{
"name": "Fintech Security Compliance",
"description": "PCI DSS and financial security requirements for fintech applications",
"domainKeywords": ["payment", "financial", "banking", "credit", "debit", "transaction", "pci", "fintech"],
"compliance": {
"regulations": ["PCI DSS", "PSD2", "SOX", "KYC", "AML"],
"scope": "Applications processing payment card data",
"requirements": [
"Secure cardholder data",
"Encrypt transmission of cardholder data",
"Protect stored cardholder data",
"Maintain vulnerability management program",
"Implement strong access control measures",
"Regularly monitor and test networks",
"Maintain information security policy"
]
},
"dataClassification": {
"pan": {
"definition": "Primary Account Number (Credit/Debit card number)",
"storage": "Never store full PAN unless absolutely necessary",
"masking": "Mask the PAN wherever it is displayed; show at most the last 4 digits (PCI DSS permits at most first 6/last 4)",
"encryption": "AES-256 in an authenticated mode (e.g. AES-GCM) if storage is required; keys stored and managed separately from the encrypted data",
"transmission": "Always encrypted in transit with TLS 1.2+; SSL and early TLS disabled"
},
"sadData": {
"definition": "Sensitive Authentication Data",
"types": ["CVV2", "PIN", "Track data"],
"storage": "Never store SAD after authorization, even if encrypted",
"handling": "Process but do not retain; keep SAD out of logs, crash dumps and debug output"
},
"cardholderData": {
"definition": "PAN + cardholder name, service code, expiration date",
"minimization": "Store only if business need exists",
"retention": "Purge when no longer needed",
"access": "Restrict access to authorized personnel only"
}
},
"securityPatterns": {
"encryption": {
"algorithm": "AES-256 for data at rest",
"keyManagement": "Hardware Security Modules (HSMs) preferred",
"transmission": "TLS 1.2+ for data in transit",
"tokenization": "Replace PAN with non-sensitive tokens"
},
"authentication": {
"mfa": "Multi-factor authentication mandatory",
"passwordPolicy": "Strong passwords (length over composition rules, screened against known-breached lists); periodic rotation where a password is the sole authentication factor",
"sessionManagement": "Secure session handling: regenerate the session ID on login, enforce idle and absolute timeouts, invalidate server-side on logout",
"biometric": "Support for biometric authentication as one MFA factor, never as a sole authenticator"
},
"authorization": {
"rbac": "Role-based access control",
"segregationOfDuties": "Separate roles for sensitive operations",
"leastPrivilege": "Minimum necessary access principle",
"approval": "Multi-person approval for high-value transactions"
},
"fraudPrevention": {
"riskScoring": "Real-time transaction risk assessment",
"monitoring": "Anomaly detection and behavioral analytics",
"alerts": "Immediate alerts for suspicious activities",
"blocking": "Automatic blocking of fraudulent transactions"
}
},
"implementationPatterns": {
"backend": {
"paymentProcessing": {
"tokenization": "Use payment tokens instead of card data",
"validation": "Validate all payment inputs server-side; never trust client-supplied amounts, currency or token ownership",
"logging": "Log transactions without sensitive data: never log PAN, SAD or track data (last 4 digits at most)",
"encryption": "Encrypt cardholder data before storage"
},
"apiSecurity": {
"rateLimit": "Implement rate limiting",
"apiKeys": "Secure API key management: keep keys in a secrets manager, rotate them, never commit them to source control",
"signing": "Request signing for sensitive operations, including a timestamp or nonce so signed requests cannot be replayed",
"monitoring": "Monitor API usage patterns"
},
"database": {
"encryption": "Database-level encryption for sensitive fields",
"access": "Database access controls and monitoring",
"backup": "Encrypted backups with secure key management",
"masking": "Data masking for non-production environments; never use live PANs for testing or development"
}
},
"frontend": {
"paymentForms": {
"https": "Always serve payment pages over HTTPS with HSTS enabled and no mixed content",
