// library
Severity
Bucket
Never emit Primary Account Number (PAN) or Sensitive Authentication Data (SAD: CVV/CVC, full track data, PIN) to application or audit logs. Per PCI DSS 4.0 Req. 3 and 10, always mask PAN as first6last4 and fully redact SAD before logging.
Reject PRs adding real PAN/CVV in fixtures, seeds, or mocks. Only use Luhn-valid test PANs from the gateway or opaque tokens (e.g., tok_) and never include CVV. Add a check to fail if a PAN regex is matched. (PCI DSS data minimization)
On every create/read/update/delete of CHD or tokens, write a structured audit event (who, what, when, result) without full PAN, including only pan_last4. Persist to an append-only/immutable sink. (PCI DSS 4.0 Req. 10)
If PAN must be handled transiently, encrypt in memory with AES-256-GCM using a KMS/HSM-provided key, store only ciphertext or tokens, and zeroize plaintext buffers immediately. Rotate keys per policy. (PCI DSS 4.0 Req. 3)
For web/mobile payment forms, send PAN and CVV directly to the PCI-compliant gateway to obtain a single-use token; submit only the token to your backend. Validate that backend APIs reject requests containing PAN/SAD. (PCI DSS scoping & SAQ A)
Set HTTP headers for payment entry points and CHD-adjacent responses to prevent storage: Cache-Control: no-store, Pragma: no-cache, and appropriate privacy headers. Ensure intermediaries cannot cache PAN-related flows.
Pin cryptography libraries to vetted versions (e.g., BouncyCastle FIPS) and generate a CycloneDX SBOM as part of the build. Reject PRs introducing floating or insecure versions. (PCI DSS 4.0 Req. 6 & supply chain)
Accept only short-lived tokens from the gateway (JWT/JWE or opaque) and validate signature/expiry; do not persist tokens beyond business need. Never attempt to reconstruct PAN from tokens. (PCI DSS data minimization)
13 rules