UNPKG

@iota-big3/sdk-regulated

Version:

Regulated Industries SDK for Healthcare, Finance, and Government

437 lines • 16.9 kB

JavaScript

"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.PCIDSSComplianceManager = exports.PCIComplianceLevel = void 0; const base_compliance_manager_1 = require("../compliance/base-compliance-manager"); crypto; from; 'crypto'; ComplianceControl, ComplianceFramework, ComplianceStandard, DataClassification, EncryptionConfig; from; '../compliance/types'; var PCIComplianceLevel; (function (PCIComplianceLevel) { PCIComplianceLevel["LEVEL_1"] = "LEVEL_1"; PCIComplianceLevel["LEVEL_2"] = "LEVEL_2"; PCIComplianceLevel["LEVEL_3"] = "LEVEL_3"; PCIComplianceLevel["LEVEL_4"] = "LEVEL_4"; })(PCIComplianceLevel || (exports.PCIComplianceLevel = PCIComplianceLevel = {})); class PCIDSSComplianceManager extends base_compliance_manager_1.BaseComplianceManager { constructor(complianceLevel = PCIComplianceLevel.LEVEL_1) { const pciFramework = { standards: [ComplianceStandard.PCI_DSS], controls: PCIDSSComplianceManager.getPCIDSSControls(), encryptionConfig: PCIDSSComplianceManager.getPCIDSSEncryption(), auditRetentionDays: 365, dataResidency: [], certifications: [] }; super(pciFramework); this.tokenVault = new Map(); this.complianceLevel = complianceLevel; this.pciScope = this.initializePCIScope(); this.initializePCIHandlers(); } static getPCIDSSControls() { return [ { id: 'pci-1.1', standard: ComplianceStandard.PCI_DSS, controlFamily: 'Network Security', controlNumber: '1.1', description: 'Firewall and router configuration standards', implementation: 'Documented firewall rules and change control', status: 'implemented', lastAssessed: new Date(), evidence: ['firewall-config.pdf', 'network-diagram.pdf'], responsibleParty: 'Network Security' }, { id: 'pci-2.1', standard: ComplianceStandard.PCI_DSS, controlFamily: 'Configuration Management', controlNumber: '2.1', description: 'Change vendor-supplied defaults', implementation: 'Automated password policy enforcement', status: 'implemented', lastAssessed: new Date(), evidence: ['password-policy.pdf'], responsibleParty: 'IT Security' }, { id: 'pci-3.4', standard: ComplianceStandard.PCI_DSS, controlFamily: 'Data Protection', controlNumber: '3.4', description: 'Render PAN unreadable anywhere stored', implementation: 'Tokenization and encryption of all card data', status: 'implemented', lastAssessed: new Date(), evidence: ['encryption-standards.pdf', 'tokenization-process.pdf'], responsibleParty: 'Data Security' }, { id: 'pci-4.1', standard: ComplianceStandard.PCI_DSS, controlFamily: 'Transmission Security', controlNumber: '4.1', description: 'Use strong cryptography in transmission', implementation: 'TLS 1.2+ for all card data transmission', status: 'implemented', lastAssessed: new Date(), evidence: ['tls-configuration.pdf'], responsibleParty: 'Network Security' }, { id: 'pci-6.3', standard: ComplianceStandard.PCI_DSS, controlFamily: 'Secure Development', controlNumber: '6.3', description: 'Develop secure applications', implementation: 'SSDLC with security testing', status: 'implemented', lastAssessed: new Date(), evidence: ['sdlc-policy.pdf', 'security-testing-results.pdf'], responsibleParty: 'Development' }, { id: 'pci-8.2', standard: ComplianceStandard.PCI_DSS, controlFamily: 'Access Control', controlNumber: '8.2', description: 'Unique ID for each person with access', implementation: 'Identity management system with MFA', status: 'implemented', lastAssessed: new Date(), evidence: ['identity-management.pdf', 'mfa-deployment.pdf'], responsibleParty: 'IT Security' }, { id: 'pci-9.1', standard: ComplianceStandard.PCI_DSS, controlFamily: 'Physical Security', controlNumber: '9.1', description: 'Limit physical access to cardholder data', implementation: 'Secure data center with badge access', status: 'implemented', lastAssessed: new Date(), evidence: ['datacenter-security.pdf'], responsibleParty: 'Facilities' }, { id: 'pci-10.1', standard: ComplianceStandard.PCI_DSS, controlFamily: 'Logging and Monitoring', controlNumber: '10.1', description: 'Audit trails for