"validation": "Client-side validation for usability only; the server re-validates every field and is authoritative",
"autocomplete": "Disable autocomplete for sensitive fields",
"iframes": "Use the payment provider's hosted fields/iframes so card data never reaches your origin (reduces PCI DSS scope)"
},
"dataHandling": {
"noStorage": "Never store payment data in the browser (localStorage, sessionStorage, cookies, IndexedDB, caches)",
"masking": "Mask card numbers in UI",
"timeout": "Session timeout for payment pages",
"clearData": "Drop references to payment data as soon as it is submitted; JavaScript cannot guarantee memory wiping, so minimize how long it is held"
}
}
},
"testingRequirements": {
"coverage": {
"minimum": "90% for payment processing modules",
"focus": "Security controls and fraud prevention"
},
"security": [
"Penetration testing at least annually and after significant changes (quarterly exceeds the PCI DSS baseline)",
"Vulnerability scanning monthly",
"Code review for all payment code",
"Test encryption implementation",
"Validate tokenization process"
],
"compliance": [
"PCI DSS compliance validation",
"Test access controls",
"Validate audit logging",
"Test incident response procedures",
"Verify data retention policies"
]
},
"context7Libraries": [
"stripe",
"bcrypt",
"jsonwebtoken",
"helmet",
"express-rate-limit",
"crypto"
],
"codeTemplates": {
"paymentEntity": {
"description": "Payment entity with tokenization (@Tokenized and @Encrypted are assumed to be project-provided decorators; confirm they exist before use)",
"template": "@Entity()\nexport class Payment {\n @Tokenized()\n @Column()\n cardToken: string;\n\n @Column()\n lastFourDigits: string;\n\n @Encrypted()\n @Column()\n amount: number;\n}"
},
"transactionLog": {
"description": "Secure transaction logging",
"template": "await this.auditService.logTransaction({\n transactionId: transaction.id,\n userId: user.id,\n amount: transaction.amount,\n currency: transaction.currency,\n status: 'COMPLETED',\n riskScore: riskAssessment.score,\n timestamp: new Date()\n});"
},
"fraudCheck": {
"description": "Fraud prevention check (note: this template only raises an alert; blocking the transaction, as required by securityPatterns.fraudPrevention.blocking, must be added by the caller, and deviceId is client-supplied and untrusted)",
"template": "const riskScore = await this.fraudService.assessRisk({\n userId: user.id,\n amount: transaction.amount,\n location: transaction.location,\n deviceFingerprint: request.deviceId\n});\n\nif (riskScore > FRAUD_THRESHOLD) {\n await this.alertService.triggerFraudAlert(transaction);\n}"
}
},
"complianceChecklist": [
"Cardholder data is encrypted at rest and in transit",
"Sensitive authentication data is not stored",
"Access to cardholder data is restricted and monitored",
"Strong cryptography and security protocols are used",
"Anti-malware software is deployed, kept current and actively monitored",
"Secure systems and applications are developed",
"Access to data is restricted by business need-to-know",
"Unique IDs are assigned to each person with computer access",
"Physical access to cardholder data is restricted",
"All access to network resources is logged and monitored",
"Security systems and processes are regularly tested",
"Information security policy is maintained"
],
"riskAssessment": [
"Unauthorized access to payment data",
"Data breaches and card data theft",
"Fraud and unauthorized transactions",
"System vulnerabilities and exploits",
"Insider threats and malicious employees",
"Third-party payment processor risks",
"Network security vulnerabilities",
"Application security weaknesses",
"Physical security of payment systems",
"Business continuity and disaster recovery"
],
"regulatoryReporting": [
"PCI DSS compliance reports",
"Suspicious activity reports (SARs)",
"Currency transaction reports (CTRs)",
"Know Your Customer (KYC) documentation",
"Anti-Money Laundering (AML) compliance",
"Data breach notification requirements",
"Consumer privacy disclosures",
"Financial audit requirements",
"Incident response documentation",
"Third-party risk assessments"
]
}