Compyl
Framework · PCI DSS

PCI DSS v4.0 added 50+ new requirements. Don’t discover the gaps at your assessment.

PCI DSS v4.0.1 brought a wave of new, future-dated requirements that are now mandatory, and the annual SAQ or ROC and quarterly scans never stop. Compyl automates evidence for all 12 requirements, keeps your cardholder data scope tight, and flags gaps long before your QSA does.

12 requirements
125+ integrations
Continuous scoping
[Dashboard preview: PCI DSS v4.0.1 audit readiness, 96% audit-ready, 12 requirements monitored live. Goals: Secure network (Req 1–2), Protect data (Req 3–4), Access control (Req 7–9), Monitor & test (1 gap). Evidence collected automatically: AWS CloudTrail access logs (2m ago, current), Okta MFA enforcement export (5m ago, current), GitHub change-management records (18m ago, current). 1,284 evidence items current, 0 manual screenshots, next refresh in 4 min, export pack available.]
[Readiness summary: On track. Evidence current 96%, controls passing 92%, requirements met 11 / 12. Monitored continuously, updated live.]
What is PCI DSS, and how does Compyl help?

PCI DSS is the payment-card security standard from the PCI Security Standards Council, built on 12 requirements across six goals. It applies to any organization that stores, processes, or transmits cardholder data. The current version, v4.0.1, added many new requirements that became mandatory after March 2025. You validate annually through a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC) from a QSA, plus quarterly network scans.

Compyl automates evidence for all 12 requirements, continuously monitors your controls, helps you shrink and document your cardholder data environment, scores evidence health, and flags gaps, so your SAQ or ROC is a formality instead of an annual fire drill.

The problem

v4.0 moved the goalposts, mid-scramble for most teams

PCI is an annual treadmill of SAQs, ROCs, and quarterly scans, and v4.0.1's new requirements raised the bar. The gaps you can't see become your assessor's findings.

Scope creeps, evidence sprawls

Every new system that touches card data expands your cardholder data environment, and the evidence you must produce. Unmanaged, scope quietly balloons.

v4.0 requirements catch teams out

Targeted risk analyses, expanded MFA, anti-phishing controls: v4.0.1 added requirements that many programs still haven’t fully operationalized.

The annual scramble repeats forever

A SAQ or ROC every year and scans every quarter. Without continuous evidence, each cycle is a manual rebuild from scratch.

How it works

One continuous loop, from connected systems to audit-ready

Compyl runs PCI as an always-on cycle: scope, controls, and evidence stay in sync automatically.

01

Connect

Integrate cloud, identity, code, endpoint, and HR systems.

02

Collect evidence

Pull audit evidence automatically, in real time.

03

Map to requirements

Link every artifact to its PCI DSS requirement.

04

Monitor

Watch controls continuously and flag drift early.

05

Stay audit-ready

Hand auditors a current evidence pack on demand.

Automated evidence

Stop assembling PCI evidence by hand

The cost of PCI isn't the assessment fee; it's the weeks spent gathering proof for all 12 requirements across your cardholder data environment. Compyl collects it continuously and maps it to each requirement.

  • Pull evidence automatically from cloud, identity, code, and endpoint tools
  • Every artifact mapped to the PCI DSS requirement it supports
  • No more screenshots, spreadsheets, or last-minute requests
  • Export a complete, auditor-ready evidence pack on demand
[Evidence Studio preview, PCI DSS, auto-collecting: 1,284 evidence items current and mapped to controls; 0 manual screenshots this cycle. Sources: AWS access logs (Req 10.2, current), Okta MFA enforcement (Req 8.4, current), GitHub change management (Req 6.3, current), CrowdStrike endpoint protection (Req 5.2, current), Datadog uptime monitoring (Req 10.4, current). 125+ integrations feeding evidence, refreshed automatically.]
Evidence Health · New in 26.2

Know your evidence is audit-ready, automatically

Collecting evidence is only half the battle; stale or incomplete proof is where audits go sideways. New in Compyl 26.2, Evidence Health continuously scores every artifact the moment it changes, so weak evidence surfaces weeks before an audit, not during it.

  • Every artifact scored on relevance, freshness, and completeness
  • An AI summary spells out exactly what's missing and why
  • Re-scores automatically whenever the underlying evidence changes
  • Continuous control monitoring done right: gaps surface with time to fix
[Evidence Health preview, Q2 Access Review (new in 26.2): overall health 84 / 100, scored on three dimensions: relevance 95 (healthy), freshness 58 (aging), completeness 88 (healthy). AI summary: evidence is relevant and complete, but aging; last refreshed 41 days ago, access reviews expected within 90. Auto-refresh scheduled; gap clears ~3 weeks before audit. Re-pull available. Scored automatically the moment evidence changes.]
Continuous monitoring

Catch control drift before the auditor does

Your SAQ is a snapshot; PCI risk lives in the other 364 days. Compyl monitors every requirement continuously and turns the moment a control slips into a tracked task, not an assessor's finding.

  • Live posture across all 12 PCI DSS requirements
  • Automatic alerts the moment a control drifts out of compliance
  • Remediation tasks auto-assigned with owners and deadlines
  • A defensible, time-stamped trail across the whole assessment period
[Control Monitoring preview, PCI DSS, all requirements live: 92% passing. Control status: Req 8.4 MFA enforcement passing; Req 10.2 audit logging passing; Req 8.2 account removal drifting; Req 3.5 data encryption passing. Drift detected: Req 8.2, inactive account not disabled, 2 accounts idle past the 90-day limit, detected 6 min ago, before any audit sample. Remediation task #PCI-412 auto-created, assigned to IT Ops, due in 24h, evidence re-checks on close.]
Collect once, reuse everywhere

Your PCI DSS work becomes a head start on every other framework

PCI shares the majority of its controls with SOC 2, ISO 27001, HIPAA, and NIST. Compyl cross-maps each control so one piece of evidence satisfies every framework it touches.

