payment-pci-security
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChinesePCI Compliance & Secure Proxy
PCI DSS合规与Secure Proxy
When this skill applies
本技能适用场景
Use this skill when:
- Building a payment connector that accepts credit cards, debit cards, or co-branded cards
- The connector needs to process card data or communicate with an acquirer
- Determining whether Secure Proxy is required for the hosting environment
- Auditing a connector for PCI DSS compliance (data storage, logging, transmission)
Do not use this skill for:
- PPP endpoint contracts and response shapes — use
payment-provider-protocol - Idempotency and duplicate prevention — use
payment-idempotency - Async payment flows (Boleto, Pix) and callbacks — use
payment-async-flow
使用本技能的场景:
- 构建支持信用卡、借记卡或联名卡的支付连接器
- 连接器需要处理卡片数据或与收单机构通信
- 判断托管环境是否需要使用Secure Proxy
- 审核连接器的PCI DSS合规性(数据存储、日志记录、传输)
请勿在以下场景使用本技能:
- PPP端点契约和响应格式 — 使用
payment-provider-protocol - 幂等性与重复请求预防 — 使用
payment-idempotency - 异步支付流程(Boleto、Pix)与回调 — 使用
payment-async-flow
Decision rules
决策规则
- If the connector is hosted in a non-PCI environment (including all VTEX IO apps), it MUST use Secure Proxy.
- If the connector has PCI DSS certification (AOC signed by a QSA), it can call the acquirer directly with raw card data.
- Check for in the Create Payment request — if present, Secure Proxy is active and MUST be used.
secureProxyUrl - Card tokens (,
numberToken,holderToken) are only valid when sent through thecscToken— the proxy replaces them with real data before forwarding to the acquirer.secureProxyUrl - Only (first 6 digits),
card.bin, andcard.numberLengthmay be stored. Everything else is forbidden.card.expiration - Card data must never appear in logs, databases, files, caches, error trackers, or APM tools — even in development.
- 如果连接器托管在非PCI环境(包括所有VTEX IO应用),则必须使用Secure Proxy。
- 如果连接器拥有PCI DSS认证(由QSA签署的AOC),则可以直接向收单机构发送原始卡片数据。
- 检查创建支付请求中的— 若存在,则Secure Proxy已激活,必须使用。
secureProxyUrl - 卡片令牌(、
numberToken、holderToken)仅在通过cscToken发送时有效 — 代理会在转发给收单机构前将其替换为真实数据。secureProxyUrl - 仅可存储(前6位)、
card.bin和card.numberLength,其余所有卡片数据均禁止存储。card.expiration - 卡片数据绝不能出现在日志、数据库、文件、缓存、错误追踪工具或APM工具中 — 即使在开发环境也不行。
Hard constraints
硬性约束
Constraint: MUST use secureProxyUrl for non-PCI environments
约束:非PCI环境必须使用secureProxyUrl
If the connector is hosted in a non-PCI environment (including all VTEX IO apps), it MUST use the from the Create Payment request to communicate with the acquirer. It MUST NOT call the acquirer directly with raw card data. If a field is present in the request, Secure Proxy is active and MUST be used.
secureProxyUrlsecureProxyUrlWhy this matters
Non-PCI environments are not authorized to handle raw card data. Calling the acquirer directly bypasses the Gateway's secure data handling, violating PCI DSS. This can result in data breaches, massive fines ($100K+ per month), loss of card processing ability, and legal liability.
Detection
If the connector calls an acquirer endpoint directly (without going through ) when is present in the request, STOP immediately. All acquirer communication must go through the Secure Proxy.
secureProxyUrlsecureProxyUrlCorrect
typescript
async function createPaymentHandler(req: Request, res: Response): Promise<void> {
const { paymentId, secureProxyUrl, card } = req.body;
if (secureProxyUrl) {
// Non-PCI: Route through Secure Proxy
const acquirerResponse = await fetch(secureProxyUrl, {
method: "POST",
headers: {
"Content-Type": "application/json",
"X-PROVIDER-Forward-To": "https://api.acquirer.com/v2/payments",
"X-PROVIDER-Forward-MerchantId": process.env.ACQUIRER_MERCHANT_ID!,
"X-PROVIDER-Forward-MerchantKey": process.env.ACQUIRER_MERCHANT_KEY!,
},
body: JSON.stringify({
orderId: paymentId,
payment: {
cardNumber: card.numberToken, // Token, not real number
holder: card.holderToken, // Token, not real name
securityCode: card.cscToken, // Token, not real CVV
expirationMonth: card.expiration.month,
expirationYear: card.expiration.year,
},
}),
});
const result = await acquirerResponse.json();
// Build and return PPP response...
