
pci-compliance

Implement PCI DSS compliance requirements for secure handling of payment card data and payment systems. Use when securing payment processing, achieving PCI compliance, or implementing payment card security measures.

64

1.28x
Quality: 44% (Does it follow best practices?)

Impact: 98% (1.28x; average score across 3 eval scenarios)

Security (by Snyk): Risky. Do not use without reviewing.

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/payment-processing/skills/pci-compliance/SKILL.md

Quality

Discovery

75%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is well-structured with a clear 'Use when' clause and targets a distinct compliance niche (PCI DSS), making it easy to distinguish from other skills. However, it could be stronger by listing more specific concrete actions (e.g., network segmentation, encryption, access control) and including additional natural trigger terms users might use like 'credit card security' or 'cardholder data environment'.

Suggestions

Add specific concrete actions such as 'encrypt cardholder data, segment card data environments, configure firewalls, manage access controls, conduct vulnerability scans' to improve specificity.

Expand trigger terms in the 'Use when' clause to include common user phrases like 'credit card security', 'cardholder data', 'tokenization', 'SAQ', or 'card data environment'.

Dimension / Reasoning / Score

Specificity (2 / 3): Names the domain (PCI DSS compliance, payment card data) and a general action ('implement requirements', 'secure handling'), but does not list multiple specific concrete actions like 'encrypt cardholder data, segment networks, configure firewalls, manage access controls'.

Completeness (3 / 3): Clearly answers both 'what' (implement PCI DSS compliance requirements for secure handling of payment card data) and 'when' (explicit 'Use when' clause covering payment processing, PCI compliance, and payment card security measures).

Trigger Term Quality (2 / 3): Includes relevant keywords like 'PCI DSS', 'payment card data', 'payment processing', 'PCI compliance', and 'payment card security', but misses common variations users might say such as 'credit card', 'cardholder data', 'SAQ', 'tokenization', 'PAN', or 'card data environment'.

Distinctiveness / Conflict Risk (3 / 3): PCI DSS is a very specific compliance framework with distinct terminology; this description is unlikely to conflict with general security skills or other compliance skills (e.g., HIPAA, SOC 2) due to the clear payment card focus.

Total: 10 / 12 (Passed)

Implementation

14%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads more like a PCI DSS reference guide or textbook chapter than an actionable skill for Claude. It's heavily padded with information Claude already knows (the 12 PCI requirements, compliance levels, SAQ types) while lacking a clear workflow for actually implementing PCI compliance. The code examples, while partially executable, are fragmented and don't connect into a coherent implementation process.

Suggestions

Replace the reference material (12 requirements, compliance levels, SAQ types) with a focused workflow: e.g., 'Step 1: Determine scope → Step 2: Implement tokenization → Step 3: Validate no prohibited storage → Step 4: Audit logging verification' with explicit validation checkpoints at each step.

Move detailed code examples (encryption, tokenization vault, audit logging) into separate reference files and keep only the most critical pattern (e.g., tokenization via Stripe) in the main skill with links to the rest.

Complete the incomplete code (sanitize_input is just 'pass') or remove it. Ensure all code examples are truly executable rather than illustrative.

Add explicit validation/verification steps: how to test that CVV is not being stored, how to verify encryption is working, how to audit log completeness—these are the high-value additions Claude needs for safe PCI implementation.

Dimension / Reasoning / Score

Conciseness (1 / 3): Extremely verbose at ~300+ lines. Explains basic concepts Claude already knows (what PCI DSS is, what the 12 requirements are, compliance levels, SAQ types). Much of this is reference material readily available to Claude. Comments like 'NEVER send card details to your server' and explanations of what tokenization is are unnecessary padding.

Actionability (2 / 3): Contains executable Python code examples for tokenization, encryption, access control, and audit logging, which is good. However, several code blocks are incomplete (sanitize_input has 'pass', the Stripe client-side example is in a docstring comment), and the code mixes pseudocode patterns (in-memory dict as vault) with production claims. The compliance checklist is a Python dict rather than actionable guidance.

Workflow Clarity (1 / 3): No clear workflow or sequenced process for achieving PCI compliance. The content is organized as a reference dump of isolated code snippets and lists rather than a coherent multi-step process. There are no validation checkpoints, no feedback loops, and no guidance on how to sequence implementation steps. For a compliance skill involving security-critical operations, this is a significant gap.

Progressive Disclosure (1 / 3): Monolithic wall of text with no references to external files. All content is inline regardless of depth or relevance. The SAQ types, compliance levels, 12 requirements list, and detailed code examples for encryption/tokenization/access control could all be split into separate reference files. No navigation structure beyond flat headings.

Total: 5 / 12 (Passed)

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 11 / 11 checks passed. No warnings or errors.

Repository: wshobson/agents (Reviewed)
