PCI DSS · v4.0 · QSA-aligned
The cardholder data environment, instrumented end to end.
12 requirements, 300+ sub-requirements, one mapped scope. Segmentation evidence, ASV scans, compensating controls, and QSA exports run from a single graph.
The twelve requirements
Six control objective groups, twelve top-level requirements
v4.0 introduced the customized approach alongside the defined approach. We support both, and every choice of approach is logged per requirement.
- 1. Network security controls · Build & Maintain a Secure Network
- 2. Secure configurations · Build & Maintain a Secure Network
- 3. Protect stored account data · Protect Account Data
- 4. Secure transmissions · Protect Account Data
- 5. Anti-malware · Maintain a Vulnerability Mgmt Program
- 6. Develop & maintain secure systems · Maintain a Vulnerability Mgmt Program
- 7. Restrict access by need-to-know · Implement Strong Access Control
- 8. Identify users & authenticate · Implement Strong Access Control
- 9. Restrict physical access · Implement Strong Access Control
- 10. Log & monitor all access · Monitor & Test Networks
- 11. Test security regularly · Monitor & Test Networks
- 12. Support information security policy · Information Security Policy
Merchant levels
Four merchant levels, set by annual transaction volume, each with different validation obligations: Level 1 validates with an annual on-site assessment and a Report on Compliance, while Levels 2 through 4 validate with a Self-Assessment Questionnaire.
Testing & validation cadence
What needs to run, and when
Cadence is monitored and surfaced in the workspace. Late tests open exception workflows automatically.
- ASV scans (external) · Quarterly + after significant change (Req. 11.3.2)
- Internal vuln scans · Quarterly + after significant change (Req. 11.3.1)
- Penetration testing · Annual + after significant change (Req. 11.4)
- Segmentation testing · Every 6 months for Service Providers, annually for everyone else, and after any change to segmentation controls (Req. 11.4.5, 11.4.6)
- Wireless access point detection · Quarterly (Req. 11.2.1)
- Critical security control failure alerting · Continuous · 24×7 (Req. 10.7)
Walk into your QSA review with the package built
Map the CDE, automate scan tracking, and freeze evidence packages that auditors accept on the first pass.