PCI-DSS Audit
This skill performs static code analysis for PCI-DSS v4.0 compliance violations across JavaScript/TypeScript, Python, Java, Go, and C#/.NET projects. It identifies 12 common PCI-DSS code-level anti-patterns — unprotected cardholder data, weak encryption of PANs, missing audit trails, insufficient access controls, and more — mapping each finding to CWE and PCI-DSS v4.0 requirement numbers with concrete UNSAFE/SAFE code pairs for remediation.
Scope: This skill covers application-code-level controls only. It does NOT audit infrastructure, network segmentation, physical security, or organizational policies — those require separate assessment tools and processes.
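An added example, not code from the pci-dss-audit skill or its repository, of one UNSAFE/SAFE pair in the "card data in logs" category listed above: a Luhn-checked PAN detector of the kind a scanner runs over source strings or log output, and the masking a remediation applies before a card number reaches any logger. The regex, the length bounds and the function names are assumptions chosen for illustration.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
# Constructed for this example; not the skill's own detection rule.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits. PCI-DSS v4.0 req. 3.4.1 allows at most
    the BIN and last four to be displayed; last-four-only is the safe default."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return Luhn-valid PAN candidates in text: what a scanner would flag."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN candidate in free text, e.g. a log line."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


# UNSAFE: the full PAN is written into an application log line
# (CWE-532; PAN stored in cleartext, contrary to PCI-DSS v4.0 req. 3.5.1).
def log_payment_unsafe(card_number: str, amount: int) -> str:
    return f"charging {amount} to card {card_number}"


# SAFE: the same message with the PAN masked before it reaches the sink.
def log_payment_safe(card_number: str, amount: int) -> str:
    return f"charging {amount} to card {mask_pan(card_number)}"
```

The Luhn filter keeps the scanner from flagging every long digit run (order ids, timestamps) while still catching formatted card numbers in string literals, test fixtures and log calls.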
When to Use
- When the user asks to "audit PCI compliance", "check PCI-DSS", or "review payment card handling"
- When the user mentions "PCI audit", "cardholder data", "PAN protection", or "payment security"
- When scanning code that handles credit card numbers, CVVs, expiration dates, or payment tokens
- When reviewing code that stores, processes, or transmits cardholder data
- When a pull request modifies payment processing, card storage, or checkout flows
- When the user asks about "card data in logs", "PAN masking", "payment encryption", or "audit logging"
- When preparing for a PCI-DSS v4.0 Self-Assessment Questionnaire (SAQ) or Report on Compliance (RoC)
When NOT to Use