Payment Card Industry Data Security Standard. The same gate attaches to whatever you're building: a reviewer agent reads the rule, your code, and your tests, and blocks the merge if a requirement is missing.
Card brands levy fines of $5,000–$100,000 per month for non-compliance (billed to the acquiring bank, which passes them on to the merchant), plus the cost of the breach itself: forensic investigation, card reissuance, and the potential loss of the ability to process cards at all.
Post-breach assessments routinely run into the millions once forensics, reissuance and fraud reimbursement are tallied — PCI-DSS is contractual, so the card networks enforce it directly, not a regulator.
The risk is rarely ignorance of the rule; it's the gap between knowing it and enforcing it on every pull request. Storing the full PAN unencrypted, a flat (un-segmented) network that puts the whole estate in scope, and skipped quarterly vulnerability scans: each is a pattern a reviewer can catch before it reaches production, the first two straight from the diff. That gap is what the pci-reviewer closes: it fires gate:pci-scope on detected payment flows.
GreatCTO detects your project's archetype, overlays the matching reviewer agent, and attaches the PCI-DSS gates. The reviewer reads the regulation text, your code, and your tests, then emits a verdict per requirement — with a diff if anything's missing.
Stack signals, manifests, and README keywords identify the project type. PCI-DSS gates attach when the code paths that carry the obligation are in scope.
The reviewer prompt encodes each requirement above as a check. When a PR touches a relevant code path, the gate fires with the specific check that matters.
Each gate decision is logged to .great_cto/gates.log with timestamp, reviewer, verdict, and rationale. Auditors get a tidy CSV; no scramble at audit time.
When an auditor flags something, the lesson promotes to ~/.great_cto/decisions.md after the 3rd similar finding and ships in the next project's Step 0.
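As an added, hypothetical illustration of the kind of check described above (this is not GreatCTO's pci-reviewer, which is an LLM prompt, and not code from the project): the script walks a unified diff, looks only at added lines, flags digit runs that pass the Luhn check as PANs (PCI DSS Requirement 3 requires stored PAN to be rendered unreadable), ignores masked values and digit runs too long to be a card number, and emits a verdict record with the four fields the page lists for gates.log. The sample diff, the file name and the record layout are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# bounded by non-digits so a SHA, a timestamp or a 20-digit build id does not match.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out most non-PAN digit runs of PAN length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str
    line: int      # line number in the new version of the file
    masked: str    # first six / last four, never the full PAN, in any output
    text: str


def find_pans(diff_text: str) -> list[Finding]:
    """Inspect only the '+' lines of a unified diff and return Luhn-valid PANs."""
    findings: list[Finding] = []
    path, new_line = "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                 # new-file header
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):                 # hunk header: '@@ -a,b +c,d @@'
            m = re.search(r"\+(\d+)", raw)
            new_line = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):                  # added line
            new_line += 1
            for m in PAN_RE.finditer(raw[1:]):
                digits = re.sub(r"[ -]", "", m.group(0))
                if luhn_valid(digits):
                    masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                    findings.append(Finding(path, new_line, masked, raw[1:].strip()))
        elif raw.startswith(" ") or raw == "":     # context line
            new_line += 1
        # '-' lines are gone from the new file and do not advance new_line
    return findings


def gate_verdict(diff_text: str, reviewer: str = "pci-reviewer") -> dict:
    """One gate decision: the four fields the page lists for gates.log (layout assumed)."""
    findings = find_pans(diff_text)
    rationale = (
        "; ".join(f"{f.path}:{f.line} stores or logs PAN {f.masked}" for f in findings)
        or "no Luhn-valid PAN in added lines"
    )
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "reviewer": reviewer,
        "verdict": "block" if findings else "pass",
        "rationale": rationale,
    }


# Constructed diff: one real leak (a well-known test PAN), one masked value,
# one Luhn-invalid 16-digit id and one 20-digit run that must all stay quiet.
SAMPLE_DIFF = """\
diff --git a/src/checkout.py b/src/checkout.py
--- a/src/checkout.py
+++ b/src/checkout.py
@@ -10,3 +10,6 @@ def charge(order):
     token = vault.tokenize(order.card)
-    log.info("charging %s", token)
+    log.info("charging card %s", "4111 1111 1111 1111")
+    order.receipt = "4111********1111"
+    build_id = "1234567890123456"
+    commit = "41111111111111111234"
     return gateway.charge(token, order.total)
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_DIFF):
        print(f"{f.path}:{f.line}: {f.masked}  <- {f.text}")
    print(gate_verdict(SAMPLE_DIFF))
```

Run it as is and the only finding is line 11 of src/checkout.py, logged as 411111******1111; the masked receipt, the Luhn-invalid id and the 20-digit run are not reported. The point of the Luhn filter and the length bounds is the false-positive rate: a gate that blocks merges on every 16-digit number gets disabled within a week.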
PCI-DSS doesn't care what you're building, and neither does the gate. The same enforcement attaches whether your project is a fintech API, a healthcare app, a marketplace, an MLOps pipeline, or an internal tool.
It does not certify you. PCI-DSS compliance requires human accountability — a sign-off, a review, in some cases an external auditor. GreatCTO ships the evidence; you still own the attestation.
It does not substitute legal review. The reviewer encodes commonly accepted readings of the regulation, not your specific jurisdictional interpretation. For high-stakes cases, lawyer involvement is still load-bearing.
It does not eliminate gaps in the requirements list. The list above is the surface area covered programmatically. Override the reviewer prompt in agents/ for your specifics.
Every box on the diagram is a clickable link to the agent's source on GitHub.
A pack rollout with gates auto-wired. Timeline, costs, artifacts.
The pci-reviewer prompt (the one that fires gate:pci-scope on detected payment flows) is auditable. Read it, override it, fork it.
$ npx great-cto init
Free, MIT, runs locally. The reviewer agent ships with the npm package — no SaaS portal, no compliance-vendor lock-in.
Startups have often reached out to me with the same problem: their team could ship a regulated feature in days, but the compliance setup aro
Not a complaint about lawyers. A breakdown of where the six weeks actually go, and which parts of it are mechanical.
Per-feature, per-MVP, per-quarter numbers. Hardware ratios, runway math, and the honest places where the savings stop.
Regex vs LLM-based archetype detection, the false-positive count, and why I keep rejecting the obvious fix.