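# PCI DSS Compliance Profile
# Payment Card Industry Data Security Standard compliance scanning
#
# Base profiles loaded alongside this one. The scanner is presumably expected to
# merge their `patterns` / `signatures` arrays with the ones below — confirm;
# the "Credit Card" pattern names referenced by the signatures at the bottom are
# not defined in this file and must come from these includes.
includes = [
    "../base/compliance.toml",
    "../base/credentials.toml",
    "../base/crypto.toml",
]

# Additional PCI-specific patterns.
# Regexes are TOML literal strings ('...') so each backslash is written once,
# exactly as the regex engine receives it (same values as the escaped form).

# Track 1 shape: '%', one format-code letter, a 13-19 digit PAN, '^', then two
# '?'-terminated fields. Shape match only; nothing here validates the PAN.
[[patterns]]
name = "Track Data - Full Magnetic Stripe"
pattern = '%[A-Z]\d{13,19}\^[^\?]+\?[^\?]+\?'
type = "regex"

# A card-verification label followed by 3-4 digits ("cvv: 123", "CID=1234").
[[patterns]]
name = "Track Data - CVV/CVC"
pattern = '(?:cvv|cvc|cid|cav)\s*[:=]?\s*\d{3,4}'
case-insensitive = true
type = "regex"

# A PIN label followed by 4 or more digits; `\d{4,}` is open-ended, so longer
# numeric values after "pin" are also reported.
[[patterns]]
name = "Track Data - PIN"
pattern = '(?:pin|pinblock)\s*[:=]?\s*\d{4,}'
case-insensitive = true
type = "regex"

# Matches only these issuer shapes: 16-digit numbers starting with 4, 16-digit
# starting 51-55, 15-digit starting 34/37, and 16-digit starting 6011. Other
# issuer ranges and other PAN lengths are not matched. There is no check-digit
# validation, so any number of the right shape is reported; review hits before
# acting on them.
[[patterns]]
name = "Primary Account Number (PAN)"
pattern = '\b(?:4\d{15}|5[1-5]\d{14}|3[47]\d{13}|6011\d{12})\b'
type = "regex"

# `.*` lets the gateway name and the credential keyword sit arbitrarily far
# apart (on one line, with default `.` semantics), so this is deliberately
# broad and will produce some noise in config files that merely mention a
# gateway.
[[patterns]]
name = "Payment Gateway Configuration"
pattern = '(?:stripe|paypal|square|authorize\.net|braintree).*(?:api[_-]?key|secret|token)'
case-insensitive = true
type = "regex"

# Signatures: SQL over `pattern_matches` returning the sha256 of files that the
# patterns above (or the base profiles' "Credit Card" patterns) flagged.
# The PAN pattern defined in this file is matched by its exact name, since
# "Primary Account Number (PAN)" contains none of the LIKE fragments.
# NOTE(review): on engines where LIKE is case-insensitive for ASCII (SQLite by
# default) '%PIN%' also matches unrelated names containing "pin" — confirm the
# backend before relying on these results.
[[signatures]]
name = "PCI Sensitive Data"
query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE '%Credit Card%' OR pattern_name = 'Primary Account Number (PAN)' OR pattern_name LIKE '%Track Data%' OR pattern_name LIKE '%CVV%' OR pattern_name LIKE '%PIN%'"

# Card-data hits in files that have no AES/Encryption hit. An encryption-related
# string in the same file does not prove the card data is encrypted, and its
# absence does not prove it is not — treat this as a triage hint, not a finding.
# NOTE(review): NOT IN returns no rows at all if the subquery yields a NULL
# sha256; assumes sha256 is never NULL — confirm against the schema.
[[signatures]]
name = "Unencrypted Card Data"
query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE (pattern_name LIKE '%Credit Card%' OR pattern_name = 'Primary Account Number (PAN)' OR pattern_name LIKE '%Track Data%') AND sha256 NOT IN (SELECT sha256 FROM pattern_matches WHERE pattern_name LIKE '%AES%' OR pattern_name LIKE '%Encryption%')"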