
PCI-DSS compliance profile

Salesforce orgs that store, process or transmit payment-card data fall under PCI-DSS scope. The standard separates the data into two groups. Cardholder data (the Primary Account Number (PAN), the cardholder name and the expiry date) may be stored, but only under specific protections: the PAN rendered unreadable at rest, masked wherever it is displayed, and never written to logs. Sensitive authentication data (the card-verification value, variously CVV / CVC / CV2 / CID, and the magnetic-stripe tracks) must not be stored at all once the transaction has been authorised, encrypted or not.

vulkro-sf antipatterns --compliance=pci broadens the PII detection set used by:

Field classes added

| Pattern | Why it's PCI-relevant |
|---|---|
| CardNumber__c / PAN__c / CCNumber__c / CreditCardNumber__c / CCN__c | Primary Account Number. Storing the full PAN puts the object in PCI scope and requires it to be rendered unreadable at rest (Requirement 3.4 in v3.2.1, Requirement 3.5 in v4.0). |
| CVV__c / CVC__c / CV2__c / CID__c / CardSecurityCode__c | Card-verification value. Sensitive authentication data: PCI-DSS forbids storing it after authorisation, even encrypted (Requirement 3.2 in v3.2.1, Requirement 3.3 in v4.0). |
| CardExpiry__c / CardExpiration__c / ExpirationDate__c | Expiration date. Not sensitive on its own, but stored next to a PAN it is cardholder data and the record is in scope. |
| CardholderName__c / CardHolder__c | Cardholder name. Combined with the PAN it is full cardholder data. |
| Track1__c / Track2__c / MagStripe__c | Magnetic-stripe data. Sensitive authentication data; the same prohibition on storage after authorisation as the CVV. |
| RoutingNumber__c / ABA__c / IBAN__c / BankAccount__c / AchAccount__c / SwiftCode__c | Banking identifiers that move money. Outside PCI-DSS scope but commonly co-located with card fields, so they are flagged for the same review. |
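The field classes above are a pattern set over Salesforce custom-field API names. The two checks a PCI reviewer wants alongside the name match are whether a flagged PAN field is actually encrypted, and whether expiry and name fields sit on the same object as a PAN (on their own they are not cardholder data). The block below is an added example in Python, not vulkro-sf's own detector: it parses CustomField metadata in the standard .field-meta.xml shape (the encryptionScheme element that Shield Platform Encryption sets, the EncryptedText type of classic encryption) and classifies fields using the names from the table. Exact, case-insensitive name matching and the severity labels are this example's assumptions, and the sample org is constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"  # Salesforce Metadata API namespace

# Field classes from the table on this page. Matching on the exact API name,
# case-insensitively, is an assumption of this example, not documented tool behaviour.
PCI_CLASSES = {
    "pan": ("CardNumber__c", "PAN__c", "CCNumber__c", "CreditCardNumber__c", "CCN__c"),
    "cvv": ("CVV__c", "CVC__c", "CV2__c", "CID__c", "CardSecurityCode__c"),
    "expiry": ("CardExpiry__c", "CardExpiration__c", "ExpirationDate__c"),
    "name": ("CardholderName__c", "CardHolder__c"),
    "track": ("Track1__c", "Track2__c", "MagStripe__c"),
    "bank": ("RoutingNumber__c", "ABA__c", "IBAN__c", "BankAccount__c",
             "AchAccount__c", "SwiftCode__c"),
}
CLASS_OF = {n.lower(): cls for cls, names in PCI_CLASSES.items() for n in names}


def parse_field(xml_text):
    """Return (api_name, encrypted) from one CustomField .field-meta.xml document.
    Classic encryption appears as type EncryptedText; Shield Platform Encryption
    as an encryptionScheme other than None."""
    root = ET.fromstring(xml_text)
    name = root.findtext(NS + "fullName")
    ftype = root.findtext(NS + "type")
    scheme = root.findtext(NS + "encryptionScheme") or "None"
    return name, (ftype == "EncryptedText" or scheme != "None")


def scan(objects):
    """objects: {object_api_name: [field xml, ...]}.
    Returns {(object, field): (severity, reason)} for every field in a PCI class."""
    findings = {}
    for obj, xmls in objects.items():
        fields = [parse_field(x) for x in xmls]
        classes = {name: CLASS_OF.get(name.lower()) for name, _ in fields}
        has_pan = "pan" in classes.values()
        for name, encrypted in fields:
            cls = classes[name]
            if cls in ("cvv", "track"):
                # Sensitive authentication data: forbidden after authorisation even if encrypted.
                findings[(obj, name)] = ("violation", "SAD stored (v3.2.1 Req 3.2 / v4.0 Req 3.3)")
            elif cls == "pan":
                if encrypted:
                    findings[(obj, name)] = ("in-scope", "PAN stored encrypted; object is in PCI scope")
                else:
                    findings[(obj, name)] = ("violation", "PAN stored in clear (v3.2.1 Req 3.4 / v4.0 Req 3.5)")
            elif cls in ("expiry", "name") and has_pan:
                # Only cardholder data when it sits next to a PAN on the same object.
                findings[(obj, name)] = ("in-scope", "cardholder data co-located with PAN")
            elif cls == "bank":
                findings[(obj, name)] = ("info", "banking identifier; outside PCI-DSS but co-located")
    return findings


def field_xml(name, ftype="Text", scheme=None):
    """Build a minimal CustomField document (constructed sample input)."""
    enc = f"<encryptionScheme>{scheme}</encryptionScheme>" if scheme else ""
    return (f'<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">'
            f"<fullName>{name}</fullName><label>{name}</label>"
            f"<type>{ftype}</type>{enc}</CustomField>")


# Constructed sample org: a payments object plus two objects that share field names with it.
SAMPLE_ORG = {
    "Payment__c": [
        field_xml("CardNumber__c", scheme="ProbabilisticEncryption"),
        field_xml("CVV__c"),
        field_xml("CardExpiry__c"),
        field_xml("Amount__c", ftype="Number"),
    ],
    "Vendor__c": [field_xml("IBAN__c"), field_xml("Name__c")],
    "Contract__c": [field_xml("ExpirationDate__c", ftype="Date")],  # no PAN nearby: not flagged
}


def scan_sample():
    return scan(SAMPLE_ORG)


if __name__ == "__main__":
    for (obj, field), (sev, why) in sorted(scan_sample().items()):
        print(f"{sev:9} {obj}.{field}: {why}")
```

Running it lists the CVV__c field as a violation regardless of encryption, the Shield-encrypted CardNumber__c as in scope rather than a violation, CardExpiry__c as in scope only because it shares Payment__c with a PAN, and leaves Contract__c.ExpirationDate__c alone. Treat the Shield check as a starting point: an encryptionScheme element only proves the field is encrypted at rest, not that it is masked on display or kept out of debug logs, which the same requirement also demands.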

Stack with HIPAA

The two profiles compose:

vulkro-sf antipatterns . --compliance=hipaa,pci

This is the right shape for a healthcare-payments service (a clinic that bills cards has both PHI and cardholder data on the same records).

Where to go next

  • HIPAA profile - the sibling profile for protected health information.
  • GDPR right-to-erasure - AP-049 catches PII writes that have no paired delete path, which a PCI Requirement 3 review will also flag.
  • Compliance overview - how the profiles compose with the rest of the readiness report.
  • SOC 2 map - per-detector mapping to the SOC 2 Trust Services Criteria.