}
}Wrong
typescript
async function createPaymentHandler(req: Request, res: Response): Promise<void> {
const { paymentId, secureProxyUrl, card } = req.body;
// WRONG: Calling acquirer directly, bypassing Secure Proxy
// This connector is non-PCI but handles card data as if it were PCI-certified
const acquirerResponse = await fetch("https://api.acquirer.com/v2/payments", {
method: "POST",
headers: {
"Content-Type": "application/json",
"MerchantId": process.env.ACQUIRER_MERCHANT_ID!,
},
body: JSON.stringify({
orderId: paymentId,
payment: {
// These are tokens but sent directly to acquirer — acquirer can't read tokens!
// And if raw data were here, this would be a PCI violation
cardNumber: card.numberToken,
holder: card.holderToken,
securityCode: card.cscToken,
},
}),
});
// This request will fail: acquirer receives tokens instead of real card data
// And the Secure Proxy was completely bypassed
}如果连接器托管在非PCI环境(包括所有VTEX IO应用),则必须使用创建支付请求中的与收单机构通信。严禁直接向收单机构发送原始卡片数据。如果请求中存在字段,则表示Secure Proxy已激活,必须使用。
secureProxyUrlsecureProxyUrl重要性
非PCI环境未被授权处理原始卡片数据。直接调用收单机构会绕过网关的安全数据处理机制,违反PCI DSS规范。这可能导致数据泄露、每月高达10万美元的罚款、失去卡片处理能力以及法律责任。
检测方式
如果连接器在请求存在的情况下,直接调用收单机构端点(未通过),请立即停止。所有与收单机构的通信必须通过Secure Proxy进行。
secureProxyUrlsecureProxyUrl正确示例
typescript
async function createPaymentHandler(req: Request, res: Response): Promise<void> {
const { paymentId, secureProxyUrl, card } = req.body;
if (secureProxyUrl) {
// Non-PCI: Route through Secure Proxy
const acquirerResponse = await fetch(secureProxyUrl, {
method: "POST",
headers: {
"Content-Type": "application/json",
"X-PROVIDER-Forward-To": "https://api.acquirer.com/v2/payments",
"X-PROVIDER-Forward-MerchantId": process.env.ACQUIRER_MERCHANT_ID!,
"X-PROVIDER-Forward-MerchantKey": process.env.ACQUIRER_MERCHANT_KEY!,
},
body: JSON.stringify({
orderId: paymentId,
payment: {
cardNumber: card.numberToken, // Token, not real number
holder: card.holderToken, // Token, not real name
securityCode: card.cscToken, // Token, not real CVV
expirationMonth: card.expiration.month,
expirationYear: card.expiration.year,
},
}),
});
const result = await acquirerResponse.json();
// Build and return PPP response...
}
}错误示例
typescript
async function createPaymentHandler(req: Request, res: Response): Promise<void> {
const { paymentId, secureProxyUrl, card } = req.body;
// WRONG: Calling acquirer directly, bypassing Secure Proxy
// This connector is non-PCI but handles card data as if it were PCI-certified
const acquirerResponse = await fetch("https://api.acquirer.com/v2/payments", {
method: "POST",
headers: {
"Content-Type": "application/json",
"MerchantId": process.env.ACQUIRER_MERCHANT_ID!,
},
body: JSON.stringify({
orderId: paymentId,
payment: {
// These are tokens but sent directly to acquirer — acquirer can't read tokens!
// And if raw data were here, this would be a PCI violation
cardNumber: card.numberToken,
holder: card.holderToken,
securityCode: card.cscToken,
},
}),
});
// This request will fail: acquirer receives tokens instead of real card data
// And the Secure Proxy was completely bypassed
}Constraint: MUST NOT store raw card data
约束:严禁存储原始卡片数据
The connector MUST NOT store the full card number (PAN), CVV/CSC, cardholder name, or any card token values in any persistent storage — database, file system, cache, session store, or any other durable medium. Card data must only exist in memory during the request lifecycle.
