Compliance Manager Guardian
Purpose & Scope
Apply this skill when modifying core/security/compliance-manager.js.
The Compliance Manager provides:
- PCI-DSS data protection (card data masking, encryption)
- GDPR compliance (pseudonymization, consent management, data minimization)
- PSD2 compliance (Strong Customer Authentication)
- SOX audit trail requirements
- HIPAA health data protection
- Multi-regulation validation framework
- Secure audit logging
Non-Negotiables (Never Do)
Compliance Validators
- Never disable or bypass compliance validators.
- Never weaken validation rules (for example, making required checks optional).
- Never skip validation for "trusted" sources.
- Never add bypass flags or debug modes that skip compliance.
PCI-DSS Rules
- Never log these PCI fields (even in debug mode):
cvv,cvv2,cvc,cvc2,cid,cav2pin,pinBlocktrack1,track2,magneticStripe
- Never weaken card masking:
- Must show only first 6 and last 4 digits.
- Middle digits must be masked with
*.
- Never reduce encryption below AES-256-GCM.
- Never store CVV/PIN after authorization.
GDPR Rules
- Never process personal data without consent check.
- Never skip pseudonymization for personal identifiers.
- Never retain personal data beyond retention period.
- Never disable data minimization for analytics.
PSD2 Rules
- Never reduce SCA requirements below 2 factors.
- Never bypass SCA for amounts over threshold.
- Never skip transaction monitoring for high-value transactions.
- Never disable cumulative amount tracking.
Audit Logging
- Never skip audit logging for sensitive operations.
- Never delete or modify existing audit entries.
- Never log sensitive data in audit trails (mask first).
- Never disable audit persistence.
Security Rollback
- Never rollback security fixes without security team approval.
- Never lower security levels in production.
Required Patterns (Must Follow)
Card Number Masking
javascript1// Must mask showing only first 6 and last 4 2maskCardNumber(cardNumber) { 3 const cleaned = cardNumber.replace(/\D/g, ''); 4 const first6 = cleaned.substring(0, 6); 5 const last4 = cleaned.substring(cleaned.length - 4); 6 const masked = '*'.repeat(cleaned.length - 10); 7 return `${first6}${masked}${last4}`; 8} 9// Example: 4111111111111111 -> 411111******1111
Data Encryption
javascript1// Must use AES-256-GCM 2encryptSensitiveData(data) { 3 const algorithm = 'aes-256-gcm'; // Do not change 4 const key = process.env.ENCRYPTION_KEY; 5 if (!key) throw new Error('ENCRYPTION_KEY is required'); 6 7 // 12-byte IV is recommended for GCM 8 const iv = crypto.randomBytes(12); 9 10 // Prefer @onasis/security-sdk for key handling if available 11 // If ENCRYPTION_KEY is a passphrase, derive a 32-byte key via scrypt. 12 const keyBuf = (key.length === 64 && /^[0-9a-f]+$/i.test(key)) 13 ? Buffer.from(key, 'hex') 14 : crypto.scryptSync(key, 'onasis-gateway', 32); 15 16 const cipher = crypto.createCipheriv('aes-256-gcm', keyBuf, iv); 17 cipher.setAAD(Buffer.from('compliance-encryption')); 18 19 const plaintext = typeof data === 'string' ? data : JSON.stringify(data); 20 const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]); 21 const authTag = cipher.getAuthTag(); 22 23 return { 24 encrypted: ciphertext.toString('base64'), 25 iv: iv.toString('hex'), 26 authTag: authTag.toString('hex'), 27 algorithm 28 }; 29}
Strong Customer Authentication
javascript1// Must require 2+ factors 2validateSCA(data) { 3 const factors = []; 4 5 if (data.password || data.pin) factors.push('knowledge'); 6 if (data.deviceId || data.token) factors.push('possession'); 7 if (data.biometric || data.fingerprint) factors.push('inherence'); 8 9 return factors.length >= 2; // PSD2 requirement 10}
Defense in Depth
javascript1// Must apply all applicable protections 2enforceDataHandling(serviceId, data, operation) { 3 let processedData = { ...data }; 4 5 if (service?.compliance?.pci) { 6 processedData = this.applyPCIProtections(processedData, operation); 7 } 8 if (service?.compliance?.gdpr) { 9 processedData = this.applyGDPRProtections(processedData, operation); 10 } 11 if (service?.compliance?.psd2) { 12 processedData = this.applyPSD2Protections(processedData, operation); 13 } 14 15 return processedData; 16}
Audit Entry Creation
javascript1// Must create audit entry for all compliance events 2logAuditEntry(action, details) { 3 const entry = { 4 timestamp: new Date(), 5 action, 6 details, 7 id: crypto.randomUUID() 8 }; 9 10 this.auditLog.push(entry); 11 this.emit('audit:logged', entry); 12 this.persistAuditEntry(entry); // Must persist 13}
Prohibited Fields Registry
| Field | Regulation | Storage | Logging | Transmission |
|---|---|---|---|---|
| cvv, cvv2, cvc, cvc2 | PCI-DSS 3.2 | Never | Never | HTTPS only |
| pin, pinBlock | PCI-DSS 3.4 | Never | Never | Encrypted |
| track1, track2 | PCI-DSS 3.2 | Never | Never | Never |
| magneticStripe | PCI-DSS 3.2 | Never | Never | Never |
| Full card number | PCI-DSS 3.4 | Encrypted | Masked | Encrypted |
Integration Points
| Component | Integration Method |
|---|---|
| Base Client | Data passed through enforceDataHandling() |
| Metrics Collector | compliance_violations_total metric |
| API Routes | Middleware for request validation |
| Database | Audit entries persisted to audit.compliance_log |
Compliance Validation Checklist
Before deploying changes:
- Card data properly masked (first 6, last 4 only).
- CVV/PIN never logged or stored.
- Encryption uses AES-256-GCM.
- SCA requires 2+ factors.
- Audit entries created for all operations.
- GDPR consent check in place.
- Data minimization applied for analytics.
- No PII in metric labels.
- Audit log persisted to secure storage.
