Sushegaad
diff --git a/‎.claude-plugin/marketplace.json‎
Lines changed: 14 additions & 1 deletion b/‎.claude-plugin/marketplace.json‎
Lines changed: 14 additions & 1 deletion
diff --git a/‎INSTALLATION.md‎
Lines changed: 11 additions & 5 deletions b/‎INSTALLATION.md‎
Lines changed: 11 additions & 5 deletions
diff --git a/‎PCI Compliance - Claude Skill/PCI-Compliance-README.md‎
Lines changed: 132 additions & 0 deletions b/‎PCI Compliance - Claude Skill/PCI-Compliance-README.md‎
Lines changed: 132 additions & 0 deletions
diff --git a/‎PCI Compliance - Claude Skill/PCI-Compliance.skill‎
23 KB b/‎PCI Compliance - Claude Skill/PCI-Compliance.skill‎
23 KB
diff --git a/‎README.md‎
Lines changed: 30 additions & 3 deletions b/‎README.md‎
Lines changed: 30 additions & 3 deletions
diff --git a/‎plugins/pci-compliance/.claude-plugin/plugin.json‎
Lines changed: 22 additions & 0 deletions b/‎plugins/pci-compliance/.claude-plugin/plugin.json‎
Lines changed: 22 additions & 0 deletions
@@ -1,7 +1,7 @@
 {
   "$schema": "https://anthropic.com/claude-code/marketplace.schema.json",
   "name": "grc-skills",
-  "description": "Claude Code skills for Governance, Risk & Compliance — ISO 27001, SOC 2, FedRAMP, GDPR, HIPAA, and NIST CSF.",
+  "description": "Claude Code skills for Governance, Risk & Compliance — ISO 27001, SOC 2, FedRAMP, GDPR, HIPAA, NIST CSF, and PCI DSS.",
   "owner": {
     "name": "Hemant Naik",
     "email": "hemant.naik@gmail.com"
@@ -84,6 +84,19 @@
       "homepage": "https://sushegaad.github.io/Claude-Skills-Governance-Risk-and-Compliance/",
       "category": "compliance",
       "keywords": ["nist-csf", "cybersecurity-framework", "csf20", "risk-management", "cybersecurity", "grc", "gap-assessment", "profiles", "tiers"]
+    },
+    {
+      "name": "pci-compliance",
+      "source": "./plugins/pci-compliance",
+      "description": "PCI DSS v4.0.1 compliance advisor — CDE scoping, SAQ selection, gap assessments, control implementation guidance, QSA audit preparation, and remediation planning.",
+      "version": "0.1.0",
+      "author": {
+        "name": "Hemant Naik",
+        "email": "hemant.naik@gmail.com"
+      },
+      "homepage": "https://sushegaad.github.io/Claude-Skills-Governance-Risk-and-Compliance/",
+      "category": "compliance",
+      "keywords": ["pci-dss", "pci-compliance", "payment-security", "cardholder-data", "cde", "saq", "qsa", "grc"]
     }
   ]
 }
@@ -1,6 +1,6 @@
 # Installation Guide — GRC Skills for Claude Code
 
-This guide covers how to install the GRC Skills marketplace in [Claude Code](https://claude.ai/claude-code), the AI-powered CLI for developers. The marketplace provides six compliance skills as Claude Code plugins — each one extends Claude Code with deep, framework-specific expertise for ISO 27001, SOC 2, FedRAMP, GDPR, HIPAA, and NIST CSF.
+This guide covers how to install the GRC Skills marketplace in [Claude Code](https://claude.ai/claude-code), the AI-powered CLI for developers. The marketplace provides seven compliance skills as Claude Code plugins — each one extends Claude Code with deep, framework-specific expertise for ISO 27001, SOC 2, FedRAMP, GDPR, HIPAA, NIST CSF, and PCI DSS.
 
