Why this matters
Strong transport encryption prevents interception of CHD and tokens.
All outbound connections that may carry CHD/PAN tokens must enforce TLS >= 1.2, validate hostname/chain, and optionally pin gateway SPKI. Disable insecure ciphers/versions. (PCI DSS 4.0 Req. 4)
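As an added example (not code from this page or from any gateway vendor) of the three controls in this rule: an explicit TLS 1.2 floor, a ServerName so chain validation checks the gateway hostname, and an SPKI pin layered over standard verification. It goes slightly beyond the rule text by accepting a backup pin for key rotation and failing closed on an empty or unparsable chain; the hostname, the pin set and the self-signed certificate are constructed for the offline demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// spkiPin hashes the leaf's SubjectPublicKeyInfo, the value a gateway publishes for pinning.
func spkiPin(cert *x509.Certificate) [32]byte { return sha256.Sum256(cert.RawSubjectPublicKeyInfo) }
// pinnedVerifier accepts the handshake only if the leaf SPKI hash is in the allowed set
// (current pin plus a backup pin, so the gateway can rotate keys without an outage).
func pinnedVerifier(allowed [][32]byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("pin check: no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0]) // fail closed on a parse error
		if err != nil {
			return err
		}
		got := spkiPin(leaf)
		for _, want := range allowed {
			if bytes.Equal(got[:], want[:]) {
				return nil
			}
		}
		return errors.New("pin check: SPKI hash matches no pinned key")
	}
}

// gatewayTLSConfig: TLS 1.2 floor, explicit ServerName, and the pin run after (not instead of) chain validation.
func gatewayTLSConfig(host string, allowed [][32]byte) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, ServerName: host, VerifyPeerCertificate: pinnedVerifier(allowed)}
}
// selfSignedDER builds a throwaway certificate so the pin check can run offline (constructed input).
func selfSignedDER() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo.invalid"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}
```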
Side-by-side examples engineers can pattern-match during review.
```go
// ❌ default TLS settings: no explicit minimum version, no pin check
client := &http.Client{}
resp, _ := client.Get(gatewayURL)
```

```go
// ✅ explicit TLS 1.2 floor, hostname for chain validation, optional SPKI pin
// (imports: bytes, crypto/sha256, crypto/tls, crypto/x509, errors, net/http)
tr := &http.Transport{TLSClientConfig: &tls.Config{
	MinVersion: tls.VersionTLS12,
	ServerName: "api.paygateway.com",
	// Optional pinning example
	VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		cert, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err // fail closed on a parse error instead of dereferencing nil
		}
		spki := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
		want := mustDecodeHex("d4e5...ab") // expected SHA-256 of the gateway's SPKI
		if !bytes.Equal(spki[:], want) {
			return errors.New("pin mismatch")
		}
		return nil
	},
}}
client := &http.Client{Transport: tr}
resp, err := client.Get(gatewayURL)
```

Pattern to flag in review:
❌ tls.Config{MinVersion: 0} (no explicit floor; relies on the library default)
✅ tls.Config{MinVersion: tls.VersionTLS12}

From the same buckets as this rule.
Never emit Primary Account Number (PAN) or Sensitive Authentication Data (SAD: CVV/CVC, full track data, PIN) to application or audit logs. Per PCI DSS 4.0 Req. 3 and 10, always mask PAN as first6last4 and fully redact SAD before logging.
Reject PRs adding real PAN/CVV in fixtures, seeds, or mocks. Only use Luhn-valid test PANs from the gateway or opaque tokens (e.g., tok_) and never include CVV. Add a check to fail if a PAN regex is matched. (PCI DSS data minimization)