Industry-specific · critical · v1.0.0 · System

PCI-DSS Cardholder Data Block

Blocks credit card numbers (PAN), CVV, and expiry dates from entering or leaving LLM systems.

📘 Clone & start observing

Creates a Guideline policy. Observation only — nothing is blocked until you promote to Strict.

Mode on clone: log
Defaults to template name. Customise to distinguish multiple instances of the same template.
Leave empty to apply broadly via the template's default data-classification / risk-tier filters.
Rationale

PCI-DSS prohibits storing or transmitting cardholder data outside CDE-compliant systems. LLMs are categorically out-of-scope for cardholder data.

Example violation
Prompt: "Please verify this card: 4532 1234 5678 9010, CVV 123, exp 12/27"
Triggers (2)
  • input: Scan prompts
  • output: Scan responses
Detectors (2)
  • regex · pan-luhn
    Luhn-validated card number patterns
  • regex · cvv-pattern
    3-4 digit CVV near card-related context
Actions (3)
  • block: Hard block with PCI-DSS explanation
  • log: Tokenised log only — never log raw PAN
  • notify: Alert security team
Tunable parameters (3)
PAN regex (with Luhn)
expert · regex · 🔒 locked
Luhn validation runs after regex match. Do not weaken without sign-off.
Default: ["\\b(?:\\d[ -]*?){13,19}\\b"]
CVV regex
advanced · regex
Adjust if your forms use different CVV labels.
Default: ["(?i)cvv\\s*[:=]?\\s*\\d{3,4}"]
Notification channel
basic · channel
Where to send PCI alerts.
Default: "#pci-incidents"
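
The detection flow described above (PAN regex, then Luhn validation, plus the CVV pattern and a log record that holds no raw PAN), as an added Python example that is not Atlas AI's own implementation. The two regexes are the template defaults; the HMAC-based token, the key, the record fields and the second sample prompt are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Defaults copied from the template's tunable parameters.
PAN_RE = re.compile(r"\b(?:\d[ -]*?){13,19}\b")
CVV_RE = re.compile(r"(?i)cvv\s*[:=]?\s*\d{3,4}")
# Constructed placeholder key (assumption); load a real one from a secret store.
LOG_KEY = b"constructed-demo-key"
# Sample inputs: the page's example prompt and a constructed one with a test number.
PAGE_PROMPT = "Please verify this card: 4532 1234 5678 9010, CVV 123, exp 12/27"
TEST_PROMPT = "Card 4111 1111 1111 1111 on file"


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def token(pan: str) -> str:
    """Keyed hash standing in for a tokenised log value (assumption)."""
    return "tok_" + hmac.new(LOG_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]


def scan(text: str) -> dict:
    """Run both detectors and build a log record that holds no raw PAN or CVV."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # Luhn runs only after the regex has matched
            pans.append(digits)
    hits = {"pan-luhn": bool(pans), "cvv-pattern": CVV_RE.search(text) is not None}
    fired = [name for name, hit in hits.items() if hit]
    return {"detectors": fired, "pan_tokens": [token(p) for p in pans], "block": bool(fired)}


if __name__ == "__main__":
    for prompt in (PAGE_PROMPT, TEST_PROMPT):
        print(scan(prompt))
```

Run against the Example violation prompt above, this code reports only cvv-pattern, because 4532 1234 5678 9010 does not pass the Luhn check. A Luhn-valid test number such as 4111 1111 1111 1111 trips pan-luhn.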
Regulatory references
PCI-DSS v4.0 Req. 3
Template defaults (suggested target after promotion)
Suggested mode: block
Risk tiers
Data classifications
Departments

Cloned policies start in Guideline mode. Use the promotion wizard to flip to Strict once you trust the false-positive rate.