Why this matters
Tamper-evident audit trails enable incident response and forensics.
On every create/read/update/delete of CHD or tokens, write a structured audit event (who, what, when, result) that never contains the full PAN and carries only pan_last4. Persist it to an append-only/immutable sink. (PCI DSS 4.0 Req. 10)
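Added example, not the rule's own code: a standard-library-only Rust sketch of the event shape above. The event is constructed from pan_last4 only, rendered as one JSON line, and handed to a sink that exposes append and nothing else; `looks_like_pan` is a hypothetical last-line guard that refuses any event whose rendered fields still contain a 13-digit-or-longer run.

```rust
use std::time::{SystemTime, UNIX_EPOCH};

/// Structured audit event: who, what, when, result. The PAN field is last4 only, by construction.
#[derive(Debug, Clone, PartialEq)]
pub struct AuditEvent { pub ts_unix: u64, pub user_id: String, pub action: String, pub result: String, pub pan_last4: String }

/// Reduce a PAN to its last four digits; the full value never becomes part of the event.
pub fn pan_last4(pan: &str) -> String {
    let digits: String = pan.chars().filter(|c| c.is_ascii_digit()).collect();
    digits[digits.len().saturating_sub(4)..].to_string()
}

/// True if the text holds a run of 13 or more digits, the shape of a full PAN (hypothetical guard).
pub fn looks_like_pan(s: &str) -> bool {
    let mut run = 0;
    for c in s.chars() { run = if c.is_ascii_digit() { run + 1 } else { 0 }; if run >= 13 { return true; } }
    false
}

/// An append-only sink exposes `append` and nothing else: no update, no delete.
pub trait AppendOnlySink { fn append(&mut self, line: &str); }

/// In-memory sink for this example; production would use a file opened in append mode or a WORM store.
#[derive(Default)]
pub struct MemorySink { pub lines: Vec<String> }
impl AppendOnlySink for MemorySink { fn append(&mut self, line: &str) { self.lines.push(line.to_string()); } }

/// Escape quotes and backslashes so a field value cannot break out of its JSON string.
fn esc(s: &str) -> String { s.replace('\\', "\\\\").replace('"', "\\\"") }

impl AuditEvent {
    pub fn new(user_id: &str, action: &str, result: &str, pan: &str) -> Self {
        let ts_unix = SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0);
        Self { ts_unix, user_id: user_id.into(), action: action.into(), result: result.into(), pan_last4: pan_last4(pan) }
    }
    /// One JSON line per event; hand-rolled to keep the example dependency-free.
    pub fn to_json_line(&self) -> String {
        format!(r#"{{"ts":{},"user_id":"{}","action":"{}","result":"{}","pan_last4":"{}"}}"#,
            self.ts_unix, esc(&self.user_id), esc(&self.action), esc(&self.result), esc(&self.pan_last4))
    }
}

/// Serialize and append, refusing the whole event if any field still carries a PAN-like digit run.
pub fn write_audit(sink: &mut impl AppendOnlySink, ev: &AuditEvent) -> Result<(), String> {
    let line = ev.to_json_line();
    if looks_like_pan(&line) { return Err("refusing to log: PAN-like digit run in audit event".into()); }
    sink.append(&line);
    Ok(())
}
```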
Side-by-side examples engineers can pattern-match during review.

Bad: the full PAN goes into the log as a field.
    info!("read_pan", pan = full_pan);

Good: routed to the audit target with actor, action, result, and pan_last4 only.
    // `target:` selects the audit subscriber; a `target = ...` field would only add a key named "target"
    event!(target: "audit", Level::INFO, action = "token.read", user_id = uid, pan_last4 = last4, result = "success");

Bad: an "audit" message still carries the full PAN.
    info!("audit", pan = full_pan)

Good: minimal audit event with last4 only.
    event!(target: "audit", Level::INFO, pan_last4 = last4)

From the same buckets as this rule.
Never emit Primary Account Number (PAN) or Sensitive Authentication Data (SAD: CVV/CVC, full track data, PIN) to application or audit logs. Per PCI DSS 4.0 Req. 3 and 10, always mask PAN as first6last4 and fully redact SAD before logging.
Reject PRs adding real PAN/CVV in fixtures, seeds, or mocks. Only use Luhn-valid test PANs from the gateway or opaque tokens (e.g., tok_) and never include CVV. Add a check to fail if a PAN regex is matched. (PCI DSS data minimization)