 ---
 
@@ -64,16 +64,20 @@ Once the marketplace is registered, install only the frameworks you need.
 /plugin install nist-csf@grc-skills
 ```
 
+```shell
+/plugin install pci-compliance@grc-skills
+```
+
 Each plugin is installed to a local cache (`~/.claude/plugins/cache`) and activates immediately in new Claude Code sessions.
 
 ---
 
-## 3. Install All Six at Once
+## 3. Install All Seven at Once
 
 To install the full GRC suite in a single command:
 
 ```shell
-/plugin install iso27001@grc-skills soc2@grc-skills fedramp@grc-skills gdpr-compliance@grc-skills hipaa-compliance@grc-skills nist-csf@grc-skills
+/plugin install iso27001@grc-skills soc2@grc-skills fedramp@grc-skills gdpr-compliance@grc-skills hipaa-compliance@grc-skills nist-csf@grc-skills pci-compliance@grc-skills
 ```
 
 ---
@@ -100,12 +104,13 @@ Add the following to your project's `.claude/settings.json`:
     "fedramp@grc-skills": true,
     "gdpr-compliance@grc-skills": true,
     "hipaa-compliance@grc-skills": true,
-    "nist-csf@grc-skills": true
+    "nist-csf@grc-skills": true,
+    "pci-compliance@grc-skills": true
   }
 }
 ```
 
-Commit this file to your repository. The next time a team member trusts the project folder in Claude Code, the marketplace and plugins will be registered automatically. Only enable the skills your team actually needs — you don't have to include all five.
+Commit this file to your repository. The next time a team member trusts the project folder in Claude Code, the marketplace and plugins will be registered automatically. Only enable the skills your team actually needs — you don't have to include all seven.
 
 ---
 
@@ -151,6 +156,7 @@ To remove the marketplace entirely:
 | `gdpr-compliance` | GDPR / UK GDPR | Code audits, privacy notices, DPAs, DPIAs, data flow reviews, article-cited Q&A |
 | `hipaa-compliance` | HIPAA | Document generation, technical safeguards for cloud, breach response guidance |
 | `nist-csf` | NIST CSF 2.0 / 1.1 | Gap assessments, organisational profiles, implementation tiers, roadmaps, cross-framework mapping |
+| `pci-compliance` | PCI DSS v4.0.1 | CDE scoping, SAQ selection, gap assessments, control guidance, QSA audit prep, remediation planning |
 
