PCI-DSS v4.0 expanded the requirements list, tightened the documentation burden, and shortened the timeline for compensating controls. If your acquirer just asked for your SAQ, or your QSA just sent you a 60-page evidence request, or you're trying to figure out which SAQ even applies to you — start here.
PCI-DSS reads like 12 simple requirements. Then you start reading sub-controls and you find 260+ specific things you need to do, many of which require evidence formats your team has never produced. The CDE scoping question alone — 'what touches cardholder data?' — is harder than it sounds, and getting it wrong means either a much larger compliance scope than you needed or a finding that should have been avoidable.
Vault is built around getting the scoping right, then doing the documentation cleanly, then having an answer ready when the QSA arrives.
Guided assessment across all 12 PCI requirements with sub-control breakdowns. CDE scoping logic that walks you through the actual decision (not the diagram you'll regret). SAQ type routing — A, A-EP, B, B-IP, C, C-VT, D-Merchant, D-Service Provider, P2PE — based on your environment. Evidence packet export. Full Tammie advisor access.
Everything in Self-Service, plus async Registered Practitioner review of your segmentation, your CDE boundary, and your completed SAQ before you submit it to your acquirer or QSA. The single highest-leverage hour we can spend with you.
For merchants and service providers who'd rather hand off the work. We run the engagement: scope, segmentation validation, control implementation guidance, evidence build, SAQ delivery, and (for service providers) Attestation of Compliance preparation. Includes ongoing maintenance and prep for your annual reassessment.
Trained on all 12 requirements, the v3.2.1 to v4.0 transition language, the SAQ matrix, and the v4.0.1 future-dated controls. Ask her to interpret a sub-control, draft a compensating control rationale, or sanity-check your CDE scoping.
Each of the 12 requirements expands into its sub-controls — every one gets its own assessment surface with evidence expectations and scoring. You build defensible documentation requirement by requirement.
The scoping decision is the most consequential thing you'll do in PCI; we built a guided process to walk you through it cleanly, document the rationale, and produce a network diagram and data flow that your QSA will recognize.
A Registered Practitioner reviews your scoping, your segmentation, and your completed SAQ before any of it goes to an external party. The cost of a finding on a finalized SAQ is much higher than the cost of a review.
PCI is the framework where the cost of mistakes is most directly financial. A bad SAQ submission, a missed compensating control, a scope expansion you didn't see coming — they all show up as money. Vault is designed around the assumption that you'd rather catch them in our review than in your QSA's findings letter.
Twenty minutes of intake, a focused PCI gap analysis tuned to your environment, and a real PDF brief you can take to your acquirer or your board. Roll the $624 into Vault within 14 days.