💳 archetype: commerce

Take payments without taking PCI risk.

Building with Stripe, Shopify, WooCommerce, or Square? GreatCTO auto-detects the commerce archetype and ships PCI-DSS SAQ-A scope reduction, idempotent refund flows, SCA / PSD2, and GDPR cookie consent gates from day one.

$ npx great-cto init Back to home ↗

What you avoid

The 5 commerce bugs that cost real money.

Without GreatCTO

☐Idempotency key reused — duplicate $400 charge
☐PCI scope blew out from SAQ-A to SAQ-D
☐Refund flow not idempotent — refunded twice
☐Webhook signature not verified — replay attack
☐GDPR cookie banner missing — €20M fine risk
☐$200k audit + chargeback storm.

With GreatCTO

✓pci-reviewer signs off scope-reduction (SAQ-A)
✓Idempotency proof required on every payment endpoint
✓Refund + dispute flow gated for idempotency
✓Webhook signature + replay protection auto-checked
✓GDPR consent + cookie banner enforced at gate:ship
✓Audit-ready from commit 1 · zero chargebacks.

Auto-applied gates

Detected: `stripe` + `next.js` →
commerce archetype.

Compliance auto-suggested: pci-dss · gdpr · sca-psd2. Specialist agents activated:

01 · pci-reviewer

PCI-DSS scope reduction

SAQ-A vs SAQ-D decision · idempotency proof · webhook signature · refund/dispute flow · SCA / PSD2 · PSP failover. Pre-implementation sign-off.

02 · security-officer

OWASP A02 + GDPR

Cryptographic failures · cookie consent · data-minimization · breach notification readiness · PII redaction in logs.

03 · code-reviewer

12-angle review

Race conditions on inventory · double-charge prevention · refund idempotency · webhook replay · session fixation.

04 · senior-dev

TDD with audit trail

Every gate approval written to ~/.great_cto/decisions.md — auditor-ready, append-only, queryable across projects.

Domain pack overlays

Likely to overlay on commerce.

Packs auto-attach when CLI detects pack-specific signals (e.g. twilio in deps → voice-pack). Each pack adds its own reviewer agents + human gates on top of the base archetype pipeline.

+ Lending/Credit

ECOA / Reg B, FCRA, NMLS state matrix, MLA, BISG fair-lending

+ EM Fintech

India DPDP, Nigeria CBN, Brazil BCB/LGPD, MAS, OJK, BSP, local rails

Real-world examples

Companies operating as commerce.

4 startups in this space. Click for full pack mapping.

Mercado Libre / Mercado Pago

LATAM commerce + payments

publicAR

Stripe

Payments infrastructure for the internet

growthUS

Eclipse Foods

Dairy alternatives using micelles

series-aUS

Digi-Prex

Online pharmacy operating in India

seedIN

Listed companies operate in this space. Inclusion is based on publicly available product descriptions and does not imply endorsement of or by GreatCTO.