Why this matters
Storing raw card data violates PCI DSS Requirement 3. A data breach exposes customers to fraud. Consequences include fines of $5,000–$100,000 per month from card networks, mandatory forensic investigation costs ($50K+), loss of ability to process cards, class-action lawsuits, and criminal liability in some jurisdictions.
Detection
If the code writes card number, CVV, cardholder name, or token values to a database, file, cache (Redis, VBase), or any persistent store, STOP immediately. Only (first 6 digits) and may be stored.
card.bincard.numberLengthCorrect
typescript
async function createPaymentHandler(req: Request, res: Response): Promise<void> {
const { paymentId, card, secureProxyUrl } = req.body;
// Only store non-sensitive card metadata
await paymentStore.save(paymentId, {
paymentId,
cardBin: card.bin, // First 6 digits — safe to store
cardNumberLength: card.numberLength, // Length — safe to store
cardExpMonth: card.expiration.month, // Expiration — safe to store
cardExpYear: card.expiration.year,
// DO NOT store: card.numberToken, card.holderToken, card.cscToken
});
// Use card tokens only in-memory for the Secure Proxy call
const acquirerResult = await callAcquirerViaProxy(secureProxyUrl, card);
// Return response — card data is now out of scope
res.status(200).json(buildResponse(paymentId, acquirerResult));
}Wrong
typescript
async function createPaymentHandler(req: Request, res: Response): Promise<void> {
const { paymentId, card } = req.body;
// CRITICAL PCI VIOLATION: Storing full card data in database
await database.query(
`INSERT INTO payments (payment_id, card_number, cvv, holder_name)
VALUES ($1, $2, $3, $4)`,
[paymentId, card.number, card.csc, card.holder]
);
// This single line can result in:
// - $100K/month fines from card networks
// - Mandatory forensic audit ($50K+)
// - Loss of card processing ability
// - Criminal liability
}连接器严禁将完整卡号(PAN)、CVV/CSC、持卡人姓名或任何卡片令牌值存储在任何持久化存储中 — 包括数据库、文件系统、缓存、会话存储或任何其他持久介质。卡片数据只能在请求生命周期内存在于内存中。
重要性
存储原始卡片数据违反PCI DSS第3项要求。数据泄露会使客户面临欺诈风险。后果包括卡组织每月5000至10万美元的罚款、强制 forensic 调查费用(5万美元以上)、失去卡片处理能力、集体诉讼,以及在某些司法管辖区的刑事责任。
检测方式
如果代码将卡号、CVV、持卡人姓名或令牌值写入数据库、文件、缓存(Redis、VBase)或任何持久化存储,请立即停止。仅可存储(前6位)和。
card.bincard.numberLength正确示例
typescript
async function createPaymentHandler(req: Request, res: Response): Promise<void> {
const { paymentId, card, secureProxyUrl } = req.body;
// Only store non-sensitive card metadata
await paymentStore.save(paymentId, {
paymentId,
cardBin: card.bin, // First 6 digits — safe to store
cardNumberLength: card.numberLength, // Length — safe to store
cardExpMonth: card.expiration.month, // Expiration — safe to store
cardExpYear: card.expiration.year,
// DO NOT store: card.numberToken, card.holderToken, card.cscToken
});
// Use card tokens only in-memory for the Secure Proxy call
const acquirerResult = await callAcquirerViaProxy(secureProxyUrl, card);
// Return response — card data is now out of scope
res.status(200).json(buildResponse(paymentId, acquirerResult));
}错误示例
typescript
async function createPaymentHandler(req: Request, res: Response): Promise<void> {
const { paymentId, card } = req.body;
// CRITICAL PCI VIOLATION: Storing full card data in database
await database.query(
`INSERT INTO payments (payment_id, card_number, cvv, holder_name)
VALUES ($1, $2, $3, $4)`,
[paymentId, card.number, card.csc, card.holder]
);
// This single line can result in:
// - $100K/month fines from card networks
// - Mandatory forensic audit ($50K+)
// - Loss of card processing ability
// - Criminal liability
}Constraint: MUST NOT log sensitive card data
约束:严禁记录敏感卡片数据
The connector MUST NOT log card numbers, CVV/CSC values, cardholder names, or token values to any logging system — console, file, monitoring service, error tracker, or APM tool. Even in debug mode. Even in development.
Why this matters
Logs are typically stored in plaintext, retained for extended periods, and accessible to many team members. Card data in logs is a PCI DSS violation and a data breach. Log aggregation services (Datadog, Splunk, CloudWatch) may store data across multiple regions, amplifying the breach scope.