 ---
 
 
@@ -0,0 +1,132 @@
+# PCI DSS Compliance Skill
+
+> A Claude skill for security, compliance, and engineering teams to navigate PCI DSS v4.0.1 — from CDE scoping and SAQ selection through gap assessments, QSA audit preparation, and remediation planning.
+
+---
+
+## 1. What Does the Skill Do?
+
+The PCI DSS skill turns Claude into an expert PCI DSS compliance advisor and QSA-trained consultant. It provides structured, actionable guidance across the full PCI DSS compliance lifecycle — from defining cardholder data environment (CDE) scope and selecting the right SAQ type, through gap assessments against all 12 requirements, remediation planning, and QSA audit preparation.
+
+The skill covers **PCI DSS v4.0.1** (June 2024 — current version), including all new requirements that became mandatory on March 31, 2025 — expanded MFA, payment page script integrity controls, phishing protection, automated log review, and targeted risk analysis. It also supports teams transitioning from the retired **PCI DSS v3.2.1**.
+
+Outputs are tailored to the task: CDE scoping narratives, structured gap assessment tables with evidence requirements, SAQ selection decisions with rationale, control-level implementation guidance with QSA evidence tips, and full policy documents with PCI DSS control citations.
+
+---
+
+## 2. Intended Audiences
+
+- **CISOs and Security Managers** overseeing PCI DSS compliance programmes for merchants or service providers
+- **Compliance Analysts and GRC Teams** performing gap assessments, maintaining SAQ documentation, or preparing for annual QSA audits
+- **Software Developers and Engineers** building payment systems, e-commerce applications, or integrations that touch cardholder data
+- **Architects** designing or reviewing systems that interact with the CDE — network segmentation, tokenisation, P2PE, cloud environments
+- **Small and Mid-Size Merchants** (Level 2–4) completing their annual SAQ and wanting expert guidance on what controls are needed and why
+- **Service Providers** managing their PCI DSS Level 1 or Level 2 obligations and TPSP due diligence
+
+---
+
+## 3. Common Use Cases
+
+| Use Case | Example Prompt |
+|----------|---------------|
+| **CDE scoping** | "Help me scope our CDE. We have a cloud-based e-commerce platform that uses Stripe for payments. What's in scope?" |
+| **SAQ selection** | "We're a Level 3 merchant accepting e-commerce payments only. We redirect customers to PayPal's hosted checkout. Which SAQ do we need?" |
+| **Gap assessment** | "Run a PCI DSS v4.0.1 gap assessment. We're an SAQ D merchant. Here's our current environment..." |
+| **v4.0 new requirements** | "What are the new requirements in PCI DSS v4.0 that became mandatory in March 2025?" |
+| **MFA guidance** | "What does Req 8.4.2 mean for our internal staff accessing CDE systems?" |
+| **Payment page scripts** | "How do we comply with Req 6.4.3 and 11.6.1 for our e-commerce payment page?" |
+| **Policy generation** | "Write an Incident Response Plan aligned to PCI DSS Req 12.10." |
+| **Remediation roadmap** | "We have 12 non-compliant controls from our last assessment. Help me build a remediation roadmap." |
+| **TPSP management** | "What does PCI DSS require for managing third-party service providers?" |
+| **Key management** | "How do we implement PCI DSS Req 3.7 for encryption key management?" |
+
+---
+
+## 4. How to Use the Skill
+
+Once the skill is installed in Claude, it activates automatically whenever you ask about PCI DSS, payment card security, CDE, SAQs, ROC, QSA assessments, cardholder data, or related topics. You do not need to reference the skill by name.
+
+### Tips for best results
+
+**Specify your merchant or service provider level** — this determines your validation requirements (SAQ vs ROC) and tailors the guidance. For example:
+
+> "We're a Level 2 merchant with 2 million transactions per year. We use a hosted payment page (redirect). What SAQ applies and what do we need to demonstrate?"
+
+**Describe your payment environment** — channels (card-present, e-commerce, MOTO), third-party processors used, whether you store any cardholder data, and which systems are in scope.
+
+**Reference specific requirements** — for targeted guidance, reference the requirement number (e.g., `Req 8.4.2`, `Req 6.4.3`) to get more focused and actionable responses.
+
+### Example interaction
+
+```
+You:     We're a Level 3 e-commerce merchant. We use a JavaScript payment widget from
+         Stripe embedded in our checkout page. Do we qualify for SAQ A?
+
+Claude:  No — because you control the checkout page that hosts the Stripe widget and
+         your JavaScript can affect how the widget behaves, you do not meet SAQ A
+         criteria. You are likely SAQ A-EP. Key requirements include:
+         - Req 6.4.3: Inventory all scripts on your payment page; implement
+           Content Security Policy (CSP) or Sub-Resource Integrity (SRI)
+         - Req 11.6.1: Deploy tamper detection for HTTP headers and payment page content
+         - Req 11.3: Quarterly ASV scans
+         Here is the full SAQ A-EP control scope and what you need to implement...
+```
+
+---
+
+## 5. Skill Implementation Details
+
+### Architecture
+
+```
+pci-compliance/
+├── SKILL.md                           # Core skill logic and workflows
+└── references/
+    ├── pci-dss-requirements.md        # All 12 requirements with sub-controls and evidence
+    ├── pci-dss-saq-guide.md           # SAQ selection guide, all SAQ types, ROC/AOC/ASV
+    └── pci-dss-v4-changes.md          # v3.2.1 → v4.0/v4.0.1 migration guide and change log
+```
+
+### What's in SKILL.md
+
+- **Persona**: Claude adopts the role of a PCI DSS compliance advisor and QSA-trained consultant
+- **Output format matrix**: Maps each task type to a specific output format
+- **CDE core concepts**: PAN, SAD, account data types, scope reduction strategies (tokenisation, P2PE, segmentation)
+- **Merchant and service provider levels**: Validation requirements per level
+- **Defined vs Customised Approach**: When each applies and what's required
+- **SAQ quick reference**: All 8 SAQ types with ~control counts
+- **5 core workflows**: CDE Scoping, Gap Assessment, SAQ Selection, Control Implementation, Policy Generation
+- **v4.0 changes table**: Key differences from v3.2.1
+- **Compensating controls**: How they work and when they apply
+
+### What's in the reference files
+
+| File | Contents |
+|------|----------|
+| `pci-dss-requirements.md` | All 12 requirements with sub-controls, QSA evidence requirements, and common gaps |
+| `pci-dss-saq-guide.md` | SAQ selection decision tree, all 8 SAQ types with eligibility criteria, ROC/AOC/ASV/QSA/ISA reference |
+| `pci-dss-v4-changes.md` | Version timeline, all new v4.0 requirements (future-dated → mandatory), key conceptual changes, migration checklist |
+
+### Inputs used to build the skill
+
+- **PCI DSS v4.0.1** (PCI SSC, June 2024) — all 12 requirements and sub-requirements
+- **PCI DSS v4.0** (PCI SSC, March 2022) — including future-dated requirements and Customised Approach
+- **PCI DSS Summary of Changes v3.2.1 to v4.0** (PCI SSC) — change log and migration reference
+- **PCI DSS SAQ documents v4.0** — all 8 SAQ types with eligibility criteria
+- **PCI SSC ROC Template v4.0.1** — assessment structure reference
+- **PCI SSC Targeted Risk Analysis guidance** — TRA methodology and requirements
+
+### Skill trigger phrases
+
+`PCI DSS` · `PCI compliance` · `payment card` · `cardholder data` · `CDE` · `SAQ` · `ROC` · `AOC` · `QSA` · `ASV scan` · `PAN storage` · `SAD` · `tokenisation` · `P2PE` · `Requirement 1` through `Requirement 12` · `v4.0` · `merchant level` · `service provider` · `network segmentation` · `payment page` · `web skimming` · `Magecart` · `TPSP` · `key management` · `PCI scope`
+
+---
+
+## 6. Author
+
+**Skill designed by:** Hemant Naik
+[LinkedIn](https://www.linkedin.com/in/tanaji-naik/) · [hemant.naik@gmail.com](mailto:hemant.naik@gmail.com)
+**Built with:** Claude (Anthropic) using the Claude Skills framework
+**Date:** March 2026
+**Skill version:** 0.1.0
+**Standard coverage:** PCI DSS v4.0.1 (June 2024) and PCI DSS v4.0 (March 2022)
@@ -1,11 +1,11 @@
 # Claude Skills for Governance, Risk & Compliance (GRC)
-Expert-level compliance guidance for ISO 27001, SOC 2, FedRAMP, GDPR, HIPAA, and NIST CSF — powered by Claude Skills.
+Expert-level compliance guidance for ISO 27001, SOC 2, FedRAMP, GDPR, HIPAA, NIST CSF, and PCI DSS — powered by Claude Skills.
 
