Why this matters
Least-privilege access reduces insider and lateral-movement risk for CHD.
Any code path that reads, decrypts, or exchanges PAN tokens must require an explicit authorization policy (e.g., role "pci:read_token") and must log each access without writing the PAN itself. Deny by default. (PCI DSS 4.0 Req. 7 & 10)
Side-by-side examples engineers can pattern-match during review.
// ❌ open endpoint
[HttpGet("/tokens/{id}")]
public IActionResult Get(string id) { return Ok(store.Get(id)); }

// ✅ restricted endpoint
[Authorize(Policy = "pci:read_token")]
[HttpGet("/tokens/{id}")]
public IActionResult Get(string id)
{
    audit.Log("pci_token_read", new { id }); // log the token id, never the PAN
    return Ok(store.Get(id));
}

// ❌ [Authorize]                          (no policy)
// ✅ [Authorize(Policy = "pci:read_token")]

From the same buckets as this rule.
Never emit Primary Account Number (PAN) or Sensitive Authentication Data (SAD: CVV/CVC, full track data, PIN) to application or audit logs. Per PCI DSS 4.0 Req. 3 and 10, always mask PAN as first6last4 (first six and last four digits) and fully redact SAD before logging.
Reject PRs adding real PAN/CVV in fixtures, seeds, or mocks. Only use Luhn-valid test PANs from the gateway or opaque tokens (e.g., tok_) and never include CVV. Add a CI check that fails when a PAN regex matches. (PCI DSS data minimization)
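The authorization rule above and the first6last4 logging rule from the related list, combined in one ASP.NET Core program as an added example that is not code from the page or its rule set: the policy and role name "pci:read_token" and the masking scheme come from the page, while the `TokenRecord`, `ITokenStore` and `IAuditLog` types, their DI registration, and the bearer-authentication setup are assumptions.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
// Assumption: bearer-token authentication is configured in appsettings (Authentication:Schemes:Bearer).
builder.Services.AddAuthentication("Bearer").AddJwtBearer();
builder.Services.AddAuthorization(options =>
{
    // Deny by default: an endpoint with no [Authorize]/[AllowAnonymous] still requires an authenticated caller.
    options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
    // The explicit policy the rule names; only callers holding this role may read PAN tokens.
    options.AddPolicy("pci:read_token", policy => policy.RequireRole("pci:read_token"));
});
// Assumption: concrete ITokenStore and IAuditLog implementations are registered here in production code.
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// Assumed application types (not from the page): a token record, its store, and an audit sink.
public record TokenRecord(string Id, string Pan);
public interface ITokenStore { TokenRecord? Get(string id); }
public interface IAuditLog { void Log(string eventName, object payload); }

[ApiController]
public class TokensController : ControllerBase
{
    private readonly ITokenStore store;
    private readonly IAuditLog audit;
    public TokensController(ITokenStore store, IAuditLog audit) { this.store = store; this.audit = audit; }
    [Authorize(Policy = "pci:read_token")]   // explicit policy, never a bare [Authorize]
    [HttpGet("/tokens/{id}")]
    public IActionResult Get(string id)
    {
        var record = store.Get(id);
        if (record is null) return NotFound();
        // Audit actor and token id; the PAN reaches the log only masked as first6last4.
        audit.Log("pci_token_read", new { id, actor = User.Identity?.Name, pan = PanMask.First6Last4(record.Pan) });
        return Ok(record);
    }
}
public static class PanMask
{
    // first6last4 per the logging rule; anything outside the 13-19 digit PAN length range is fully redacted.
    public static string First6Last4(string pan) =>
        pan.Length is < 13 or > 19 ? "****" : pan[..6] + new string('*', pan.Length - 10) + pan[^4..];
}
```

With the fallback policy in place, a reviewer can treat any `[Authorize]` without a `Policy` on a token endpoint as a defect rather than having to reason about which routes are reachable anonymously.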