Implement PCI DSS compliance requirements for secure handling of payment card data and payment systems. Use when securing payment processing, achieving PCI compliance, or implementing payment card security measures.
Score: 68
Quality: 52% (does it follow best practices?)
Impact: 98% (1.28x average score across 3 eval scenarios)
Rating: Risky. Do not use without reviewing.

Optimize this skill with Tessl: `npx tessl skill review --optimize ./plugins/payment-processing/skills/pci-compliance/SKILL.md`

Quality
Discovery: 89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid description with a clear 'Use when' clause and strong domain-specific trigger terms that make it easily distinguishable. Its main weakness is the lack of specific concrete actions—it describes the domain well but doesn't enumerate the particular tasks it can perform (e.g., network segmentation, encryption, access control, audit logging).
Suggestions
Add specific concrete actions such as 'encrypt cardholder data, segment cardholder data environments, configure firewalls, manage access controls, conduct vulnerability scans' to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (PCI DSS compliance, payment card data) and mentions some actions ('implement requirements', 'secure handling'), but doesn't list multiple specific concrete actions like 'encrypt cardholder data, segment networks, configure firewalls, manage access controls'. | 2 / 3 |
| Completeness | Clearly answers both 'what' (implement PCI DSS compliance requirements for secure handling of payment card data and payment systems) and 'when' (explicit 'Use when' clause covering securing payment processing, achieving PCI compliance, or implementing payment card security measures). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'PCI DSS', 'PCI compliance', 'payment card', 'payment processing', 'payment card security'. These cover the main variations a user would naturally use when seeking this skill. | 3 / 3 |
| Distinctiveness / Conflict Risk | PCI DSS is a very specific compliance framework with distinct trigger terms ('PCI', 'payment card', 'PCI DSS'). Unlikely to conflict with general security or other compliance skills due to the specificity of the domain. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 14%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a PCI DSS reference document than an actionable skill for Claude. It is excessively verbose, spending significant tokens on information Claude already knows (the 12 PCI requirements, compliance levels, SAQ types) while lacking a clear workflow for actually implementing PCI compliance. The code examples are a mixed bag of useful snippets and incomplete stubs, and the entire content is dumped into one monolithic file with no progressive disclosure.
Suggestions
Drastically reduce content by removing the 12 requirements listing, compliance levels, and SAQ descriptions—Claude already knows these. Focus only on implementation-specific guidance Claude wouldn't know (e.g., specific code patterns, project-specific conventions).
Add a clear sequential workflow: e.g., 1) Determine scope → 2) Implement tokenization → 3) Add encryption → 4) Configure access control → 5) Set up audit logging → 6) Validate with checklist, with explicit validation steps between stages.
Complete the stub implementations (sanitize_input, create_payment_method_token) or remove them entirely—incomplete code reduces actionability.
Split into a concise SKILL.md overview with references to separate files for detailed code examples (e.g., TOKENIZATION.md, ENCRYPTION.md, AUDIT_LOGGING.md).
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~350+ lines. Explains basic concepts Claude already knows (PCI DSS 12 requirements, compliance levels, SAQ types). The compliance checklist as a Python dict is padding; it's reference material Claude can generate on demand. Comments like '# NEVER send card details to your server' and '# Your server only sees the token, never the card number' are unnecessary explanations. | 1 / 3 |
| Actionability | Contains executable Python code for tokenization, encryption, and access control, which is good. However, several functions have incomplete implementations (sanitize_input is just 'pass', the Stripe client-side code is in a docstring), and the code mixes real implementations with pseudocode-like stubs. The compliance checklist is a data structure, not actionable guidance. | 2 / 3 |
| Workflow Clarity | No clear workflow or sequenced process for achieving PCI compliance. The content is organized as a reference dump of individual components (encryption, tokenization, logging) without connecting them into a coherent implementation workflow. No validation checkpoints, no feedback loops, and no guidance on order of operations for implementing PCI compliance. | 1 / 3 |
| Progressive Disclosure | Monolithic wall of text with no references to external files and no bundle files to support it. All content, from basic requirements listing to detailed code examples to SAQ descriptions, is crammed into a single file with no navigation structure or layering. | 1 / 3 |
| Total | | 5 / 12 Passed |
Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.