Add PCI TPSP AOC service coverage gates #1720

Open

DENGXUELIN wants to merge 1 commit into UnitOneAI:main from DENGXUELIN:improve/pci-tpsp-aoc-service-coverage-1607

Conversation

@DENGXUELIN

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: pci-dss-review
Skill path: skills/compliance/pci-dss-review/

What Was Wrong

The PCI DSS review skill did not force reviewers to prove that a third-party service provider AOC actually covers the exact consumed payment service before reducing merchant scope. That can miss cases where a provider AOC is current but excludes hosted fields, payment-page scripts, token vaults, webhook handling, or the specific PCI DSS requirements the merchant still owns.

What This PR Fixes

This PR adds TPSP responsibility and AOC service-coverage gates that require:

  • exact consumed-service matching before scope reduction
  • requirement-level responsibility mapping for Req 6.4.3, 11.6.1, 12.8.5, 12.9.1, and 12.9.2
  • provider-side change drift checks for scripts, hosted fields, gateway APIs, token vaults, webhooks, contacts, and AOC scope changes
  • SAQ eligibility rationale tied to PAN/SAD data-flow evidence
  • explicit output fields for TPSP/AOC findings

Evidence

Before (skill misses this / false positive on this):

A merchant can cite a current payment provider AOC and assume payment-page scope reduction without proving that the consumed hosted fields, payment scripts, token vault, and webhook services are included in that AOC.

After (now correctly handled):

The skill now requires service-level AOC coverage, payment data-flow proof, requirement-level responsibility mapping, provider change-drift evidence, and SAQ eligibility support before scope reduction is accepted.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing tests still pass

Added:

  • skills/compliance/pci-dss-review/tests/vulnerable/tpsp-aoc-service-mismatch.md
  • skills/compliance/pci-dss-review/tests/benign/outsourced-hosted-page-current-aoc.md

Validation performed locally:

  • git merge-tree --write-tree origin/main HEAD
  • git diff --check origin/main...HEAD
  • Markdown fence-balance check for changed files
  • ASCII check for added lines

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: PayPal; details can be provided privately after maintainer acceptance.

Closes #1607
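A defender-side sketch of the service-coverage, responsibility-mapping and data-flow gates described in this PR, written as an added example rather than the skill's own code. The dataclass fields, the sample provider name "ExamplePay", the constructed service names, and the rule that any of merchant/provider/shared counts as a valid assignment are assumptions for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProviderAOC:
    provider: str
    current: bool                  # AOC is within its validity period
    covered_services: frozenset    # services the AOC explicitly lists as assessed
    responsibility: dict           # requirement -> "merchant" | "provider" | "shared"


@dataclass(frozen=True)
class MerchantPaymentFlow:
    consumed_services: frozenset   # services the merchant actually uses from the provider
    pan_on_merchant_systems: bool  # data-flow evidence: PAN/SAD seen on merchant-controlled systems


# Requirements the gate expects an explicit responsibility assignment for (from the PR text).
REQUIRED_MAPPING = ("6.4.3", "11.6.1", "12.8.5", "12.9.1", "12.9.2")
VALID_PARTIES = ("merchant", "provider", "shared")   # assumption for this example


def evaluate_scope_reduction(flow: MerchantPaymentFlow, aoc: ProviderAOC) -> dict:
    """Return a finding record; scope reduction is accepted only when no finding fires."""
    findings = []
    if not aoc.current:
        findings.append(f"{aoc.provider} AOC is not current")
    # Gate 1: every consumed service must appear in the AOC, not just "an AOC exists".
    uncovered = sorted(flow.consumed_services - aoc.covered_services)
    if uncovered:
        findings.append(f"{aoc.provider} AOC does not cover consumed services: {', '.join(uncovered)}")
    # Gate 2: each listed requirement needs an explicit owner in the responsibility matrix.
    unmapped = [r for r in REQUIRED_MAPPING if aoc.responsibility.get(r) not in VALID_PARTIES]
    if unmapped:
        findings.append(f"no responsibility assignment for Req {', '.join(unmapped)}")
    # Gate 3: SAQ eligibility rationale must agree with observed PAN/SAD data flow.
    if flow.pan_on_merchant_systems:
        findings.append("PAN/SAD observed on merchant-controlled systems; SAQ eligibility rationale not supported")
    return {"scope_reduction_supported": not findings, "uncovered_services": uncovered,
            "unmapped_requirements": unmapped, "findings": findings}


# Constructed sample inputs: the "before" case from the PR description and a benign case.
CONSUMED = frozenset({"hosted-fields", "payment-page-script", "token-vault", "webhook-handling"})
MISMATCH_AOC = ProviderAOC("ExamplePay", True, frozenset({"gateway-api", "token-vault"}), {"12.8.5": "merchant"})
COMPLETE_AOC = ProviderAOC("ExamplePay", True, CONSUMED | {"gateway-api"}, {r: "shared" for r in REQUIRED_MAPPING})
MISMATCH = evaluate_scope_reduction(MerchantPaymentFlow(CONSUMED, False), MISMATCH_AOC)
COMPLETE = evaluate_scope_reduction(MerchantPaymentFlow(CONSUMED, False), COMPLETE_AOC)

if __name__ == "__main__":
    for name, result in (("mismatch", MISMATCH), ("complete", COMPLETE)):
        print(name, result["scope_reduction_supported"], *result["findings"], sep="\n  ")
```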


Development

Successfully merging this pull request may close these issues.

[REVIEW] pci-dss-review: add TPSP responsibility and AOC service-coverage gates