Implement PCI DSS compliance requirements for secure handling of payment card data and payment systems. Use when securing payment processing, achieving PCI compliance, or implementing payment card security measures.
64
Does it follow best practices? 44%
Impact: 98% (1.28x average score across 3 eval scenarios)
Rating: Risky. Do not use without reviewing.
Optimize this skill with Tessl:
npx tessl skill review --optimize ./plugins/payment-processing/skills/pci-compliance/SKILL.md

Quality
Discovery
75%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description is well-structured with a clear 'Use when' clause and targets a distinct compliance niche (PCI DSS), making it easy to distinguish from other skills. However, it would benefit from listing more specific concrete actions (e.g., network segmentation, encryption, access control) and including additional natural trigger terms users might use (e.g., 'credit card', 'cardholder data', 'tokenization').
Suggestions
Add specific concrete actions such as 'segment cardholder data environments, encrypt PANs, configure firewalls, manage access controls, conduct vulnerability scans' to improve specificity.
Expand trigger terms to include common user variations like 'credit card security', 'cardholder data', 'CDE', 'tokenization', 'SAQ', and 'PAN' in the 'Use when' clause.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (PCI DSS compliance, payment card data) and a general action ('implement requirements', 'secure handling'), but does not list multiple specific concrete actions like 'encrypt cardholder data, segment networks, configure firewalls, manage access controls'. | 2 / 3 |
| Completeness | Clearly answers both 'what' (implement PCI DSS compliance requirements for secure handling of payment card data) and 'when' (explicit 'Use when' clause covering payment processing, PCI compliance, and payment card security measures). | 3 / 3 |
| Trigger Term Quality | Includes relevant keywords like 'PCI DSS', 'payment card data', 'payment processing', 'PCI compliance', and 'payment card security', but misses common variations users might say such as 'credit card', 'cardholder data environment', 'CDE', 'SAQ', 'tokenization', or 'PAN'. | 2 / 3 |
| Distinctiveness / Conflict Risk | PCI DSS is a very specific compliance framework with distinct terminology; this description is unlikely to conflict with general security skills or other compliance skills (e.g., HIPAA, SOC 2) due to the clear payment card focus. | 3 / 3 |
| Total | | 10 / 12 Passed |
Implementation
14%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads as a PCI DSS reference document rather than an actionable skill for Claude. It is excessively verbose, spending significant tokens on information Claude already knows (the 12 PCI requirements, compliance levels, SAQ types) while lacking a clear workflow for actually implementing or verifying PCI compliance. The code examples are partially useful but inconsistent in completeness, and the entire document would benefit from aggressive trimming and restructuring.
Suggestions
Remove the 12 PCI DSS requirements listing, compliance levels, and SAQ descriptions—Claude already knows these. Focus only on implementation-specific guidance Claude wouldn't know.
Add a clear sequenced workflow for implementing PCI compliance (e.g., 1. Determine scope → 2. Implement tokenization → 3. Validate no prohibited storage → 4. Run compliance checklist) with explicit validation steps.
Split the content: keep a concise overview in SKILL.md and move detailed code examples (tokenization, encryption, audit logging) into referenced files like TOKENIZATION.md and ENCRYPTION.md.
Complete the stub implementations (sanitize_input, get_payment_methods) with executable code or remove them entirely—incomplete functions reduce actionability.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~300+ lines. Much of the content is reference material Claude already knows (PCI DSS 12 requirements, compliance levels, SAQ types, Luhn algorithm). The compliance checklist as a Python dict is unnecessary padding. Comments like 'NEVER send card details to your server' and explanations of what tokenization is are redundant for Claude. | 1 / 3 |
| Actionability | Contains executable Python code for encryption, tokenization, and access control, but several functions have incomplete implementations (sanitize_input with just 'pass', get_payment_methods with 'pass'). The Stripe tokenization example mixes JavaScript comments inside a Python method awkwardly. Some code is illustrative rather than truly copy-paste ready. | 2 / 3 |
| Workflow Clarity | No clear workflow or sequenced process for achieving PCI compliance. The content reads as a reference dump of individual components without guidance on how to sequence implementation, validate compliance, or handle failures. For a domain involving security-critical operations, the absence of validation checkpoints and feedback loops is a significant gap. | 1 / 3 |
| Progressive Disclosure | Monolithic wall of text with no references to external files. All content, from basic requirements listing to advanced custom tokenization vaults, is inlined in a single document. The SAQ descriptions, compliance levels, and full checklist could easily be split into referenced files. | 1 / 3 |
| Total | | 5 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
91fe43e