 Benchmarked across 10 test cases (2 per framework) using eval framework — each graded against 7 verifiable assertions by independent agents. Skills scored **99% ± 4%** vs a baseline of 93% ± 7%.
 
 [![Release: v0.1.0](https://img.shields.io/badge/Release-v0.1.0-brightgreen.svg)](../../releases/tag/v0.1.0)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
-[![Skills: 6](https://img.shields.io/badge/Skills-6-green.svg)](#the-skills)
+[![Skills: 7](https://img.shields.io/badge/Skills-7-green.svg)](#the-skills)
 [![Built with Claude](https://img.shields.io/badge/Built%20with-Claude-orange.svg)](https://claude.ai)
 
 ---
@@ -21,6 +21,7 @@ Benchmarked across 10 test cases (2 per framework) using eval framework — each
   - [GDPR](#-gdpr)
   - [HIPAA](#-hipaa)
   - [NIST CSF](#-nist-csf)
+  - [PCI DSS](#-pci-dss)
 - [Potential Use Cases](#potential-use-cases)
 - [How to Install a Skill](#how-to-install-a-skill)
 - [Install via Claude Code Marketplace](#install-via-claude-code-marketplace)
@@ -173,6 +174,25 @@ The NIST CSF skill turns Claude into an expert NIST Cybersecurity Framework advi
 
 ---
 
+### 💳 PCI DSS
+
+**File:** `PCI Compliance - Claude Skill/PCI-Compliance.skill`
+
+The PCI DSS skill turns Claude into an expert PCI DSS compliance advisor covering **PCI DSS v4.0.1** (June 2024 — current version), including all requirements that became mandatory on March 31, 2025. It covers all 12 requirements, all 8 SAQ types, merchant and service provider levels, and key v4.0 changes from v3.2.1.
+
+**What it does:**
+- **Scopes the Cardholder Data Environment (CDE)** — identifies what's in scope, assesses network segmentation, and recommends scope reduction via tokenisation or P2PE
+- **Selects the correct SAQ type** — walks through the decision tree for SAQ A, A-EP, B, B-IP, C, C-VT, P2PE, and D with rationale
+- Conducts structured **gap assessments** across all 12 requirements with QSA evidence requirements and common gaps
+- Provides **control implementation guidance** for any PCI DSS sub-requirement — what to implement, evidence needed, and common pitfalls
+- Generates **PCI DSS-aligned policies** — incident response, access control, cryptography, patch management, data retention, and more
+- Guides **v3.2.1 → v4.0.1 migration** including new requirements for MFA expansion, payment page script integrity (Req 6.4.3), phishing protection (Req 5.4.1), and automated log review (Req 10.4.1.1)
+- Explains **Defined vs Customised Approach** and when to use Targeted Risk Analysis (TRA)
+
+**Trigger phrases:** `PCI DSS`, `PCI compliance`, `cardholder data`, `CDE`, `SAQ`, `ROC`, `QSA`, `ASV scan`, `PAN`, `tokenisation`, `P2PE`, `merchant level`, `payment page`, `Req 8.4.2`, `Req 6.4.3`
+
+---
+
 ## Potential Use Cases
 