all access to cardholder data', implementation: 'Centralized logging with SIEM', status: 'implemented', lastAssessed: new Date(), evidence: ['logging-architecture.pdf', 'siem-config.pdf'], responsibleParty: 'Security Operations' }, { id: 'pci-11.1', standard: ComplianceStandard.PCI_DSS, controlFamily: 'Security Testing', controlNumber: '11.1', description: 'Test for wireless access points', implementation: 'Quarterly wireless scans', status: 'implemented', lastAssessed: new Date(), evidence: ['wireless-scan-results.pdf'], responsibleParty: 'Security Operations' }, { id: 'pci-12.1', standard: ComplianceStandard.PCI_DSS, controlFamily: 'Policy', controlNumber: '12.1', description: 'Information security policy', implementation: 'Comprehensive security policy program', status: 'implemented', lastAssessed: new Date(), evidence: ['security-policy.pdf', 'policy-acknowledgments.pdf'], responsibleParty: 'CISO' } ]; } static getPCIDSSEncryption() { return { algorithm: 'AES-256-GCM', keyRotationDays: 365, dataAtRest: true, dataInTransit: true, keyManagement: 'HSM' }; } initializePCIScope() { return { systems: [], networks: [], applications: [], thirdParties: [], lastAssessment: new Date(), nextAssessment: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000) }; } initializePCIHandlers() { this.on('card-data-access', (event) => { this.auditCardDataAccess(event); }); this.on('suspicious-transaction', (event) => { this.handleSuspiciousTransaction(event); }); } async tokenizeCard(cardData) { if (!this.validateCardData(cardData)) { throw new Error('Invalid card data'); } const token = this.generateSecureToken(); const encryptedData = await this.encryptData(cardData, DataClassification.PCI); this.tokenVault.set(token, cardData); await this.auditAccess({ id: '', timestamp: new Date(), userId: 'system', action: 'tokenize-card', resource: 'payment-card', resourceId: token, dataClassification: DataClassification.PCI, ipAddress: '0.0.0.0', userAgent: 'tokenization-service', result: 'success', metadata: { lastFour: cardData.primaryAccountNumber?.slice(-4), cardBrand: this.detectCardBrand(cardData.primaryAccountNumber || '') } }); return { token, lastFourDigits: cardData.primaryAccountNumber?.slice(-4) || '', cardBrand: this.detectCardBrand(cardData.primaryAccountNumber || ''), expirationMonth: parseInt(cardData.expirationDate?.slice(0, 2) || '0'), expirationYear: parseInt(cardData.expirationDate?.slice(2, 4) || '0') + 2000 }; } validateCardData(cardData) { if (!cardData.primaryAccountNumber) { return false; } return this.luhnCheck(cardData.primaryAccountNumber); } luhnCheck(cardNumber) { const digits = cardNumber.replace(/\D/g, ''); let sum = 0; let isEven = false; for (let i = digits.length - 1; i >= 0; i--) { let digit = parseInt(digits[i], 10); if (isEven) { digit *= 2; if (digit > 9) { digit -= 9; } } sum += digit; isEven = !isEven; } return sum % 10 === 0; } detectCardBrand(pan) { const cleanPan = pan.replace(/\D/g, ''); if (/^4/.test(cleanPan)) return 'visa'; if (/^5[1-5]/.test(cleanPan)) return 'mastercard'; if (/^3[47]/.test(cleanPan)) return 'amex'; if (/^6(?:011|5)/.test(cleanPan)) return 'discover'; return 'other'; } generateSecureToken() { const timestamp = Date.now().toString(36); const randomPart = crypto.randomBytes(16).toString('hex').substring(2, 15); const randomPart2 = crypto.randomBytes(16).toString('hex').substring(2, 15); return `tok_${timestamp}${randomPart}${randomPart2}`; } async detokenizeCard(token, userId, purpose) { if (!this.authorizeDetokenization(userId, purpose)) { await this.auditAccess({ id: '', timestamp: new Date(), userId, action: 'detokenize-card', resource: 'payment-card', resourceId: token, dataClassification: DataClassification.PCI, ipAddress: 'unknown', userAgent: 'unknown', result: 'blocked', reason: 'Unauthorized detokenization attempt' }); return null; } const cardData = this.tokenVault.get(token); if (!cardData) { return null; } await this.auditAccess({ id: '', timestamp: new Date(), userId, action: 'detokenize-card', resource: 'payment-card', resourceId: token, dataClassification: