Deep PCI DSS v4.0 audit — maps code to all 12 requirements for cardholder data protection, encryption, access control, and network security.
Paste your code below and results will stream in real time. Each finding includes severity ratings, line references, and fix suggestions. You can export the report as Markdown or JSON.
Your code is analyzed and discarded — it is not stored on our servers.
Workspace Prep Prompt
Paste this into your preferred code assistant (Claude, Cursor, etc.). It will structure your code into the ideal format for this audit — then paste the result here.
I'm preparing for a **PCI DSS v4.0** code-level assessment. Please help me collect the relevant files.

## PCI DSS context (fill in)

- SAQ type: [e.g. SAQ A, SAQ A-EP, SAQ D, full ROC]
- Payment integration: [e.g. Stripe Elements, Braintree Drop-in, direct card handling, tokenization]
- Cardholder data stored: [e.g. "none — fully tokenized", "PAN stored encrypted", "card-on-file for subscriptions"]
- Current PCI status: [e.g. "first assessment", "annual recertification", "post-breach remediation"]
- Known concerns: [e.g. "not sure if we store SAD", "key rotation not automated", "test card numbers in logs"]

## Files to gather

### 1. Payment processing code

- Checkout / payment form components
- Server-side payment API routes (charge, refund, subscription)
- Payment SDK integration (Stripe, Braintree, Adyen)
- Tokenization logic and webhook handlers

### 2. Cardholder data handling

- Any code that touches PAN, CVV, expiry, or cardholder name
- Card-on-file / saved payment method logic
- Data masking or truncation functions
- Database schema for payment-related tables

### 3. Encryption, key management, access control, logging

- Encryption at rest and in transit (TLS config, column-level encryption)
- Key generation, storage, rotation scripts and KMS/HSM integration
- RBAC for payment admin functions and MFA setup
- Audit logging for payment operations (what is logged vs redacted)

Keep total under 30,000 characters.
Audit history is stored in your browser's localStorage as unencrypted text. Do not submit proprietary credentials or sensitive data.
Security
Identifies vulnerabilities, attack surfaces, and insecure patterns — the issues that cause breaches.
SQL Auditor
Finds injection risks, N+1 queries (database calls that multiply with data size), missing indexes, and transaction issues.
Privacy / GDPR
Checks code and data flows for PII exposure, consent gaps, and GDPR/CCPA compliance.
Dependency Security
Scans for CVEs, outdated packages, license risks, and supply-chain vulnerabilities.
Auth & Session Review
Deep-dives on authentication flows, JWT (login token) and session handling, OAuth, and credential security.