Detection
If the code contains , , , , or any logging call that includes , , , , , , or the full request body without redaction, STOP immediately. Redact or omit all sensitive fields before logging.
console.logconsole.errorlogger.infologger.debugcard.numbercard.csccard.holdercard.numberTokencard.holderTokencard.cscTokenCorrect
typescript
async function createPaymentHandler(req: Request, res: Response): Promise<void> {
const { paymentId, card, paymentMethod, value } = req.body;
// Safe logging — only non-sensitive fields
console.log("Processing payment", {
paymentId,
paymentMethod,
value,
cardBin: card?.bin, // First 6 digits only — safe
cardNumberLength: card?.numberLength, // Safe
});
// NEVER log the full request body for payment requests
// It contains card tokens or raw card data
}
function redactSensitiveFields(body: Record<string, unknown>): Record<string, unknown> {
const redacted = { ...body };
if (redacted.card && typeof redacted.card === "object") {
const card = redacted.card as Record<string, unknown>;
redacted.card = {
bin: card.bin,
numberLength: card.numberLength,
expiration: card.expiration,
// All other fields redacted
};
}
return redacted;
}Wrong
typescript
async function createPaymentHandler(req: Request, res: Response): Promise<void> {
// CRITICAL PCI VIOLATION: Logging the entire request body
// This includes card number, CVV, holder name, and/or token values
console.log("Payment request received:", JSON.stringify(req.body));
// ALSO WRONG: Logging specific card fields
console.log("Card number:", req.body.card.number);
console.log("CVV:", req.body.card.csc);
console.log("Card holder:", req.body.card.holder);
// ALSO WRONG: Logging tokens (they reference real card data)
console.log("Card token:", req.body.card.numberToken);
}连接器严禁将卡号、CVV/CSC值、持卡人姓名或令牌值记录到任何日志系统中 — 包括控制台、文件、监控服务、错误追踪工具或APM工具。即使在调试模式或开发环境也不行。
重要性
日志通常以明文存储,保留时间较长,且可供多名团队成员访问。日志中的卡片数据违反PCI DSS规范,属于数据泄露。日志聚合服务(Datadog、Splunk、CloudWatch)可能在多个区域存储数据,扩大泄露范围。
检测方式
如果代码包含、、、或任何记录、、、、、的日志调用,或未经过脱敏就记录完整请求体,请立即停止。在记录前必须脱敏或省略所有敏感字段。
console.logconsole.errorlogger.infologger.debugcard.numbercard.csccard.holdercard.numberTokencard.holderTokencard.cscToken正确示例
typescript
async function createPaymentHandler(req: Request, res: Response): Promise<void> {
const { paymentId, card, paymentMethod, value } = req.body;
// Safe logging — only non-sensitive fields
console.log("Processing payment", {
paymentId,
paymentMethod,
value,
cardBin: card?.bin, // First 6 digits only — safe
cardNumberLength: card?.numberLength, // Safe
});
// NEVER log the full request body for payment requests
// It contains card tokens or raw card data
}
function redactSensitiveFields(body: Record<string, unknown>): Record<string, unknown> {
const redacted = { ...body };
if (redacted.card && typeof redacted.card === "object") {
const card = redacted.card as Record<string, unknown>;
redacted.card = {
bin: card.bin,
numberLength: card.numberLength,
expiration: card.expiration,
// All other fields redacted
};
}
return redacted;
}错误示例
typescript
async function createPaymentHandler(req: Request, res: Response): Promise<void> {
// CRITICAL PCI VIOLATION: Logging the entire request body
// This includes card number, CVV, holder name, and/or token values
console.log("Payment request received:", JSON.stringify(req.body));
// ALSO WRONG: Logging specific card fields
console.log("Card number:", req.body.card.number);
console.log("CVV:", req.body.card.csc);
console.log("Card holder:", req.body.card.holder);
// ALSO WRONG: Logging tokens (they reference real card data)
console.log("Card token:", req.body.card.numberToken);
}Preferred pattern
推荐模式
Secure Proxy data flow:
text
1. Gateway → POST /payments (with secureProxyUrl + tokenized card data) → Connector
2. Connector → POST secureProxyUrl (tokens in body, X-PROVIDER-Forward-To: acquirer URL) → Gateway
3. Gateway replaces tokens with real card data → POST acquirer URL → Acquirer
4. Acquirer → response → Gateway → Connector
