RiskWatch

For Level 1 Merchants + Service Providers + Multi-Channel Retailers

One platform for DSS 4.0 controls, CDE scoping, and Targeted Risk Analysis across every payment channel.

Payment-accepting organizations face one of the most prescriptive compliance stacks in the industry: PCI DSS 4.0.1 (12 requirements + 64 sub-requirements), CDE scoping + segmentation, the new Targeted Risk Analysis, the Customized Approach, ROC + SAQ + ASV scan validation, and the additional PCI 3DS, PA-DSS / SSF, and Card Production overlays. RiskWatch handles all of it as one survey-based assessment platform sized for PCI Compliance Managers running multi-channel retail + eCommerce + service-provider organizations.

Trusted by Level 1 merchants, service providers, and multi-channel retailers managing PCI DSS 4.0, CDE scoping + segmentation, Targeted Risk Analysis, ROC + SAQ + ASV scan validation, and the broader PCI Security Council framework suite across POS + eCommerce + mail-order + telephony channels.

Customers include Puma North America, Bose, The Coca-Cola Company, Aon, TE Connectivity, and Halex.
Ratings: G2 Crowd 4.8 (118+ reviews) · Capterra 4.7 (82+ reviews) · Gartner Peer Insights 4.8 (Voice of the Customer)

Why PCI Compliance Managers Pick RiskWatch

RiskWatch turns DSS 4.0, CDE scoping, TRA, and Customized Approach into one program.

RiskWatch runs PCI DSS 4.0, CDE scoping + segmentation, the Targeted Risk Analysis, the Customized Approach, PCI 3DS, PA-DSS / SSF, Card Production, and the broader cross-mapped frameworks as one program on one platform, scored against the same controls library, and tracked through a single QSA-ready evidence trail. Built for PCI Compliance Managers where one team covers every payment channel, every CDE boundary, and every assessment cycle, without enterprise-bank GRC overhead.

CDE scoping + segmentation in one library

Auto-discovery of cardholder-data flows, segmentation evidence per §1.2.1 and §1.2.4, and the §11.4.5 / §11.4.6 segmentation pen-test cycle share one evidence set, so there are no parallel scoping spreadsheets.

Targeted Risk Analysis methodology built in

DSS 4.0's TRA workflow for the 18 controls that allow customer-defined frequencies (anti-malware, vulnerability scans, access reviews) is templated and tracked. Customized Approach control-objective documentation runs from the same vault.

Multi-channel + multi-merchant built in

Multi-channel retailers and service providers with multiple merchants in scope run per-channel CDE posture with rollup to the consolidated ROC. White-glove implementation in 30 days, not 6 months.

The PCI DSS Regulatory Landscape

DSS 4.0 changed PCI more than any release since 2.0.

PCI DSS 4.0 (effective March 31, 2024) and 4.0.1 (released June 2024) introduced the Targeted Risk Analysis, the Customized Approach, expanded scope on multi-factor authentication, new requirements for client-side scripts (§6.4.3) and HTTP request validation (§11.6.1), and stricter password and key-management rules. The 64-control 'future-dated' subset became enforceable March 31, 2025. Brand fines + acquirer assessments remain the enforcement layer (Visa, Mastercard, Amex, Discover, JCB), with CHD breach incidents driving 6-figure to 8-figure penalties. Each merchant level has its own validation cycle.

DSS 4.0.1: PCI DSS 4.0.1 (June 2024), 12 reqs · 64 sub-reqs · 18 TRA controls
Mar 2025: Future-dated subset of DSS 4.0 became enforceable, 64 new sub-controls
TRA: Targeted Risk Analysis, new methodology for 18 customer-defined-frequency controls
§11.4.5: Segmentation pen-test required at least annually for service providers

Three Domains, One Platform

PCI DSS risk lives in three concrete domains

RiskWatch covers all three. Each domain has a dedicated workflow, scoring model, and remediation queue. They share data so a single CDE assessment satisfies DSS 4.0 §3, the corresponding TRA, the segmentation pen test, and the QSA-required evidence trail simultaneously.

Risk

CDE + Vendor + Scope Risk

Survey-based risk assessment across cardholder-data flows, CDE boundaries, vendor + service-provider posture, and scope reduction.

