens (e.g., tok_), and never include a CVV. Add a CI check that fails when a PAN-shaped digit sequence matches. (PCI DSS data minimization)