 | Scenario | Relevant Skill(s) |
@@ -199,6 +219,12 @@ The NIST CSF skill turns Claude into an expert NIST Cybersecurity Framework advi
 | Migrating a cybersecurity programme from CSF 1.1 to CSF 2.0 | NIST CSF |
 | Mapping ISO 27001 or SOC 2 controls to NIST CSF subcategories | NIST CSF + ISO 27001 / SOC 2 |
 | Writing a Cybersecurity Governance Policy aligned to the CSF GV function | NIST CSF |
+| Scoping a PCI DSS CDE for a cloud-hosted e-commerce platform | PCI DSS |
+| Selecting the right SAQ type for a merchant using a hosted payment page | PCI DSS |
+| Preparing for a Level 1 ROC with a QSA | PCI DSS |
+| Implementing the new PCI DSS v4.0 payment page script integrity requirements | PCI DSS |
+| Extending MFA to all CDE access per Req 8.4.2 | PCI DSS |
+| Managing third-party service providers under PCI DSS Req 12.8 | PCI DSS |
 
 ---
 
@@ -214,6 +240,7 @@ The NIST CSF skill turns Claude into an expert NIST Cybersecurity Framework advi
    | 🇪🇺 GDPR | [gdpr-compliance.skill](https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/GDPR%20-%20Claude%20Skill/gdpr-compliance.skill) |
    | 🏥 HIPAA | [hipaa-compliance.skill](https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/HIPAA%20-%20Claude%20Skill/hipaa-compliance.skill) |
    | 🛡️ NIST CSF | [NIST Cybersecurity.skill](https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/NIST%20Cybersecurity%20framework%20-%20Claude%20Skill/NIST%20Cybersecurity.skill) |
+   | 💳 PCI DSS | [PCI-Compliance.skill](https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/PCI%20Compliance%20-%20Claude%20Skill/PCI-Compliance.skill) |
 
 2. Open Claude and navigate to **Customize → Skills**.
 3. Click **Upload Skill** and select the `.skill` file.
@@ -233,7 +260,7 @@ Add the marketplace and install the skills you need directly from the terminal:
 
 ```shell
 /plugin marketplace add Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
-/plugin install iso27001@grc-skills soc2@grc-skills fedramp@grc-skills gdpr-compliance@grc-skills hipaa-compliance@grc-skills nist-csf@grc-skills
+/plugin install iso27001@grc-skills soc2@grc-skills fedramp@grc-skills gdpr-compliance@grc-skills hipaa-compliance@grc-skills nist-csf@grc-skills pci-compliance@grc-skills
 ```
 
 Teams can pre-wire the marketplace in `.claude/settings.json` so every developer gets the skills automatically when they open the project — no manual install required.
 
@@ -0,0 +1,22 @@
+{
+  "name": "pci-compliance",
+  "description": "PCI DSS v4.0.1 compliance advisor — CDE scoping, SAQ selection, gap assessments, control implementation guidance, QSA audit preparation, and remediation planning.",
+  "version": "0.1.0",
+  "author": {
+    "name": "Hemant Naik",
+    "email": "hemant.naik@gmail.com"
+  },
+  "homepage": "https://sushegaad.github.io/Claude-Skills-Governance-Risk-and-Compliance/",
+  "repository": "https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance",
+  "license": "MIT",
+  "keywords": [
+    "pci-dss",
+    "pci-compliance",
+    "payment-security",
+    "cardholder-data",
+    "cde",
+    "saq",
+    "qsa",
+    "grc"
+  ]
+}