Redact CHD in CI and fail builds on PAN patterns

Related rules

From the same buckets as this rule.

• Critical

  Disallow CVV/CVC persistence anywhere

  Never store CVV/CVC or other SAD after authorization in databases, caches, files, or telemetry. Schema/models must not define fields for CVV/CVC; reject writes containing cvv/cvc keys. (PCI DSS 4.0 Req. 3.2.1)

  compliance-pci-dsssecurity-hardening+1
• Critical

  Mask PAN and exclude SAD from logs

  Never emit Primary Account Number (PAN) or Sensitive Authentication Data (SAD: CVV/CVC, full track data, PIN) to application or audit logs. Per PCI DSS 4.0 Req. 3 and 10, always mask PAN as first6last4 and fully redact SAD before logging.

  compliance-pci-dssobservability-logging+1
• High

  Block real PAN/SAD in fixtures and test data

  Reject PRs adding real PAN/CVV in fixtures, seeds, or mocks. Only use Luhn-valid test PANs from the gateway or opaque tokens (e.g., tok_) and never include CVV. Add a check to fail if a PAN regex is matched. (PCI DSS data minimization)

  compliance-pci-dsstesting-quality+1