AI-Aware Platform Engineering for Payment Systems: Governing AI-Generated Code in PCI-DSS Compliant CI/CD Pipelines

Authors

  • Deepanjan Mukherjee, Independent Researcher, Austin, TX, USA.

DOI:

https://doi.org/10.63282/3050-9416.IJAIBDCMS-V7I2P120

Keywords:

PCI-DSS 4.0, AI-Generated Code, Platform Engineering, CI/CD Pipeline Security, SLSA Provenance, Supply Chain Security, Code Governance, Internal Developer Platform, LLM Code Generation, Payment Systems Compliance

Abstract

The adoption of AI coding assistants in production software development has introduced failure modes – hallucination of software dependencies, iterative security degradation, and provenance opacity – that existing compliance frameworks were not designed to govern. PCI-DSS 4.0, mandatory as of March 31, 2025, expands compliance scope to include CI/CD pipelines but contains no provisions for AI-generated code as a distinct risk class. I propose the AI-Aware Compliance Gateway (AACG), a platform engineering framework that classifies AI-generated artifacts at commit time, extends SLSA v1.1 provenance attestation to capture AI generation metadata, and maps PCI-DSS 4.0 requirements to AI-specific control gates enforced at defined pipeline stage transitions. The framework implements a dual-authority review model with five deterministic escalation conditions, ensuring graduated human oversight for AI code touching payment-critical functions without requiring replacement of existing pipeline infrastructure. Structured case analysis across three payment system scenarios – credential hallucination in webhook handlers, supply chain attacks via hallucinated CI plugins, and iterative cryptographic degradation in tokenization logic – demonstrates that AACG intercepts failure classes invisible to provenance-agnostic compliance pipelines. The framework satisfies four stated properties: PCI-DSS coverage completeness, provenance immutability, escalation determinism, and developer experience preservation. AACG provides payment system organizations with a concrete governance architecture for the intersection of AI-assisted development and continuous compliance and establishes a methodology for extending AI-aware compliance governance to adjacent regulated domains.
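The abstract describes two mechanisms: attaching AI-generation metadata to a SLSA provenance attestation, and enforcing AI-specific control gates at pipeline stage transitions. The Python below is an added illustration of how those two pieces fit together; it is not code from the paper or from the AACG framework. It builds an in-toto Statement with a SLSA v1 provenance predicate and adds a hypothetical `aiGeneration` block. The field name, its sub-fields (`classification`, `model`, `promptDigest`, `iteration`), the `PAYMENT_CRITICAL_PREFIXES`, the `example.invalid` URIs and the escalation conditions in `evaluate_gate` are all assumptions for this example; the paper's own five escalation conditions are not listed on this page. The gate first checks that the attestation's subject digest still matches the artifact (a provenance-immutability check), then decides whether the change goes through standard or dual-authority review.

```python
import hashlib
import json
from dataclasses import dataclass

# Assumption for this example: path prefixes the organisation places in PCI-DSS scope.
PAYMENT_CRITICAL_PREFIXES = ("src/payments/", "src/tokenization/", "src/webhooks/")

# Assumption: labels a commit-time classifier attaches to a change.
AI_CLASSES = {"ai-generated", "ai-assisted"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_statement(artifact_name, artifact_bytes, changed_paths, ai_meta):
    """in-toto Statement v1 carrying a SLSA v1 provenance predicate.

    The `aiGeneration` block is a hypothetical extension holding the commit-time
    classification; the surrounding layout follows the public SLSA v1 schema."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": sha256_hex(artifact_bytes)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://ci.example.invalid/build/v1",  # hypothetical
                "externalParameters": {"changedPaths": list(changed_paths)},
            },
            "runDetails": {"builder": {"id": "https://ci.example.invalid/runner"}},
            "aiGeneration": dict(ai_meta),  # hypothetical extension field
        },
    }


def serialize(statement) -> bytes:
    """Canonical JSON bytes: the payload that would be wrapped in a DSSE envelope and signed."""
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


@dataclass(frozen=True)
class GateDecision:
    allowed: bool
    review: str      # "standard", "dual-authority" or "rejected"
    reasons: tuple


def evaluate_gate(statement, artifact_bytes):
    """Stage-transition gate.

    Rejects the transition when the attested subject digest no longer matches the
    artifact, otherwise applies illustrative escalation conditions (assumed here)
    to pick the review level."""
    subject = statement["subject"][0]
    if subject["digest"]["sha256"] != sha256_hex(artifact_bytes):
        return GateDecision(False, "rejected", ("subject digest does not match artifact",))

    pred = statement["predicate"]
    ai = pred.get("aiGeneration", {})
    paths = pred["buildDefinition"]["externalParameters"]["changedPaths"]
    is_ai = ai.get("classification") in AI_CLASSES
    touches_critical = any(p.startswith(PAYMENT_CRITICAL_PREFIXES) for p in paths)

    reasons = []
    if is_ai and touches_critical:
        reasons.append("AI-classified change touches a payment-critical path")
    if is_ai and not ai.get("model"):
        reasons.append("AI-classified change lacks a model identifier")
    if is_ai and not ai.get("promptDigest"):
        reasons.append("AI-classified change lacks a prompt digest")
    if is_ai and ai.get("iteration", 0) >= 3:
        reasons.append("AI change produced after three or more regeneration rounds")

    review = "dual-authority" if reasons else "standard"
    return GateDecision(True, review, tuple(reasons))


if __name__ == "__main__":
    # Constructed sample input: an AI-generated change to a webhook handler.
    artifact = b"constructed artifact bytes v1\n"
    stmt = build_statement(
        "payments-svc.tar", artifact, ["src/webhooks/handler.py"],
        {"classification": "ai-generated", "model": "example-model",
         "promptDigest": "sha256:placeholder", "iteration": 1},
    )
    print(serialize(stmt).decode())
    print(evaluate_gate(stmt, artifact))
```

The digest check is what makes the attestation useful at all: an `aiGeneration` block that can be detached from the bytes it describes is just a label, so the gate refuses to reason about metadata whose subject no longer matches the artifact in hand. The review decision is a pure function of the attestation contents, which is the property the abstract calls escalation determinism.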

Published

2026-04-22

Section

Articles

How to Cite

Mukherjee D. AI-Aware Platform Engineering for Payment Systems: Governing AI-Generated Code in PCI-DSS Compliant CI/CD Pipelines. IJAIBDCMS [Internet]. 2026 Apr. 22 [cited 2026 May 3];7(2):124-32. Available from: https://ijaibdcms.org/index.php/ijaibdcms/article/view/554