  • CDE auto-discovery captured
  • Vendor PCI posture scored
  • Scope reduction tracked
Compliance

DSS 4.0 + 12 Reqs + TRA

All 12 PCI DSS 4.0 requirements + 64 sub-requirements, Targeted Risk Analysis, and the Customized Approach in one cross-mapped library.

  • 12 reqs + 64 sub-reqs scored
  • TRA workflow templated
  • Customized Approach ready
Validation

SAQ + ROC + ASV

SAQ self-assessment (A through D + P2PE-HW), ROC for Level 1 merchants + service providers, and ASV quarterly scans tracked in one place.

  • SAQ workflow templated
  • ROC evidence vault live
  • ASV scan results tracked

§1.2.1 + §11.4.5 · CDE Scoping Spotlight

Smaller CDE = fewer §3 requirements on fewer systems.

Most merchants apply PCI controls to far more of their network than necessary because they lack a segmentation map. CDE auto-discovery + scope reduction is the highest-ROI move in PCI DSS 4.0. The CDE Scoping wizard maps cardholder-data flows, classifies systems as CDE / Connected / Out-of-scope per §1.2.1 + §1.2.4, and tracks the §11.4.5 quarterly segmentation pen-test cycle required for service providers.

PCI DSS v4.0.1 · scope reduction
270 systems · only 14 in CDE. Scope drives cost.

  • Cardholder Data Environment (14 systems): stores, processes, or transmits cardholder data. All §3 requirements apply.
  • Connected systems (9 systems): connect to or impact CDE security (§1.2.1). A subset applies: §1, §2, §6, §10, §11.
  • Segmented out (247 systems): no connectivity to the CDE per §1.2.4 segmentation tests. Out of PCI scope.

Segmentation validation · QSA review
  • Network segmentation rules verified (§1.2.1)
  • Firewall rules deny CDE traffic from out-of-scope systems (§1.2.4)
  • Penetration test confirms isolation (§11.4.5)
  • Quarterly segmentation re-validation scheduled (§11.4.6)

PCI-treating fewer systems = audit cost down 60–80%. Scope is the lever. Use it.

The Coverage Gap

Most PCI software covers one requirement

GRC platforms handle policies + reviews. ASV vendors run quarterly scans. Network segmentation tools handle §1.2 boundaries. QSA firms run the assessment. Each does one job. PCI Compliance Managers still operate four parallel programs.

Platform Category       Examples                          DSS 4.0   CDE Scoping   Targeted Risk   ASV Scans   ROC/SAQ   Multi-merchant
Generic GRC             ServiceNow GRC, Archer            Partial   ·             Partial         ·           Partial   Partial
PCI Specialty Tools     ControlScan, Aperia               Yes       Partial       Partial         Yes         Yes       Partial
ASV Scan Vendors        Trustwave, Qualys ASV             ·         ·             ·               Yes         ·         ·
Segmentation Tools      Illumio, Akamai Guardicore        ·         Yes           ·               ·           ·         ·
QSA Consulting Firms    Coalfire, Schellman, A-LIGN       Yes       Yes           Yes             ·           Yes       Partial
Spreadsheets & Email                                      ·         ·             ·               ·           ·         ·
RiskWatch               The unified ROC-ready platform    Yes       Yes           Yes             Yes         Yes       Yes

RiskWatch is the only platform covering all six PCI compliance domains: DSS 4.0 controls, CDE scoping + segmentation, the new Targeted Risk Analysis, ASV scan tracking, ROC/SAQ validation, and multi-merchant coordination. GRC platforms cover policies. ASV vendors run scans. Segmentation tools handle boundaries. Each does one job. RiskWatch unifies all six in one survey-based assessment workflow.

How It Works

One platform. Continuous compliance across every payment channel.

RiskWatch is a survey-based assessment platform. The work is structured around questionnaires that capture CDE boundaries, the 12 PCI DSS 4.0 requirements, segmentation evidence, and the new TRA + Customized Approach in a consistent format, then scored against every framework you align to.

For PCI DSS, that workflow runs continuously across DSS 4.0.1, the 18 TRA controls, the segmentation pen-test cycle, ASV quarterly scans, and the broader PCI 3DS / PA-DSS / Card Production overlays. A single CDE assessment scores against DSS 4.0 §3, the TRA-required customer-defined frequency, and the cross-mapped SOC 2 + ISO 27001 controls simultaneously.

