RiskWatch
PCI DSS v4.0.1 · CDE scoping · QSA-ready

PCI scope drives cost. Reduce it.

Most teams PCI-treat their whole network because they don’t have the segmentation map. The single highest-ROI move in PCI is reducing the cardholder data environment — fewer systems in scope, fewer §3 requirements to meet on each. Audit cost drops 60–80%.

  • All 12 PCI DSS v4.0.1 requirements + Business-as-Usual mandate
  • CDE scoping wizard with §1.2 segmentation validation
  • QSA-ready scope diagram + ROC evidence vault + AOC export
  • For procurement: cloud / on-prem / hybrid deployment pricing
No credit card · v4.0.1 library + CDE scoping ship day 1
[Dashboard mockup: app.riskwatch.com / pci-dss · Live · 12 reqs · PCI DSS v4.0.1 compliance score vs Q3 · Build & maintain (R1–2) 94% · Protect data (R3–4) 92% · Vuln mgmt (R5–6) 78% · Open findings 9 · SAQs in scope · CDE systems in scope · QSA reviews due (90d) · Customized Approach controls · Top open findings by days to close: Req 8.3 MFA on all admin · Req 11.4 Pen test annual · Req 6.4 WAF on public apps · Req 12.10 IR plan test · Req 3.5 Key custodian rotation]
Trusted by merchants and service providers preparing for QSA audits
Coca-Cola
Bose
Puma
Charter
First Citizens Bank
SVB
Fidelity National
Black Knight
What it is

What is PCI DSS compliance software?

Scope drives cost. Smaller CDE = fewer §3 requirements on fewer systems. RiskWatch’s CDE scoping wizard maps every system to its scope tier, validates §1.2 segmentation continuously, and produces the QSA-ready scope diagram + ROC + AOC. Aligned to PCI DSS v4.0.1 — all 12 requirements, every SAQ tier, both Defined and Customized Approach scoring. Audit cost drops 60–80% when fewer systems carry the §3 burden.

Why teams move to RiskWatch

March 31, 2025 came and went. 90% of merchants wanted an extension.

Industry surveys found 93% of merchants saying v4.0 changes are “significant” and 90% concerned about meeting the deadline. The deadline arrived. Here's where the gaps actually are — based on what merchants and service providers report after the fact.

Pain #1

March 31, 2025 came and went. 90% wanted an extension.

Industry data: 93% of respondents flagged v4.0 changes as significant; 90% were concerned about hitting the deadline. All 50+ new requirements pre-loaded. Customized Approach path with the Targeted Risk Analysis worksheet so you can document compensating logic when the Defined Approach isn't feasible.

Pain #2

PAN in your CDE you can find. PAN in shadow IT — you're still liable.

Cardholder data discovery is the merchant pain v4.0 made urgent: PAN buried in endpoints, SaaS exports, support tickets, shadow IT. PAN-discovery integration with DLP + structured/unstructured scanning across your environment. Evidence captured per system, mapped to scope decisions.

Pain #3

Annual QSA audit was the old model. v4.0 demands BaU.

v4.0.1 explicitly mandates Business-as-Usual — controls operating continuously, evidence captured 365 days a year, log review daily, FIM weekly, scans quarterly. Evidence pulled continuously from your existing tooling — SIEM, EDR, FIM, vulnerability scanners — and auto-mapped to the requirement that needs it.

12× · PCI DSS v4.0.1 requirements · Build · Protect · VulnMgmt · Access · Monitor · Policy
8 · SAQ types covered · A · A-EP · B · B-IP · C · C-VT · D-Merchant · D-SP
2× · Scoring approaches supported · Defined Approach + Customized Approach
The PCI DSS platform

Every module a PCI program needs — in one platform.

Sixteen modules sharing the requirement library, CDE inventory, evidence vault, and audit trail. Built around the QSA workflow so the AOC is always 30 days away, not 90.

PCI Dashboard

12 requirements at a glance

Per-requirement compliance %, top open findings, evidence freshness, ASV scan status, MFA coverage.

Requirement Library

All 12 reqs · v4.0.1

70+ sub-requirements with testing procedures, Defined and Customized Approach paths, evidence templates per control.

CDE Scoping

Auto-discover the cardholder env

CMDB sync (ServiceNow, Lansweeper) maps systems as in-scope, connected-to, or out-of-scope. Visualize boundary diagrams.

SAQ Workflows

A through D-SP

Right-sized SAQ assigned by acceptance channel and processing model. Auto-fill from prior assessments.

ROC Evidence Vault

QSA-ready by design

Evidence linked to requirements, requirements to testing procedures, testing procedures to QSA report sections.

Customized Approach

v4.0 Targeted Risk Analysis

Document the customized approach with risk analysis, control objective, and compensating control logic per Req 12.3.1.

Cardholder Data Discovery

Find PAN where it shouldn't be

DLP integration plus structured-data scans surface PAN, track-1/track-2, CVV in places it doesn't belong.

Continuous Monitoring

Business-as-Usual evidence

v4.0.1 BaU controls — log review, FIM monitoring, IDS/IPS — fed continuously from your security tools.

Vulnerability Tracking

Req 6.3 + Req 11

CVE-aware finding management, ASV scan integration, internal scan tracking, pen-test schedule.

Cross-Framework Mapping

PCI + ISO 27001 + SOC 2

Each requirement maps to ISO 27001 Annex A, SOC 2 trust services, NIST CSF — score once, satisfy multiple.

Incident Response

Req 12.10.1 playbooks

IR plan, breach-detection procedures, forensic evidence preservation, card-brand notification templates.

Remediation Tasks

Findings → assigned work

Convert findings into tracked tasks with owner, due date, evidence-of-close. Bidirectional Jira/ServiceNow sync.

ASV Scan Integration

Req 11.3 quarterly

External ASV scan results auto-mapped to Req 11.3 evidence. Trend pass/fail across quarters.

Audit Trail

"Who scored Req 8.3?" answered instantly

Timestamped log of every control score, evidence upload, scoping change. QSA-admissible for ROC review.

Policy Library

Req 12 policies pre-built

12 ready-to-tailor PCI policies — info security, AUP, vendor management, incident response — with attestation tracking.

Acquirer Reporting

AOC + ROC submission

Pre-formatted Attestation of Compliance for acquirers. Self-Assessment Questionnaires for the major card brands.

All 12 requirements · v4.0.1

Build · Protect · Monitor · Govern.

v4.0.1 is the most prescriptive PCI DSS to date — and the deadline for full compliance was March 31, 2025. RiskWatch covers all 12 requirements with 70+ sub-requirements, both Defined and Customized Approach paths, the new MFA requirements (Req 8.3 expanded), and the Business-as-Usual continuous-control philosophy.

  • Build & Maintain Secure Networks (R1–2): firewall config standards, default-password elimination, network segmentation testing
  • Protect Cardholder Data (R3–4): PAN storage minimization, encryption at rest and in transit, key management
  • Vulnerability Management (R5–6): antivirus + EDR coverage, secure SDLC, patch cadences, public-facing app protection
  • Access Control (R7–9): least privilege, unique IDs, MFA on all admin (Req 8.3 v4.0 expansion), physical CDE controls
  • Monitor & Test (R10–11): log management, FIM, IDS/IPS, ASV quarterly scans, penetration testing
  • Information Security Policy (R12): policy library, vendor mgmt, incident response, awareness training
PCI DSS v4.0.1 · 12 requirements (per-requirement score as shown in the dashboard mockup)
  • Req 1 · Install and maintain network security controls · 94%
  • Req 2 · Apply secure configurations to all components · 91%
  • Req 3 · Protect stored account data · 92%
  • Req 4 · Protect cardholder data with strong cryptography · 88%
  • Req 5 · Protect from malicious software · 84%
  • Req 6 · Develop and maintain secure systems · 78%
  • Req 8 · Identify users and authenticate access (MFA) · 72%
  • Req 11 · Test security of systems and networks · 81%
QSA-ready ROC in 2 clicks
One assessment · Control library: ISO 27001 · SOC 2 · HIPAA · NIST CSF · PCI DSS · GDPR
Cross-framework mapping

PCI DSS + ISO 27001 + SOC 2 + NIST.

Most PCI DSS requirements have direct equivalents in ISO 27001 Annex A and SOC 2 trust services. RiskWatch maps every requirement to its counterpart so a single set of evidence satisfies multiple audits — PCI DSS for the QSA, ISO 27001 for certification, SOC 2 for the customer.

  • ISO 27001:2022 Annex A: Req 1–2 maps to A.8.20–A.8.24, Req 3–4 to A.8.24, Req 7–8 to A.5.16/A.8.5
  • SOC 2 trust services: PCI Req 6 → CC8.1, Req 8 → CC6.1/CC6.2, Req 10 → CC7.2, Req 12 → CC1
  • NIST CSF 2.0: PCI requirements mapped to Govern, Protect, Detect, Respond, Recover
  • NIST 800-53 r5: PCI Req 8 → IA family, Req 10 → AU family, Req 11 → SI family
  • HIPAA Security Rule: for healthcare merchants — PCI Req 8 ↔ §164.312(d)
Six requirement groups

The PCI DSS structure, organized.

  • Build & Maintain (R1–2): network security controls, secure configurations, default-password elimination
  • Protect Cardholder Data (R3–4): PAN storage, encryption at rest and in transit, key management
  • Vulnerability Mgmt (R5–6): anti-malware, secure SDLC, patch cadences, public-facing app security
  • Monitor & Test (R10–11): log management, FIM, IDS/IPS, ASV scans, pen testing, BaU monitoring

§1.2 · CDE scoping

Scope drives cost. Smaller CDE = fewer requirements on fewer systems.

The single highest-ROI move in PCI is reducing the cardholder data environment. Most teams PCI-treat their whole network because they don't have the segmentation map. Auto-discovery + segmentation validation moves systems from CDE → connected → out-of-scope, with QSA-aligned evidence per §1.2.4 and §11.4.5.

  • Auto-discovery: scanner identifies systems that store, process, or transmit cardholder data
  • Segmentation validation: §1.2.4 firewall rule analysis + §11.4.5 pen-test evidence captured
  • Quarterly re-validation: §11.4.6 schedule with reminders; segmentation drift surfaced before the QSA finds it
  • QSA-ready scope diagram: auto-generated network diagram with CDE, connected, and out-of-scope systems labeled
PCI DSS v4.0.1 · scope reduction
270 systems · only 14 in CDE. Scope drives cost.
  • Cardholder Data Environment · 14 systems: stores, processes, or transmits cardholder data · all §3 requirements
  • Connected systems · 9 systems: connect to or impact CDE security (§1.2.1) · subset: §1, §2, §6, §10, §11
  • Segmented out · 247 systems: no connectivity to CDE per §1.2.4 segmentation tests · out of PCI scope
Segmentation validation · QSA review
  • Network segmentation rules verified · §1.2.1
  • Firewall rules deny CDE traffic from out-of-scope · §1.2.4
  • Penetration test confirms isolation · §11.4.5
  • Quarterly segmentation re-validation scheduled · §11.4.6
PCI-treating fewer systems = audit cost ↓ 60–80%. Scope is the lever. Use it.
How it works

From scoping to AOC signed in five stages.

Most teams complete CDE scoping in their first week. Stage 4 runs continuously per the v4.0.1 BaU mandate. Stage 5 is on-demand the moment your QSA needs the ROC.

Stage 01 · Day 1–3

Scope the CDE

CMDB sync auto-discovers in-scope, connected-to, and out-of-scope systems. Boundary diagrams render automatically.

Stage 02 · Day 4–10

Pick SAQ + Approach

SAQ A through D-SP based on acceptance channel and processing model. Defined or Customized Approach per requirement.

Stage 03 · Week 2–4

Score and collect evidence

12 requirements scored question-by-question. Evidence linked to controls, controls linked to testing procedures.

Stage 04 · Continuous

BaU controls running

v4.0.1 Business-as-Usual mandate satisfied — log review, FIM, IDS, ASV scans feed continuously to the platform.

Stage 05 · On-demand

Submit ROC + AOC

QSA-ready ROC export, Attestation of Compliance for the acquirer, SAQ for self-assessing merchants — in two clicks.

Customer stories

The QSA audit that stopped requiring a war room.

Real merchants and service providers. Real v4.0.1 transitions. Real QSA sign-offs without the late-night fire drill.

v4.0.1 BaU mandate would have killed our team. The continuous evidence collection from our existing tools means we're always 30 days from a QSA audit, never 90.
Rashida C.
Director of Compliance · Payments service provider · 1,800 employees
QSA prep time: ↓ 70% (10 weeks → 3 weeks)
Evidence captured: auto, from CMDB + SIEM
Time-to-deploy: 4 weeks (first BaU cycle)

Customized Approach was uncharted territory. The targeted risk analysis template alone was worth the migration. Our QSA accepted the methodology without redlines.

Tom M.
CISO · E-commerce merchant · 4,200 employees

We process across 6 acquirers, each with their own SAQ submission template. Acquirer reporting saves us the equivalent of one FTE every quarter.

Jamie F.
Head of Risk · Multi-channel retailer · 12,000 employees

PCI Req 8.3 expanded MFA hit us hard. The MFA-coverage dashboard surfaces every admin without MFA, every elevated session, every legacy gap. We hit 100% before the deadline.

Diana H.
VP InfoSec · FinTech · 950 employees
Cross-mapped frameworks

Plus every framework adjacent to PCI — cross-mapped.

Score one PCI requirement, satisfy ISO 27001, SOC 2, NIST CSF, and HIPAA simultaneously. The same control evidence becomes the same audit deliverable, four times.

  • PCI DSS v4.0.1 · 12 reqs · 70+ sub-reqs
  • PCI 3DS Core · 3-D Secure providers
  • PCI P2PE · Point-to-point encryption
  • PCI PIN · PIN entry security
  • ISO 27001:2022 · ISMS · Annex A
  • SOC 2 Type 2 · Trust services criteria
  • NIST CSF 2.0 · Outcome-based
  • NIST 800-53 r5 · Federal controls
  • HIPAA Security · Healthcare merchants
  • GDPR · EU cardholder data
  • FFIEC IT · Banking acquirers
  • GLBA · US financial privacy
  • SOX 404 · Listed payment cos
  • ISO 22301 · BCM for processors
  • +20 more · Custom on request
Free resources

Take RiskWatch home before you sign anything.

Three downloads. Use them to evaluate, share with your QSA, or build the v4.0.1 transition business case.

Most popular · PCI v4.0.1 Checklist · 12-Requirement Compliance Checklist (R1-2 · R3-4 · R5-6 · R7-9 · R10-11) · PDF · 30 pages · Print-ready

PCI DSS v4.0.1 Compliance Checklist

Thirty pages covering all 12 PCI DSS v4.0.1 requirements with sub-requirements, testing procedures, and a per-requirement scoring worksheet. Includes the v4.0 → v4.0.1 delta summary.

  • All 12 reqs + 70+ sub-reqs
  • Defined + Customized Approach paths
  • v4.0 → v4.0.1 delta summary
Get the checklist
SAQ Pack · 2026 · All 8 SAQ types decision tree · PDF

SAQ A through D-SP Decision Tree

Which SAQ should you submit? This decision-tree PDF walks through acceptance channels, processing model, and CDE scope to land on the right SAQ — A, A-EP, B, B-IP, C, C-VT, D-Merchant, or D-SP.

  • 8-SAQ decision tree
  • Per-SAQ requirement matrix
  • AOC submission templates
Get the SAQ pack
Buyer's Guide · PCI DSS Compliance Platform · 2026 Vendor Comparison · 20-page PDF

PCI DSS Compliance Platform Buyer's Guide

Vendor scorecard, ROC-export depth comparison, BaU continuous-monitoring features, pricing by transaction volume, QSA partnerships.

  • Feature matrix · 6 vendors
  • Scorecard template
  • Pricing benchmarks
Get the guide
FAQ

Common questions, answered up front.

About PCI DSS v4.0.1, the 12 requirements, SAQ types, the Customized Approach, and BaU continuous compliance — and how RiskWatch covers all of them.

What is PCI DSS compliance software?
PCI DSS compliance software is a platform that helps merchants, service providers, and acquirers achieve and continuously maintain compliance with the PCI Data Security Standard v4.0.1. The 2026 buyer reality is the Business-as-Usual mandate: controls must operate effectively 365 days a year, with continuous evidence collection from SIEM, EDR, FIM, and vulnerability scanners — not annual screenshots before the QSA visits. RiskWatch covers all 12 requirements (70+ sub-requirements), the 8 SAQ types, Customized + Defined Approach scoring, the ROC evidence vault, MFA-everywhere coverage (Req 8.3 expansion), client-side script integrity (Req 6.4.3 + 11.6.1), and unstructured PAN discovery across endpoints + SaaS + shadow IT.
What's new in PCI DSS v4.0.1?
PCI DSS v4.0 (released March 2022) introduced major changes: a Customized Approach path that lets you meet the intent of a control via alternative means with a documented Targeted Risk Analysis; expanded multi-factor authentication requirements (Req 8.3 now applies to all access into the CDE, not just admins); the Business-as-Usual mandate requiring continuous control operation rather than point-in-time audits; and new requirements for client-side script integrity (Req 6.4.3, 11.6.1) and phishing protection (Req 5.4.1). v4.0.1 (June 2024) is a clarification release, and the deadline for full v4.0 compliance was March 31, 2025. RiskWatch ships with the full v4.0.1 library.
Which SAQ should I submit?
Eight SAQ types correspond to different merchant acceptance channels and processing models: SAQ A (e-commerce fully outsourced to a PCI-validated third party), A-EP (e-commerce partially outsourced where the merchant controls cart/checkout), B (imprint-only or standalone dial-out terminal), B-IP (standalone IP-connected terminal), C (payment-application system connected to the internet), C-VT (web-based virtual terminal), D-Merchant (any merchant not eligible for A–C), D-SP (service provider). RiskWatch's SAQ workflow asks the right questions and routes you to the correct SAQ. The free decision-tree PDF walks through the same questions manually.
What's the difference between Defined and Customized Approach?
v4.0 introduced two scoring paths. The Defined Approach is the traditional method — meet each requirement's testing procedures exactly as written. The Customized Approach lets you meet the requirement's objective through alternative means, but requires a documented Targeted Risk Analysis (per Req 12.3.1) explaining the threat model, the alternative control, and how it achieves the objective. QSAs review and accept the customized approach. RiskWatch supports both — Defined Approach is the default, Customized Approach is an option per requirement with the TRA worksheet built in.
How does CDE scoping work?
Cardholder Data Environment scoping is the foundation of any PCI assessment — you can only audit what you've scoped, and you're liable for what you missed. RiskWatch's CDE Scoping module syncs from your CMDB (ServiceNow, Lansweeper, Tanium) and classifies systems automatically into in-scope (stores, processes, or transmits CHD), connected-to (provides services to in-scope systems), or out-of-scope (no logical connection or data flow). Boundary diagrams render automatically and the QSA can drill from a system to its scope justification.
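The three-tier classification described in the §1.2 CDE scoping section and in this answer can be derived mechanically from two inputs: which systems handle cardholder data, and which network paths a firewall allows. The example below is added here and is not RiskWatch's code; it assumes a constructed CMDB export (with the tier each system was declared at in the last assessment) and a constructed list of allow rules. It derives the current tier for every system, counts the scope, and reports segmentation drift: systems whose derived tier no longer matches what the CMDB declares, plus rule endpoints that are missing from the inventory altogether and therefore cannot be shown to be out of scope.

```python
"""Scope-tier derivation and segmentation-drift check (added example, not
RiskWatch's code). Inventory, tiers and firewall rules below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CDE, CONNECTED, OUT = "CDE", "connected-to", "out-of-scope"


@dataclass(frozen=True)
class System:
    name: str
    handles_chd: bool = False   # stores, processes, or transmits cardholder data
    secures_cde: bool = False   # provides a security service to the CDE (directory, patching, ...)
    declared_tier: str = OUT    # tier recorded in the CMDB at the last assessment


@dataclass(frozen=True)
class AllowRule:
    src: str
    dst: str
    port: int


# Constructed inventory: legacy-batch was tokenised since the last assessment and
# no longer holds CHD; hr-portal gained a database path it did not have before.
SYSTEMS: List[System] = [
    System("pos-gateway", handles_chd=True, declared_tier=CDE),
    System("card-vault-db", handles_chd=True, declared_tier=CDE),
    System("legacy-batch", handles_chd=False, declared_tier=CDE),
    System("ad-dc01", secures_cde=True, declared_tier=CONNECTED),
    System("hr-portal", declared_tier=OUT),
    System("marketing-web", declared_tier=OUT),
]

# Constructed firewall allow rules (src, dst, port).
RULES: List[AllowRule] = [
    AllowRule("pos-gateway", "card-vault-db", 5432),
    AllowRule("ad-dc01", "pos-gateway", 389),
    AllowRule("hr-portal", "card-vault-db", 5432),   # the new path: drift
    AllowRule("marketing-web", "hr-portal", 443),    # out-of-scope to out-of-scope
    AllowRule("10.9.8.7", "card-vault-db", 22),      # endpoint not in the CMDB
]


def derive_tiers(systems: List[System], rules: List[AllowRule]) -> Dict[str, str]:
    """CDE if it handles CHD; connected-to if an allow rule joins it to a CDE
    system in either direction or it secures the CDE; otherwise out-of-scope."""
    chd = {s.name for s in systems if s.handles_chd}
    adjacent = set()
    for r in rules:
        if r.src in chd and r.dst not in chd:
            adjacent.add(r.dst)
        if r.dst in chd and r.src not in chd:
            adjacent.add(r.src)
    tiers: Dict[str, str] = {}
    for s in systems:
        if s.name in chd:
            tiers[s.name] = CDE
        elif s.name in adjacent or s.secures_cde:
            tiers[s.name] = CONNECTED
        else:
            tiers[s.name] = OUT
    return tiers


def scope_summary(tiers: Dict[str, str]) -> Dict[str, int]:
    counts = {CDE: 0, CONNECTED: 0, OUT: 0}
    for t in tiers.values():
        counts[t] += 1
    return counts


def segmentation_drift(systems: List[System], tiers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(name, declared, derived) for every system whose tier moved: an
    out-of-scope system that gained a CDE path, or a CDE system that no
    longer handles CHD and is a descoping candidate."""
    return [(s.name, s.declared_tier, tiers[s.name])
            for s in systems if s.declared_tier != tiers[s.name]]


def unknown_endpoints(systems: List[System], rules: List[AllowRule]) -> List[str]:
    """Rule endpoints absent from the inventory: unscoped, so not provably out of scope."""
    known = {s.name for s in systems}
    return sorted({n for r in rules for n in (r.src, r.dst) if n not in known})


if __name__ == "__main__":
    tiers = derive_tiers(SYSTEMS, RULES)
    print("scope:", scope_summary(tiers))
    for name, declared, derived in segmentation_drift(SYSTEMS, tiers):
        print(f"drift: {name} declared {declared}, now {derived}")
    print("unknown endpoints with CDE rules:", unknown_endpoints(SYSTEMS, RULES))
```

Only direct adjacency to a CHD-handling system and an explicit "secures the CDE" flag put a system in the connected-to tier here; a CMDB-driven tool would also carry the justification per system so the QSA can drill from a system to its scope decision, as the answer above describes.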
What does Business-as-Usual mean for v4.0.1?
v4.0.1 explicitly rejects point-in-time-only compliance — controls must be operating continuously throughout the year, not just on the day the QSA visits. The BaU concept covers daily log reviews, weekly file integrity monitoring, monthly user access reviews, quarterly ASV scans, annual pen tests, and continuous IDS/IPS monitoring. RiskWatch's continuous monitoring pulls evidence from your existing security tools (SIEM, EDR, FIM, vulnerability scanners) so BaU evidence accumulates automatically — no annual scramble.
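The Business-as-Usual point made in Pain #3 and in this answer is that evidence must be continuous across the year, which is a different test from "the newest record is recent". The example below is added here and is not RiskWatch's code; it assumes constructed evidence dates for three controls at the cadences the page lists (daily log review, weekly FIM, quarterly external ASV scans under Req 11.3) and a constructed assessment period. It computes the largest gap between successive evidence records, including the edges of the period, and contrasts that with a point-in-time freshness check on the same data.

```python
"""Continuity check for Business-as-Usual evidence (added example, not
RiskWatch's code). Evidence dates, cadences and the period are constructed."""
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Maximum allowed days between two consecutive evidence records.
CADENCE_DAYS: Dict[str, int] = {
    "daily log review": 1,
    "weekly FIM": 7,
    "quarterly ASV scan (Req 11.3)": 92,
}

PERIOD_START = date(2025, 1, 1)    # constructed assessment period
PERIOD_END = date(2025, 3, 31)


def _days(start: date, end: date, step: int = 1) -> List[date]:
    out, d = [], start
    while d <= end:
        out.append(d)
        d += timedelta(days=step)
    return out


# Constructed evidence: log review ran every day except a five-day outage in
# February; FIM ran every Monday; one ASV scan on 1 Feb.
_OUTAGE = set(_days(date(2025, 2, 10), date(2025, 2, 14)))
EVIDENCE: Dict[str, List[date]] = {
    "daily log review": [d for d in _days(PERIOD_START, PERIOD_END) if d not in _OUTAGE],
    "weekly FIM": _days(date(2025, 1, 6), PERIOD_END, step=7),
    "quarterly ASV scan (Req 11.3)": [date(2025, 2, 1)],
}


def latest_within_cadence(dates: List[date], cadence_days: int, as_of: date) -> bool:
    """Point-in-time check: is the newest record fresh? Necessary, not sufficient."""
    seen = [d for d in dates if d <= as_of]
    return bool(seen) and (as_of - max(seen)).days <= cadence_days


def max_gap(dates: List[date], start: date, end: date) -> Tuple[int, date]:
    """Largest run of days without evidence, counting from the period start and to its end."""
    points = [start] + sorted(d for d in dates if start <= d <= end) + [end]
    best_gap, best_after = 0, start
    for prev, nxt in zip(points, points[1:]):
        gap = (nxt - prev).days
        if gap > best_gap:
            best_gap, best_after = gap, prev
    return best_gap, best_after


def bau_gap_report(evidence: Dict[str, List[date]], cadence: Dict[str, int],
                   start: date, end: date) -> Dict[str, dict]:
    report = {}
    for control, limit in cadence.items():
        dates = evidence.get(control, [])
        gap, after = max_gap(dates, start, end)
        report[control] = {
            "max_gap_days": gap,
            "gap_after": after,                                   # last evidence before the gap
            "fresh_now": latest_within_cadence(dates, limit, end),
            "compliant": gap <= limit,
        }
    return report


def noncompliant_controls(report: Dict[str, dict]) -> List[str]:
    return sorted(c for c, r in report.items() if not r["compliant"])


if __name__ == "__main__":
    for control, r in bau_gap_report(EVIDENCE, CADENCE_DAYS, PERIOD_START, PERIOD_END).items():
        print(f"{control:30} max gap {r['max_gap_days']:3}d after {r['gap_after']}  "
              f"fresh_now={r['fresh_now']}  compliant={r['compliant']}")
```

On the constructed data the log-review control passes the freshness check (its newest record is from the last day of the period) yet fails continuity because of the six-day hole in February, which is exactly the gap a continuous-monitoring feed is meant to surface before the QSA does.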
How does cross-framework mapping help?
PCI DSS shares roughly 70% of its control surface with ISO 27001, SOC 2, NIST CSF, and HIPAA. RiskWatch maps every PCI requirement to its counterpart in those frameworks, so a single control answer satisfies multiple audits. Merchants and service providers running PCI alongside ISO 27001 or SOC 2 typically reduce combined audit prep time by 40–60% by starting from a complete PCI assessment.
Is there a free trial?
Yes. The 30-day free trial requires no credit card and includes full access — every PCI DSS v4.0.1 requirement and sub-requirement, all 8 SAQs, the ROC evidence vault, CDE scoping, BaU continuous monitoring, and Customized Approach scoring. You can run a real PCI assessment against your own environment and decide before purchasing.
Ready for v4.0.1 BaU?

Run your first 12-requirement scoring this week.

Start a 30-day free trial — every requirement, all 8 SAQs, the ROC evidence vault, CDE scoping, BaU continuous monitoring, and Customized Approach scoring. No credit card required.

No credit card required · 30-day free trial · Cancel anytime