  • One control mapped to its equivalent across 70+ frameworks
  • Collect evidence once and reuse it across every report
  • See instantly how PCI readiness translates to SOC 2 or ISO 27001
  • Add the next framework without starting the program over
[Cross-mapped controls preview, Req 7 Access control, 47 mapped: 800-53 14, ISO 27001 12, NIST CSF 9, SOC 2 8, HIPAA 4. Evidence collected once automatically satisfies 47 controls.]
The standard

12 requirements, six goals

PCI DSS organizes 12 requirements into six security goals. Compyl maps evidence to each requirement and keeps your cardholder data scope documented.

Req 1–2

Secure network

Install and maintain network security controls and secure configurations everywhere card data flows.

Req 3–4

Protect account data

Protect stored cardholder data and encrypt it in transit across open, public networks.

Req 5–6

Vulnerability management

Protect against malware and develop and maintain secure systems and software.

Req 7–9

Strong access control

Restrict access by need-to-know, authenticate every user, and control physical access.

Req 10–12

Monitor & govern

Log and monitor all access, test security regularly, and maintain an information-security policy.

How you validate

SAQ or ROC, and quarterly scans

How you prove PCI compliance depends on your size and how you take payments. Compyl produces the evidence either path needs.

SAQ

Self-Assessment Questionnaire

Most merchants and service providers self-attest against the requirements that apply to their environment.

Who: smaller merchants & eligible service providers
Cadence: annual self-assessment
Where Compyl helps: pre-filled evidence for every applicable requirement
ROC

Report on Compliance & ASV scans

Larger volumes (typically Level 1) require an on-site assessment by a QSA, plus quarterly external scans by an ASV.

Who: Level 1 (~6M+ transactions/year)
Cadence: annual ROC · quarterly scans
Where Compyl shines: continuous evidence the QSA can sample any day
Why Compyl for PCI DSS

Not a checkbox tool, a continuous compliance engine

Plenty of tools help you fill in a SAQ. Compyl keeps PCI true every day: tight scope, continuous evidence, and gaps caught before your QSA does.

01

Continuous, not point-in-time

Evidence and controls stay live year-round, so your SAQ or ROC window is clean by default.

02

One connected system

Controls, evidence, risks, and policies in one platform, not a stack of disconnected tools.

03

125+ integrations

Pulls live data from the stack you already run, so posture reflects reality, not snapshots.

04

Agentic AI

AI maps controls, drafts remediations, and offloads busywork; your team stays in control.

05

Multi-framework by design

PCI evidence carries over to SOC 2, ISO 27001, HIPAA, and NIST without redoing the work.

12: PCI requirements mapped to evidence and CDE scope
125+: native integrations feeding evidence automatically
Real-time: evidence collection, no manual screenshots
Year-round: audit readiness instead of a pre-audit scramble
It has brought a sense of relief to my life because, for the first time, we have a real solution in place that is proactively keeping us protected.
Jon Senior CTO · via G2
Recognized by users on G2

Rated a leader by the teams who use it

G2 High Performer, Mid-Market
G2 Momentum Leader
G2 Fastest Implementation, Go-Live Time
G2 Best Support, Quality of Support
G2 Best Meets Requirements, Mid-Market
Beyond PCI DSS

Secure cardholder data once, extend to every framework that follows

Compyl cross-maps controls so the work you do for PCI DSS carries straight into the next framework on your roadmap.

FAQ

PCI DSS questions, answered

PCI DSS is the Payment Card Industry Data Security Standard, built on 12 requirements across six security goals. It applies to any organization that stores, processes, or transmits cardholder data. The current version is v4.0.1, and you validate annually through a SAQ or a QSA-issued ROC, plus quarterly network scans.

v4.0 (and the v4.0.1 update) added more than 50 new requirements, including targeted risk analyses, expanded multi-factor authentication, anti-phishing controls, and stronger requirements for service providers. Many were future-dated and became mandatory after March 2025, so programs that haven't operationalized them now have gaps.

A Self-Assessment Questionnaire (SAQ) is a self-attestation used by smaller merchants and eligible service providers. A Report on Compliance (ROC) is an on-site assessment performed by a Qualified Security Assessor, typically required at Level 1 (around 6 million transactions a year). Both are supported by quarterly ASV scans.

Compyl connects to your stack, collects evidence for all 12 requirements, continuously monitors controls, helps shrink and document your cardholder data environment, scores evidence health, and flags gaps, so your SAQ or ROC is a formality instead of a fire drill.

Compyl 26.2 introduced Evidence Health, which continuously scores every piece of evidence on relevance, freshness, and completeness, with an AI summary of what's missing, so gaps surface long before your assessment.

Yes. Compyl cross-maps each control so a single control and its evidence can satisfy PCI DSS alongside SOC 2, ISO 27001, HIPAA, and 70+ other frameworks. Collect once, reuse everywhere it applies.

Security and GRC teams at merchants, payment-handling SaaS companies, and service providers (CISOs, compliance managers, and IT leaders) who need to validate PCI annually and keep it true the rest of the year.

GRC YOUR WAY

Make PCI DSS a formality, not an annual fire drill

See how Compyl automates evidence for all 12 requirements, keeps your cardholder data scope tight, and flags gaps long before your QSA.
