Compliance Manager Guardian

Purpose & Scope

Apply this skill when modifying core/security/compliance-manager.js.

The Compliance Manager provides:

• PCI-DSS data protection (card data masking, encryption)
• GDPR compliance (pseudonymization, consent management, data minimization)
• PSD2 compliance (Strong Customer Authentication)
• SOX audit trail requirements
• HIPAA health data protection
• Multi-regulation validation framework
• Secure audit logging

Non-Negotiables (Never Do)

Compliance Validators

• Never disable or bypass compliance validators.
• Never weaken validation rules (for example, making required checks optional).
• Never skip validation for "trusted" sources.
• Never add bypass flags or debug modes that skip compliance.

PCI-DSS Rules

• Never log these PCI fields (even in debug mode):
  • cvv, cvv2, cvc, cvc2, cid, cav2
  • pin, pinBlock
  • track1, track2, magneticStripe
• Never weaken card masking:
  • Must show only first 6 and last 4 digits.
  • Middle digits must be masked with *.
• Never reduce encryption below AES-256-GCM.
• Never store CVV/PIN after authorization.

GDPR Rules

• Never process personal data without consent check.
• Never skip pseudonymization for personal identifiers.
• Never retain personal data beyond retention period.
• Never disable data minimization for analytics.

PSD2 Rules

• Never reduce SCA requirements below 2 factors.
• Never bypass SCA for amounts over threshold.
• Never skip transaction monitoring for high-value transactions.
• Never disable cumulative amount tracking.

Audit Logging

• Never skip audit logging for sensitive operations.
• Never delete or modify existing audit entries.
• Never log sensitive data in audit trails (mask first).
• Never disable audit persistence.

Security Rollback

• Never rollback security fixes without security team approval.
• Never lower security levels in production.

Required Patterns (Must Follow)

Card Number Masking

javascript
1// Must mask showing only first 6 and last 4
2maskCardNumber(cardNumber) {
3    const cleaned = cardNumber.replace(/\D/g, '');
4    const first6 = cleaned.substring(0, 6);
5    const last4 = cleaned.substring(cleaned.length - 4);
6    const masked = '*'.repeat(cleaned.length - 10);
7    return `${first6}${masked}${last4}`;
8}
9// Example: 4111111111111111 -> 411111******1111

Data Encryption

javascript
1// Must use AES-256-GCM
2encryptSensitiveData(data) {
3    const algorithm = 'aes-256-gcm';  // Do not change
4    const key = process.env.ENCRYPTION_KEY;
5    if (!key) throw new Error('ENCRYPTION_KEY is required');
6
7    // 12-byte IV is recommended for GCM
8    const iv = crypto.randomBytes(12);
9
10    // Prefer @onasis/security-sdk for key handling if available
11    // If ENCRYPTION_KEY is a passphrase, derive a 32-byte key via scrypt.
12    const keyBuf = (key.length === 64 && /^[0-9a-f]+$/i.test(key))
13        ? Buffer.from(key, 'hex')
14        : crypto.scryptSync(key, 'onasis-gateway', 32);
15
16    const cipher = crypto.createCipheriv('aes-256-gcm', keyBuf, iv);
17    cipher.setAAD(Buffer.from('compliance-encryption'));
18
19    const plaintext = typeof data === 'string' ? data : JSON.stringify(data);
20    const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
21    const authTag = cipher.getAuthTag();
22
23    return {
24        encrypted: ciphertext.toString('base64'),
25        iv: iv.toString('hex'),
26        authTag: authTag.toString('hex'),
27        algorithm
28    };
29}

Strong Customer Authentication

javascript
1// Must require 2+ factors
2validateSCA(data) {
3    const factors = [];
4
5    if (data.password || data.pin) factors.push('knowledge');
6    if (data.deviceId || data.token) factors.push('possession');
7    if (data.biometric || data.fingerprint) factors.push('inherence');
8
9    return factors.length >= 2;  // PSD2 requirement
10}

Defense in Depth

javascript
1// Must apply all applicable protections
2enforceDataHandling(serviceId, data, operation) {
3    let processedData = { ...data };
4
5    if (service?.compliance?.pci) {
6        processedData = this.applyPCIProtections(processedData, operation);
7    }
8    if (service?.compliance?.gdpr) {
9        processedData = this.applyGDPRProtections(processedData, operation);
10    }
11    if (service?.compliance?.psd2) {
12        processedData = this.applyPSD2Protections(processedData, operation);
13    }
14
15    return processedData;
16}

Audit Entry Creation

javascript
1// Must create audit entry for all compliance events
2logAuditEntry(action, details) {
3    const entry = {
4        timestamp: new Date(),
5        action,
6        details,
7        id: crypto.randomUUID()
8    };
9
10    this.auditLog.push(entry);
11    this.emit('audit:logged', entry);
12    this.persistAuditEntry(entry);  // Must persist
13}

Prohibited Fields Registry

Integration Points

Compliance Validation Checklist

Before deploying changes:

• Card data properly masked (first 6, last 4 only).
• CVV/PIN never logged or stored.
• Encryption uses AES-256-GCM.
• SCA requires 2+ factors.
• Audit entries created for all operations.
• GDPR consent check in place.
• Data minimization applied for analytics.
• No PII in metric labels.
• Audit log persisted to secure storage.