
pci-dss-compliance

npx machina-cli add skill BagelHole/DevOps-Security-Agent-Skills/pci-dss-compliance --openclaw
Files (1)
SKILL.md
1.4 KB

PCI DSS Compliance

Implement PCI DSS requirements for payment card security.

Requirements

requirements:
  1_firewall:
    - Network segmentation
    - Firewall configuration
    - CDE isolation
    
  3_protect_data:
    - Mask PAN display
    - Encrypt stored data
    - Key management
    
  6_secure_systems:
    - Patch management
    - Secure development
    - Change control
    
  8_access_control:
    - Unique IDs
    - MFA for remote access
    - Password policies
    
  10_logging:
    - Audit trail
    - Time synchronization
    - Log retention (1 year)
    
  11_testing:
    - Vulnerability scans
    - Penetration testing
    - IDS/IPS monitoring

Network Segmentation

Internet --> DMZ --> Firewall --> CDE
                                  |
            Non-CDE <-- Firewall --

Data Protection

encryption:
  at_rest: AES-256
  in_transit: TLS 1.2+
  key_storage: HSM or dedicated key vault
  
tokenization:
  - Replace PAN with token
  - Store mapping securely
  - Reduce CDE scope
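The tokenization and masking controls above, as an added example in Python that is not part of this skill: a small token vault that keeps the PAN-to-token mapping in one place, hands out random tokens to every other system, and a display function applying the Requirement 3 masking rule. The in-memory dicts and the `index_key` value are constructed stand-ins; a real vault would encrypt its store at rest and take the key from an HSM or key vault, as the config above requires.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Basic input check so malformed PANs never enter the vault."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        return False
    digits = [int(c) for c in reversed(pan)]
    total = sum(digits[0::2]) + sum(d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2])
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3 display rule: at most the first six and last four digits visible."""
    if len(pan) < 10:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """The only component that stores PANs; every other system handles tokens.
    Assumed deployment: vault inside the CDE, store encrypted at rest (AES-256 per
    the config above), index_key from an HSM or key vault. In-memory dicts stand in
    here so the example runs offline."""

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._pan_by_token: dict[str, str] = {}    # the sensitive mapping
        self._token_by_index: dict[str, str] = {}  # HMAC(PAN) -> token

    def _index(self, pan: str) -> str:
        # Keyed hash: same PAN -> same token, but the index cannot be enumerated without the key.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        idx = self._index(pan)
        if idx not in self._token_by_index:
            # A random token carries no PAN information, so systems that only
            # store tokens fall outside CDE scope.
            token = "tok_" + secrets.token_urlsafe(16)
            self._pan_by_token[token] = pan
            self._token_by_index[idx] = token
        return self._token_by_index[idx]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]
```

Systems outside the vault persist only the token and, for receipts or support screens, the masked form; detokenization is the one call that must stay inside the CDE boundary.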

Best Practices

  • Minimize CDE scope
  • Use tokenization
  • Quarterly vulnerability scans
  • Annual penetration tests
  • ASV scan certification

Source

git clone https://github.com/BagelHole/DevOps-Security-Agent-Skills/blob/main/compliance/frameworks/pci-dss-compliance/SKILL.md

Overview

This skill implements PCI DSS requirements to secure payment card data by configuring and enforcing controls around the Cardholder Data Environment (CDE). It covers network segmentation, data protection, access control, logging, and regular testing to maintain compliance when processing cards.

How This Skill Works

It defines the CDE boundaries, enforces firewall and segmentation rules, and applies data protection controls such as encryption in transit and at rest with key management and tokenization to minimize PAN exposure. It also enforces access controls with unique IDs and MFA, requires time synchronization and logging, and governs testing with vulnerability scans and penetration tests.

When to Use It

  • When processing payment card transactions in production
  • When isolating the Cardholder Data Environment from non-CDE networks
  • When protecting card data with masking, encryption, and tokenization
  • During ongoing PCI DSS compliance activities like vulnerability scans and pen tests
  • When configuring audit logging, time synchronization, and external ASV scans for certification

Quick Start

  1. Define the CDE scope and map all card data flows
  2. Implement firewall rules and network segmentation to isolate the CDE
  3. Enable encryption in transit and at rest, deploy tokenization, set up key management, and configure logging and testing cadence

Best Practices

  • Minimize CDE scope to reduce risk
  • Use tokenization to reduce PAN exposure
  • Perform quarterly vulnerability scans
  • Conduct annual penetration tests
  • Obtain ASV scan certification to validate external scans

Example Use Cases

  • An online retailer isolates the CDE via network segmentation and encrypts data at rest and in transit
  • A payment processor uses tokenization to replace PAN with tokens and stores the mapping securely
  • A hospitality POS system enforces unique user IDs and MFA for remote access
  • A merchant configures time synchronization and maintains 1 year of secure log retention
  • A merchant undergoes quarterly vulnerability scans and annual external penetration testing to stay PCI DSS compliant