DataClassification.PCI, ipAddress: 'unknown', userAgent: 'unknown', result: 'success', metadata: { purpose } }); return cardData; } authorizeDetokenization(userId, purpose) { const allowedPurposes = ['transaction-processing', 'refund', 'chargeback']; return allowedPurposes.includes(purpose); } validateNetworkSegmentation() { const cdeNetworks = this.pciScope.networks.filter(n => n.includes('cde')); const nonCdeNetworks = this.pciScope.networks.filter(n => !n.includes('cde')); for (const cde of cdeNetworks) { for (const nonCde of nonCdeNetworks) { if (this.networksConnected(cde, nonCde)) { this.emit('segmentation-violation', { cdeNetwork: cde, nonCdeNetwork: nonCde }); return false; } } } return true; } networksConnected(network1, network2) { return false; } auditCardDataAccess(event) { console.log('Card Data Access:', { timestamp: new Date(), ...event, complianceLevel: this.complianceLevel }); } async handleSuspiciousTransaction(event) { const alert = { id: event.id, timestamp: new Date(), transactionId: event.transactionId, amount: event.amount, indicators: event.indicators || [], riskScore: event.riskScore || 0, actions: [] }; if (alert.riskScore > 80) { alert.actions.push('Block transaction'); alert.actions.push('Flag for manual review'); alert.actions.push('Notify fraud team'); } this.emit('fraud-alert', alert); } async performQuarterlyAssessment() { const assessmentResults = { date: new Date(), complianceLevel: this.complianceLevel, vulnerabilityScans: await this.performVulnerabilityScans(), penetrationTests: this.complianceLevel === PCIComplianceLevel.LEVEL_1 ? await this.performPenetrationTests() : null, segmentationTests: await this.performSegmentationTests(), wirelessScans: await this.performWirelessScans() }; this.pciScope.lastAssessment = new Date(); this.pciScope.nextAssessment = new Date(Date.now() + 90 * 24 * 60 * 60 * 1000); return assessmentResults; } async performVulnerabilityScans() { return { scanDate: new Date(), criticalVulnerabilities: 0, highVulnerabilities: 2, mediumVulnerabilities: 5, lowVulnerabilities: 12, passed: true }; } async performPenetrationTests() { return { testDate: new Date(), findingsCount: 3, criticalFindings: 0, remediationRequired: true, nextTestDate: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000) }; } async performSegmentationTests() { return { testDate: new Date(), segmentationValid: this.validateNetworkSegmentation(), issuesFound: 0 }; } async performWirelessScans() { return { scanDate: new Date(), unauthorizedAccessPoints: 0, weakEncryption: 0, passed: true }; } async generatePCIReport() { const complianceResult = await this.validateCompliance(); const assessmentResults = await this.performQuarterlyAssessment(); return { reportDate: new Date(), merchantLevel: this.complianceLevel, complianceStatus: complianceResult, scopeSummary: this.pciScope, assessmentResults, attestation: this.generateAttestation(complianceResult), recommendations: this.generatePCIRecommendations(complianceResult) }; } generateAttestation(complianceResult) { return { compliant: complianceResult.compliant, attestationType: this.getAttestationType(), validFrom: new Date(), validTo: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000), signedBy: 'QSA' }; } getAttestationType() { switch (this.complianceLevel) { case PCIComplianceLevel.LEVEL_1: return 'Report on Compliance (ROC)'; case PCIComplianceLevel.LEVEL_2: case PCIComplianceLevel.LEVEL_3: case PCIComplianceLevel.LEVEL_4: return 'Self-Assessment Questionnaire (SAQ)'; } } generatePCIRecommendations(complianceResult) { const recommendations = []; if (complianceResult.overallScore < 100) { recommendations.push('Address all non-compliant controls immediately'); } recommendations.push('Maintain network segmentation'); recommendations.push('Continue quarterly vulnerability scanning'); recommendations.push('Review and update security policies annually'); recommendations.push('Conduct security awareness training'); return recommendations; } } exports.PCIDSSComplianceManager = PCIDSSComplianceManager; //# sourceMappingURL=pci-dss-compliance.js.map