5. Connector → Create Payment response → GatewayDetect Secure Proxy mode:
typescript
interface CreatePaymentRequest {
paymentId: string;
value: number;
currency: string;
paymentMethod: string;
card?: {
holder?: string; // Raw (PCI) or absent (Secure Proxy)
holderToken?: string; // Token (Secure Proxy only)
number?: string; // Raw (PCI) or absent (Secure Proxy)
numberToken?: string; // Token (Secure Proxy only)
bin: string; // Always present — first 6 digits
numberLength: number; // Always present
csc?: string; // Raw (PCI) or absent (Secure Proxy)
cscToken?: string; // Token (Secure Proxy only)
expiration: { month: string; year: string };
};
secureProxyUrl?: string; // Present when Secure Proxy is active
secureProxyTokensURL?: string; // For custom token operations
callbackUrl: string;
miniCart: Record<string, unknown>;
}
function isSecureProxyActive(req: CreatePaymentRequest): boolean {
return !!req.secureProxyUrl;
}Build acquirer request using tokens or raw values:
typescript
function buildAcquirerRequest(paymentReq: CreatePaymentRequest) {
const card = paymentReq.card!;
return {
merchantOrderId: paymentReq.paymentId,
payment: {
// Use tokens if Secure Proxy, raw values if PCI-certified
cardNumber: card.numberToken ?? card.number!,
holder: card.holderToken ?? card.holder!,
securityCode: card.cscToken ?? card.csc!,
expirationDate: `${card.expiration.month}/${card.expiration.year}`,
amount: paymentReq.value,
},
};
}Call acquirer through Secure Proxy with proper headers:
typescript
async function callAcquirerViaProxy(
secureProxyUrl: string,
acquirerRequest: object
): Promise<AcquirerResponse> {
const response = await fetch(secureProxyUrl, {
method: "POST",
headers: {
"Accept": "application/json",
"Content-Type": "application/json",
// X-PROVIDER-Forward-To tells the proxy where to send the request
"X-PROVIDER-Forward-To": process.env.ACQUIRER_API_URL!,
// Custom headers for the acquirer — prefix is stripped by the proxy
"X-PROVIDER-Forward-MerchantId": process.env.ACQUIRER_MERCHANT_ID!,
"X-PROVIDER-Forward-MerchantKey": process.env.ACQUIRER_MERCHANT_KEY!,
},
body: JSON.stringify(acquirerRequest),
});
if (!response.ok) {
const errorText = await response.text();
throw new Error(`Secure Proxy call failed: ${response.status} ${errorText}`);
}
return response.json() as Promise<AcquirerResponse>;
}
// For PCI-certified environments, call acquirer directly
async function callAcquirerDirect(acquirerRequest: object): Promise<AcquirerResponse> {
const response = await fetch(process.env.ACQUIRER_API_URL!, {
method: "POST",
headers: {
"Accept": "application/json",
"Content-Type": "application/json",
"MerchantId": process.env.ACQUIRER_MERCHANT_ID!,
"MerchantKey": process.env.ACQUIRER_MERCHANT_KEY!,
},
body: JSON.stringify(acquirerRequest),
});
return response.json() as Promise<AcquirerResponse>;
}Safe logging utility:
typescript
function safePaymentLog(label: string, body: Record<string, unknown>): void {
const safe = {
paymentId: body.paymentId,
paymentMethod: body.paymentMethod,
value: body.value,
currency: body.currency,
orderId: body.orderId,
hasCard: !!body.card,
hasSecureProxy: !!body.secureProxyUrl,
cardBin: (body.card as Record<string, unknown>)?.bin,
// Everything else is intentionally omitted
};
console.log(label, JSON.stringify(safe));
}Secure Proxy数据流:
text
1. Gateway → POST /payments (with secureProxyUrl + tokenized card data) → Connector
2. Connector → POST secureProxyUrl (tokens in body, X-PROVIDER-Forward-To: acquirer URL) → Gateway
3. Gateway replaces tokens with real card data → POST acquirer URL → Acquirer
4. Acquirer → response → Gateway → Connector
5. Connector → Create Payment response → Gateway检测Secure Proxy模式:
typescript
interface CreatePaymentRequest {
paymentId: string;
value: number;
currency: string;
paymentMethod: string;
card?: {
holder?: string; // Raw (PCI) or absent (Secure Proxy)
holderToken?: string; // Token (Secure Proxy only)
