pci-tokenization

What problem does it solve?

This Skill removes cardholder PAN exposure from transactional systems by replacing raw card numbers with HSM-backed format-preserving tokens and enforcing strict detokenization controls so that only an isolated Cardholder Data Environment (CDE) can access plaintext PANs.

Core Features & Use Cases

• HSM-backed FPE (FF3-1): Generate Luhn-compliant tokens that preserve PAN format while preventing plaintext exposure.
• Secure Token Vault: Store AES-256-GCM encrypted PAN blobs with SHA-256 pan hashes and masked PANs for display, and enforce token expiry matching card expiry.
• CDE Isolation & RBAC: Enforce Kubernetes network segmentation and method-level security so detokenization occurs only in the CDE with immutable audit logging to Kafka.
• Network Tokenization Integration: Provision and track Visa/Mastercard network tokens for wallet provisioning and lifecycle operations.
• Use Case: Replace card-on-file storage in an e-commerce platform so downstream payment orchestration and ledger systems only handle tokens, and settlement services request detokenization from CDE-only pods.

Quick Start

Tokenize a customer's PAN for e-commerce by invoking the TokenizationService with HSM-backed FF3-1, persist the token and masked PAN in the TokenVault, and emit an immutable audit event.