GuardRail: PCI DSS


PCI DSS GuardRail

The Payment Card Industry Data Security Standard (PCI DSS) GuardRail for PCI DSS v4.0.1 provides specialized protection for payment card data across all your AI interactions. It enables your organization to monitor, warn on, block, and route prompts that raise potential PCI DSS compliance issues without slowing your adoption of AI tools and applications.
When payment card data is detected in user prompts, the PCI DSS GuardRail will Allow, Warn, Block, or Route prompts according to your preferences, and provide customizable messages to guide or inform users.
In addition, you have the option to anonymize sensitive data before sending user prompts to the destination AI model.

PCI DSS Detections


Primary Account Number (PAN)

The PAN is the card number on a credit or debit card. Its format depends on the type of card (Visa, Mastercard, AMEX).
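To make the PAN detection and the anonymization option concrete, here is an added sketch that is not the GuardRail's own detection logic: it finds PAN candidates in a prompt, keeps only those that pass the Luhn checksum, labels the brand, and masks all but the last four digits. The function names, the simplified brand prefix rules and the sample prompt are assumptions made for illustration.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs (order IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand(digits: str) -> str:
    """Simplified prefix/length rules (assumption) for the brands the page names."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55
                    or 222100 <= int(digits[:6]) <= 272099):
        return "Mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "AMEX"
    return "Unknown"

def scan_prompt(text: str):
    """Return (anonymized_text, findings); only Luhn-valid candidates are masked."""
    findings = []
    def mask(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # not a card number: leave untouched
        findings.append({"brand": brand(digits), "last4": digits[-4:]})
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(mask, text), findings

# Constructed prompt using published test card numbers, not real accounts.
SAMPLE = ("Refund order 1234567890123456 to card 4111 1111 1111 1111 "
          "and AMEX 3782-822463-10005.")

if __name__ == "__main__":
    redacted, hits = scan_prompt(SAMPLE)
    print(redacted)
    print(hits)
```

The 16-digit order number fails the Luhn check and is left in place, which is the false-positive case a pattern-only detector would get wrong.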

Tokenized & Production

Tokenized Data represents cases where sensitive data like PAN is replaced with a Token.

Magnetic Stripe

Data encoded in the magnetic stripe of a credit/debit card. Typically this includes Cardholder Name, Number, CVV, etc. The stripe usually includes two tracks: Track 1 for alphanumeric data and Track 2 for numeric data.

Merchant Identification

Identifies the merchant in the transaction.

Transaction Processing

The data part of payment processing.

Financial Institution

Bank Account Information Data

Authentication Credentials

Identifies a bank or other financial institution involved in the payment processing.

Compliance Documentation

Documents that prove adherence to regulations, standards, or internal policies related to data security and privacy.

Using PCI DSS GuardRail Step-by-Step

Step 1: Create a New Policy
1. Navigate to the Policies section.
2. Click Add New Policy.
3. Enter a name and description (e.g. “PCI DSS Policy”).
4. Click Continue to proceed.
 
Step 2: Choose Policy Type
The Policy Type drop-down offers ‘Guardrail’ and ‘Block’:
Choosing ‘Guardrail’ enables you to choose which detections are active.
Choosing ‘Block’ will block all user prompts containing PCI DSS data.
The descriptive text will remind you of this difference.
 
Add User Groups
1. Click the ‘Sources and Destinations’ tab in the Create Policy left-side menu.
2. Select Assign to New Group.
3. Choose the relevant Users, User Groups, and Lists from the drop-down.
4. Save the changes to add the group to the policy.
Step 3: Configure the Risk Analysis GuardRail
1. Go to the GuardRails tab in the policy editor.
2. Select Risk Analysis GuardRail from the list of available GuardRails.
3. Enable the GuardRail for the policy.
Step 4: Define GuardRail Actions
1. Specify the action to take when the Risk Analysis GuardRail detects risky prompts:
• Allow: Permit the prompt to proceed without restriction.
• Warn: Display a customizable warning message to alert the user about potential risks.
• Block: Prevent the prompt from being processed by the model and provide an explanatory message.
2. Customize the associated message to provide relevant guidance or warnings.
• Example Message: “The detected prompt poses a risk of harmful code generation. This activity is blocked. Please contact your administrator for more information.”
3. Save the configuration.
Step 5: Risk Evaluation Settings
1. Enable and configure risk evaluation for multiple topics, such as:
• Data Theft: Detect prompts that attempt to extract sensitive or proprietary information.
• Harmful Code Generation: Identify queries that generate insecure, malicious, or unethical code.
• Violence: Flag prompts that discuss or promote violent content.
• Other High-Risk Topics: Include additional categories as needed, based on organizational requirements.
2. Set thresholds for risk levels (e.g., low, medium, high) to fine-tune the GuardRail’s sensitivity.
Step 6: Test and Save the Policy
1. Test the policy configuration in a controlled environment to ensure it detects and handles risky prompts as expected.
2. Once verified, save the policy to activate the Risk Analysis GuardRail for the assigned User Groups.