07.07. Payment Compliance Requirements
1. Zero-Card-Data Policy
The CPT application and all its components (API, WUI, Redis, GCS) must never touch or store raw cardholder data (CHD).
1.1 Specification: Stripe Integration
- Mandatory Flow: Must use Stripe Checkout (hosted by Stripe).
- Prohibited Flow: Stripe Elements or direct API calls with card data.
- Verification: If STRIPE_SECRET_KEY is used, ensure it is only used for create_checkout_session and verify_payment.
1.2 Specification: PayPal Integration
- Mandatory Flow: Standard Redirect/Popup flow.
- Prohibited Flow: Direct server-side handling of card data.
2. PII Protection in Payment State
Any PII (customer email, name) stored during the payment flow must be protected.
2.1 Specification: Encryption at Rest
- Requirement: Use the same TOKEN_ENCRYPTION_KEY used for Tesla tokens to encrypt customer_email if it is stored in the OrderSession JSON in Redis.
- Implementation: The PaymentService should call the encryption service before saving to Redis.
3. Auditing & Reconciliation
Maintain a log of all payment events for audit purposes.
3.1 Specification: Log Integrity
- Log Level: Log all payment lifecycle events at the INFO level.
- Events:
  - payment.intent_created (session_id, plan, amount)
  - payment.verify_success (payment_id, provider_transaction_id)
  - payment.verify_failed (payment_id, error_code)
- Constraint: NEVER log raw card numbers, CVVs, or full PII in these logs.
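The following is an added example, not code from the CPT project, covering both 2.1 (encrypting customer_email before the OrderSession JSON reaches Redis) and 3.1 (INFO audit events restricted to the listed fields). It assumes the existing encryption service is injected as a pair of encrypt/decrypt callables, and it adds a Luhn-based guard, which goes beyond the page, so that a value resembling a card number is dropped from a log record even when passed under an allowed field name.

```python
import json
import logging
import re
from typing import Any, Callable, Dict, Mapping

log = logging.getLogger("payment")
# Allow-listed fields per audit event, taken from the event list in section 3.1.
EVENT_FIELDS: Dict[str, set] = {
    "payment.intent_created": {"session_id", "plan", "amount"},
    "payment.verify_success": {"payment_id", "provider_transaction_id"},
    "payment.verify_failed": {"payment_id", "error_code"},
}
_DIGIT_RUN = re.compile(r"\d{13,19}")  # PAN lengths

def _luhn_ok(digits: str) -> bool:
    """Luhn checksum: a 13-19 digit run that passes is treated as a possible PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def looks_like_pan(value: Any) -> bool:
    return any(_luhn_ok(m) for m in _DIGIT_RUN.findall(str(value)))

def audit_event(event: str, **fields: Any) -> Dict[str, Any]:
    """Emit the INFO record for one lifecycle event, keeping only allow-listed fields."""
    allowed = EVENT_FIELDS[event]  # an unknown event name is a bug, so fail loudly
    record: Dict[str, Any] = {"event": event}
    for key, value in fields.items():
        # Anything outside the schema, or any value passing a Luhn check, is dropped,
        # so a PAN cannot reach the log even if a caller passes one by mistake.
        if key in allowed and not looks_like_pan(value):
            record[key] = value
    log.info("%s", json.dumps(record, sort_keys=True))
    return record

def serialize_order_session(session: Mapping[str, Any], encrypt: Callable[[str], str]) -> str:
    """JSON for Redis, with customer_email replaced by the encryption service's output."""
    data = dict(session)
    if "customer_email" in data:
        data["customer_email"] = encrypt(data["customer_email"])
        data["customer_email_encrypted"] = True  # marks the field for decryption on read
    return json.dumps(data, sort_keys=True)

def deserialize_order_session(raw: str, decrypt: Callable[[str], str]) -> Dict[str, Any]:
    data = json.loads(raw)
    if data.pop("customer_email_encrypted", False):
        data["customer_email"] = decrypt(data["customer_email"])
    return data
```

The encrypt/decrypt callables are expected to wrap the same service and TOKEN_ENCRYPTION_KEY already used for Tesla tokens; the plaintext email then only ever exists in process memory, never in Redis or in a log line.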
4. Compliance Reporting (SAQ-A)
Maintain documents required for PCI SAQ-A.
4.1 Specification: Annual Review
- Action: Perform an annual review of the architecture to confirm that redirect flows are still the only method used.
- Documentation: Keep a record of the Stripe and PayPal account configuration showing that redirect flows are enabled.