number?: string; // Raw (PCI) or absent (Secure Proxy)
numberToken?: string; // Token (Secure Proxy only)
bin: string; // Always present — first 6 digits
numberLength: number; // Always present
csc?: string; // Raw (PCI) or absent (Secure Proxy)
cscToken?: string; // Token (Secure Proxy only)
expiration: { month: string; year: string };
};
secureProxyUrl?: string; // Present when Secure Proxy is active
secureProxyTokensURL?: string; // For custom token operations
callbackUrl: string;
miniCart: Record<string, unknown>;
}
function isSecureProxyActive(req: CreatePaymentRequest): boolean {
return !!req.secureProxyUrl;
}使用令牌或原始值构建收单机构请求:
typescript
function buildAcquirerRequest(paymentReq: CreatePaymentRequest) {
const card = paymentReq.card!;
return {
merchantOrderId: paymentReq.paymentId,
payment: {
// Use tokens if Secure Proxy, raw values if PCI-certified
cardNumber: card.numberToken ?? card.number!,
holder: card.holderToken ?? card.holder!,
securityCode: card.cscToken ?? card.csc!,
expirationDate: `${card.expiration.month}/${card.expiration.year}`,
amount: paymentReq.value,
},
};
}通过Secure Proxy调用收单机构并携带正确请求头:
typescript
async function callAcquirerViaProxy(
secureProxyUrl: string,
acquirerRequest: object
): Promise<AcquirerResponse> {
const response = await fetch(secureProxyUrl, {
method: "POST",
headers: {
"Accept": "application/json",
"Content-Type": "application/json",
// X-PROVIDER-Forward-To tells the proxy where to send the request
"X-PROVIDER-Forward-To": process.env.ACQUIRER_API_URL!,
// Custom headers for the acquirer — prefix is stripped by the proxy
"X-PROVIDER-Forward-MerchantId": process.env.ACQUIRER_MERCHANT_ID!,
"X-PROVIDER-Forward-MerchantKey": process.env.ACQUIRER_MERCHANT_KEY!,
},
body: JSON.stringify(acquirerRequest),
});
if (!response.ok) {
const errorText = await response.text();
throw new Error(`Secure Proxy call failed: ${response.status} ${errorText}`);
}
return response.json() as Promise<AcquirerResponse>;
}
// For PCI-certified environments, call acquirer directly
async function callAcquirerDirect(acquirerRequest: object): Promise<AcquirerResponse> {
const response = await fetch(process.env.ACQUIRER_API_URL!, {
method: "POST",
headers: {
"Accept": "application/json",
"Content-Type": "application/json",
"MerchantId": process.env.ACQUIRER_MERCHANT_ID!,
"MerchantKey": process.env.ACQUIRER_MERCHANT_KEY!,
},
body: JSON.stringify(acquirerRequest),
});
return response.json() as Promise<AcquirerResponse>;
}安全日志工具:
typescript
function safePaymentLog(label: string, body: Record<string, unknown>): void {
const safe = {
paymentId: body.paymentId,
paymentMethod: body.paymentMethod,
value: body.value,
currency: body.currency,
orderId: body.orderId,
hasCard: !!body.card,
hasSecureProxy: !!body.secureProxyUrl,
cardBin: (body.card as Record<string, unknown>)?.bin,
// Everything else is intentionally omitted
};
console.log(label, JSON.stringify(safe));
}Common failure modes
常见失败模式
- Direct card handling in non-PCI environment — Calling the acquirer API directly without using the Secure Proxy. The acquirer receives tokens (e.g., ) instead of real card numbers and rejects the transaction. Even if raw data were available, transmitting it from a non-PCI environment is a PCI DSS violation.
#vtex#token#d799bae#number# - Storing full card numbers (PANs) — Persisting the full card number in a database for "reference" or "reconciliation". A single breach of this data can result in $100K/month fines, mandatory forensic audits, and permanent loss of card processing ability.
- Logging card details for debugging — Adding or
console.log(req.body)to troubleshoot payment issues and forgetting to remove it. Card data ends up in log files, monitoring dashboards, and log aggregation services. This is a PCI violation even in development.console.log(card) - Stripping X-PROVIDER-Forward headers — Sending requests to the Secure Proxy without the header. The proxy does not know where to forward the request and returns an error.
