PCI DSS v4.0
PCI DSS mapping is included on the Enterprise plan.
Scope
Any AI agent that reaches into the cardholder data environment (CDE) — whether it's a support agent querying transaction records, a developer agent running against a production-adjacent database, or a browser-based copilot summarizing order data — falls under PCI DSS. Behavry maps 8 PCI DSS v4.0 requirements directly to product capabilities so agents are defensible in front of a PCI QSA.
Source: backend/behavry/compliance/pcidss.py. UI: Compliance → PCI DSS.
Covered requirements
| Req | Title | Behavry answer |
|---|---|---|
| 1.2 | Restrict inbound / outbound traffic to the CDE | Inbound Rules domain matcher, Blast Radius URL limits |
| 3.3 | Sensitive authentication data must not be stored after authorization | DLP Scanner (card patterns), Data Protection Pipeline (redact / dispose) |
| 3.5 | PANs are rendered unreadable wherever stored | DLP Scanner auto-redaction |
| 7.2 | Access restriction by business need | Policy Engine, Role hierarchy, Restricted Mode |
| 8.2 | Identification of all users | Agent Identity + Requester Identity Propagation + SSO |
| 8.3 | Strong authentication for all access | Workflow tokens, credential encryption |
| 10.2 | Audit log for all access to cardholder data | Decision Trace, SIEM Connectors |
| 10.4 | Audit log integrity | Hash-chained Decision Trace, Public Evidence Verification |
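Requirement 10.4 in the table is answered with a hash-chained Decision Trace and public evidence verification. The following is an added, constructed illustration of what "hash-chained" means for an audit log; it is not Behavry's own trace format, and the entry fields, the SHA-256 choice and the sample events are this example's assumptions. Each entry commits to the previous entry's hash, so editing, deleting or reordering a record breaks every hash that follows it, and anyone holding the exported chain plus a separately published head hash can re-verify it.

```python
import hashlib
import json
from typing import List, Optional, Tuple

# Hypothetical hash-chained audit log (added example, not Behavry's implementation).
GENESIS = "0" * 64  # prev_hash of the very first entry

# Constructed sample decisions; field names are this example's own.
SAMPLE_EVENTS = [
    {"agent": "support-copilot", "requester": "alice@example.com",
     "action": "db.query", "resource": "transactions", "decision": "allow"},
    {"agent": "support-copilot", "requester": "alice@example.com",
     "action": "export", "resource": "transactions", "decision": "deny"},
    {"agent": "dev-agent", "requester": "bob@example.com",
     "action": "db.query", "resource": "orders", "decision": "allow"},
]


def canonical(body: dict) -> bytes:
    """Deterministic JSON so the same entry always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: List[dict], event: dict) -> dict:
    """Append an event, binding it to the current head of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev_hash": prev_hash, "event": event}
    entry = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute every link. Returns (ok, index of the first bad entry or None).

    Without an externally anchored head hash, dropping entries from the *end*
    of the chain is undetectable, so a verifier should always pass expected_head
    (e.g. the hash published with the evidence export)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return False, i
        if hashlib.sha256(canonical(body)).hexdigest() != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)  # chain is shorter than the published head
    return True, None


def build_sample_chain() -> List[dict]:
    chain: List[dict] = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, event)
    return chain


def edit_in_place_demo() -> Tuple[bool, Optional[int]]:
    """Silently flip a deny to allow; the hash of entry 1 no longer matches."""
    chain = build_sample_chain()
    chain[1]["event"]["decision"] = "allow"
    return verify_chain(chain)


def delete_entry_demo() -> Tuple[bool, Optional[int]]:
    """Remove a middle entry; the next entry's seq and prev_hash expose the gap."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


def truncate_tail_demo() -> Tuple[bool, Optional[int]]:
    """Drop the newest entry; only the anchored head hash catches this."""
    chain = build_sample_chain()
    head = chain[-1]["hash"]
    del chain[-1]
    return verify_chain(chain, expected_head=head)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_chain()))
    print("edited:", edit_in_place_demo())
    print("deleted:", delete_entry_demo())
    print("truncated:", truncate_tail_demo())
```

The practical check for a QSA is the last case: a chain verifies internally even after its newest records are removed, so the head hash must be recorded somewhere the log writer cannot rewrite (a SIEM connector, a signed export, or the public verification endpoint the table refers to).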
DLP pattern coverage
The DLP scanner ships with card-specific patterns:
- Primary Account Number (PAN) — Luhn-validated, 13–19 digit, brand detection
- CVV / CVV2 — 3–4 digit pattern alongside PAN proximity
- Track data — magnetic stripe format (not usually seen in AI contexts, included for completeness)
- Expiry dates — proximity-scored alongside PAN
All four patterns are tagged pci:cardholder_data in the DLP taxonomy so policies and inbound rules can target them specifically.
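To make the PAN, CVV and expiry entries above concrete, here is an added, self-contained scanner that is not Behavry's DLP code: it Luhn-validates candidate PANs, detects the brand from well-known IIN prefixes, only reports CVV and expiry matches that sit within a proximity window of a validated PAN, tags every finding pci:cardholder_data, and redacts all but the last four PAN digits. The window size, scoring formula, brand ranges and sample text are this example's own assumptions; the track-data pattern is left out.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical PCI DLP scanner (added example, not Behavry's implementation).
TAG = "pci:cardholder_data"

# 13-19 digits, optionally separated by single spaces or hyphens, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# MM/YY or MM/YYYY expiry.
EXPIRY_RE = re.compile(r"(?<!\d)(0[1-9]|1[0-2])\s*/\s*(\d{4}|\d{2})(?!\d)")
# Bare 3-4 digit run; only reported when close to a validated PAN.
CVV_RE = re.compile(r"(?<!\d)\d{3,4}(?!\d)")

# Constructed sample: one real-looking test PAN, one 16-digit order reference that fails Luhn.
SAMPLE_TEXT = ("Customer paid with 4111 1111 1111 1111 exp 12/26 cvv 123. "
               "Order ref 1234567812345678, ticket 4567.")


@dataclass
class Finding:
    kind: str      # "pan", "cvv" or "expiry"
    start: int
    end: int
    score: float   # 1.0 for a Luhn-valid PAN; proximity-weighted for cvv/expiry
    brand: str = ""
    tag: str = TAG


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detect_brand(digits: str) -> str:
    """Coarse issuer detection from common IIN prefixes (assumed sufficient here)."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "amex"
    if n == 16 and (digits.startswith("6011") or digits.startswith("65")):
        return "discover"
    return "unknown"


def _gap(a: Tuple[int, int], b: Tuple[int, int]) -> int:
    """Characters between two spans (0 if they touch or overlap)."""
    return max(0, b[0] - a[1], a[0] - b[1])


def scan(text: str, window: int = 40) -> List[Finding]:
    findings: List[Finding] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("pan", m.start(), m.end(), 1.0, detect_brand(digits)))
    pans = [(f.start, f.end) for f in findings]
    if not pans:
        return findings  # cvv/expiry alone are not reported
    taken = list(pans)  # spans already claimed, so "4111" inside a PAN is not a CVV
    for kind, rx in (("expiry", EXPIRY_RE), ("cvv", CVV_RE)):
        for m in rx.finditer(text):
            span = (m.start(), m.end())
            if any(span[0] < e and s < span[1] for s, e in taken):
                continue
            dist = min(_gap(p, span) for p in pans)
            if dist <= window:
                findings.append(Finding(kind, span[0], span[1], round(1 - dist / window, 3)))
                taken.append(span)
    return sorted(findings, key=lambda f: f.start)


def mask_pan(raw: str) -> str:
    """Keep separators and the last four digits; star out the rest."""
    total = sum(c.isdigit() for c in raw)
    out, seen = [], 0
    for c in raw:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - 4 else "*")
        else:
            out.append(c)
    return "".join(out)


def redact(text: str) -> str:
    """Apply redaction from the end so earlier offsets stay valid."""
    out = text
    for f in sorted(scan(text), key=lambda f: f.start, reverse=True):
        if f.kind == "pan":
            repl = mask_pan(out[f.start:f.end])
        elif f.kind == "cvv":
            repl = "*" * (f.end - f.start)
        else:
            repl = "**/**"
        out = out[:f.start] + repl + out[f.end:]
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f)
    print(redact(SAMPLE_TEXT))
```

Two things the sample is built to show: the Luhn gate is what keeps the 16-digit order reference out of the findings, and the proximity rule is what keeps the unrelated "ticket 4567" from being flagged as a CVV while the "123" next to the PAN is.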
Continuous posture
Follows the same pattern as the other compliance modules: daily status computation, a 90-day trend, and per-requirement drill-down. Dip events (green → amber) trigger alerts.
Export
GET /api/v1/compliance/pci-dss/export?format=pdf|csv|json
The PDF is formatted for the QSA packaging template: requirement reference, description, evidence sample, responsible party slot.