Compliance
PCI DSS compliance for AI workloads
PAN, CVV, and track data must never reach an LLM unscrubbed. Prism Guardrails strip them at ingestion; Prism X stops employees from pasting them into ChatGPT.
- Luhn-validated PAN detection
- Track data, CVV, and expiry blocked
- PCI DSS 4.0 Req. 3 protection of stored CHD
- Req. 10 audit-log evidence of every AI access event
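The bullets above describe the detection and redaction a guardrail performs at ingestion; the following is an added illustration of that logic (written for this page, not Prism's own code). It assumes a simple regex candidate scan with a Luhn check to discard non-card digit runs, track-2 and keyword-anchored CVV handling, and findings that carry only truncated values so they can go into an audit log.

```python
import re

# Added example, not Prism code: Luhn-validated PAN scrubbing with track-2 and
# CVV handling, the kind of check a guardrail runs before text reaches an LLM.
# 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'.
TRACK2 = re.compile(r";(\d{13,19})=\d{7}\d*\?")
# CVV/CVC/CID labelled 3-4 digit value; keyword anchoring limits false positives.
CVV = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid)\b\s*[:=]?\s*(\d{3,4})\b")

def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 mod-10 checksum; rejects most random digit runs."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """PCI-style truncation: at most first six and last four remain visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub(text: str):
    """Return (scrubbed_text, findings); findings carry only truncated values,
    so they are safe to write to a Req. 10 style audit log."""
    findings = []

    def on_track(m):
        findings.append(("TRACK2", mask_pan(m.group(1))))
        return "[TRACK2 REDACTED]"

    def on_cvv(m):
        findings.append(("CVV", "***"))
        return m.group(0).replace(m.group(1), "[CVV REDACTED]")

    def on_pan(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):  # order numbers, ticket ids etc. pass through
            return m.group(0)
        findings.append(("PAN", mask_pan(digits)))
        return mask_pan(digits)

    text = TRACK2.sub(on_track, text)  # track data first: it embeds a PAN
    text = CVV.sub(on_cvv, text)
    text = PAN_CANDIDATE.sub(on_pan, text)
    return text, findings
```

The sample input in the test uses the well-known Visa test number, which passes Luhn, beside a one-digit variant that fails it and is therefore left untouched.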
About this framework
PCI DSS (Payment Card Industry Data Security Standard) is maintained by the PCI Security Standards Council. Version 4.0 became mandatory March 31, 2025. The standard applies to any entity that stores, processes, or transmits cardholder data (CHD) — primary account number (PAN), cardholder name, expiration, service code — and sensitive authentication data (CVV, track, PIN). LLMs handling CHD inherit the same scope and controls as any other system in the cardholder data environment.
Who needs to comply
Industries this applies to
Banking
Issuers and acquirers handling CHD with AI in fraud, dispute, or service flows.
Fintech
Payment apps, BNPL, and processors with AI in authorization or risk.
Merchants
Any merchant using AI on transaction data.
Mapping
PCI DSS 4.0 requirements Prism addresses
| Obligation | Capability | Evidence |
|---|---|---|
| Req. 3 — protect stored cardholder data | Prism Guardrails | PAN/CVV detected and redacted before any storage step |
| Req. 4 — encrypt CHD in transit (out-of-scope flow) | Prism X (block before send) | Employees cannot send PAN to consumer AI tools at all |
| Req. 10 — log access to CHD | Prisms + Prism X Audit Events | Per-event log with redacted snippet, who, when, which tool |
Built for: Merchants, processors, and service providers handling cardholder data with AI in the loop