X-PROVIDER-Forward-To - Storing token values — Writing ,
card.numberToken, orcard.holderTokento a database or cache, treating them as "safe" because they are tokens. Tokens reference real card data and must not be persisted.card.cscToken
- 非PCI环境直接处理卡片数据 — 未使用Secure Proxy直接调用收单机构API。收单机构收到的是令牌(例如)而非真实卡号,会拒绝交易。即使有原始数据,从非PCI环境传输也违反PCI DSS规范。
#vtex#token#d799bae#number# - 存储完整卡号(PAN) — 为了"参考"或"对账"将完整卡号持久化到数据库。此类数据的单次泄露可能导致每月10万美元的罚款、强制 forensic 审计,以及永久失去卡片处理能力。
- 为调试记录卡片细节 — 添加或
console.log(req.body)排查支付问题后忘记删除。卡片数据会进入日志文件、监控仪表板和日志聚合服务。即使在开发环境,这也是PCI违规。console.log(card) - 移除X-PROVIDER-Forward请求头 — 向Secure Proxy发送请求时未携带请求头。代理不知道要将请求转发到哪里,会返回错误。
X-PROVIDER-Forward-To - 存储令牌值 — 将、
card.numberToken或card.holderToken写入数据库或缓存,认为它们是"安全的"令牌。但令牌关联真实卡片数据,严禁持久化。card.cscToken
Review checklist
审核清单
- Does the connector use when it is present in the request?
secureProxyUrl - Is set to the acquirer's API URL in Secure Proxy calls?
X-PROVIDER-Forward-To - Are custom acquirer headers prefixed with when going through the proxy?
X-PROVIDER-Forward- - Is only ,
card.bin, andcard.numberLengthstored in the database?card.expiration - Are card numbers, CVV, holder names, and token values excluded from all log statements?
- Is there a redaction utility for safely logging payment request data?
- Does the connector support both Secure Proxy (non-PCI) and direct (PCI-certified) modes?
- Are error responses logged without including the acquirer request body (which contains tokens)?
- 连接器在请求存在时是否使用了该地址?
secureProxyUrl - 通过Secure Proxy调用时,是否将设置为收单机构的API地址?
X-PROVIDER-Forward-To - 通过代理发送自定义收单机构请求头时,是否添加了前缀?
X-PROVIDER-Forward- - 数据库中是否仅存储了、
card.bin和card.numberLength?card.expiration - 所有日志语句中是否排除了卡号、CVV、持卡人姓名和令牌值?
- 是否有用于安全记录支付请求数据的脱敏工具?
- 连接器是否同时支持Secure Proxy(非PCI)和直接调用(PCI认证)两种模式?
- 错误响应日志中是否未包含收单机构请求体(其中包含令牌)?
Related skills
相关技能
- — Endpoint contracts and response shapes
payment-provider-protocol - —
payment-idempotency/paymentIdidempotency and state machinerequestId - — Async payment methods, callbacks, and the 7-day retry window
payment-async-flow
- — 端点契约和响应格式
payment-provider-protocol - —
payment-idempotency/paymentId幂等性和状态机requestId - — 异步支付方式、回调和7天重试窗口
payment-async-flow
Reference
参考资料
- Secure Proxy — Complete Secure Proxy documentation including flow diagrams, request/response examples, custom tokens, and supported JsonLogic operators
- PCI DSS Compliance — PCI certification requirements, AOC submission process, and when Secure Proxy is mandatory
- Implementing a Payment Provider — Endpoint implementation guide including Create Payment request body with secureProxyUrl and tokenized card fields
- Payment Provider Protocol (Help Center) — Protocol overview including PCI prerequisites and Secure Proxy requirements
- Payment Provider Framework — VTEX IO framework for payment connectors (Secure Proxy mandatory for all IO apps)
- PCI Security Standards Council — Official PCI DSS requirements and compliance documentation
- Secure Proxy — 完整的Secure Proxy文档,包含流程图、请求/响应示例、自定义令牌及支持的JsonLogic运算符
- PCI DSS Compliance — PCI认证要求、AOC提交流程及Secure Proxy的强制使用场景
- Implementing a Payment Provider — 支付连接器端点实现指南,包含带有secureProxyUrl和令牌化卡片字段的创建支付请求体
- Payment Provider Protocol (Help Center) — 协议概述,包含PCI前提条件和Secure Proxy要求
- Payment Provider Framework — VTEX IO支付连接器框架(所有IO应用必须使用Secure Proxy)
- PCI Security Standards Council — 官方PCI DSS要求和合规文档