The same platform runs all of it, surfaces gaps before QSA arrival, assigns remediation owners, and tracks completion. Replace the GRC platform, the ASV portal, the segmentation spreadsheet, and the QSA reconciliation between them.

The Workflow

  1. Scope: CDE auto-discovery captures cardholder-data flows. Connected-system inventory, segmentation evidence, and out-of-scope confirmation per §1.2.1 + §1.2.4 are documented.
  2. Score: Responses score against the 12 DSS 4.0 requirements, the 18 TRA controls, the Customized Approach control objectives, and cross-mapped SOC 2 + ISO 27001 + NIST CSF.
  3. Remediate: Gaps become assigned tasks. Owners get deadlines. Vendor + service-provider + 3rd-party tasks cascade to the supplier portal automatically.
  4. Validate: Evidence trails export to SAQ A through D, ROC for Level 1 merchants + service providers, ASV quarterly scan reports, and segmentation pen-test artifacts. QSA-ready in minutes.

Built For Your Role

Who uses RiskWatch in a Level 1 merchant or service provider

PCI Compliance Manager

Owns the enterprise PCI program, QSA relationship, ROC validation cycle, and acquirer reporting.

12 reqs + 64 sub-reqs scored continuously. ROC evidence vault live. QSA pre-audit packages ready. Acquirer reporting on demand.

Director of Information Security

Owns the technical security controls, CDE protection, MFA + encryption + access management aligned to DSS 4.0.

All §6, §7, §8, §10, §11 controls scored. MFA + encryption evidence captured. Access reviews tracked. Pen-test results integrated.

Network Engineering Lead

Owns CDE scoping, segmentation rules, §1 firewall + boundary controls, and the §11.4.5 segmentation pen test.

Segmentation map live. §1.2.1 / §1.2.4 evidence captured. Quarterly segmentation re-validation scheduled. Pen-test integration tracked.

Application Security Lead

Owns §6 secure development, §11.6.1 HTTP request validation, §6.4.3 client-side scripts, and the SDLC + secure coding evidence.

§6.4.3 client-side script inventory live. §11.6.1 HTTP request validation captured. SDLC evidence + code review tracked.

Vendor + Service Provider Lead

Owns the §12.8 service-provider management, the supplier PCI register, and acquirer-facing service-provider reporting.

Service-provider register live. §12.8 evidence captured. AOC retention tracked. Service-provider risk continuously scored.

Audit + Risk Lead

Owns the TRA methodology, internal PCI audit cycle, the Customized Approach control-objective documentation, and brand reporting.

TRA workflow live for 18 controls. Customized Approach docs captured. Internal audit cycle continuous. Brand reporting evidence vault.

Built For Your Segment

PCI segments we serve

Multi-Channel Retailers

Brick-and-mortar + eCommerce + mail-order + telephony retailers running CDE across POS, web, and contact-center channels.

eCommerce + Direct-to-Consumer

Online merchants under SAQ A, A-EP, or D with iframe / redirect / hosted-payment-page architectures and §6.4.3 client-side script obligations.

Service Providers

Acquirers, processors, gateways, hosting providers, and managed services under stricter service-provider PCI requirements (§11.4.5 quarterly segmentation pen-test).

Hospitality + QSR

Hotels, restaurants, and franchises running PCI across centralized + franchisee POS, payment-tokenization, and gift-card programs.

Healthcare + Insurance Payments

Healthcare providers + payers running PCI alongside HIPAA, with patient-payment portals, kiosks, and IVR systems in scope.

B2B + SaaS Billing

B2B SaaS, subscription, and recurring-billing platforms running PCI on tokenized payment flows + Stripe / Adyen / Braintree integrations.

Frameworks We Cover

PCI frameworks built into the library

RiskWatch ships with pre-built libraries for every major PCI Security Standards Council document + state law + cross-mapped framework. Map controls once. Score against the framework that matters this validation cycle.

Regulatory + PCI SSC Frameworks

PCI DSS 4.0.1
Payment Card Industry Data Security Standard 4.0.1 (June 2024), 12 core requirements, 64 sub-requirements, TRA, Customized Approach.
PCI Security Council
PCI SSC ecosystem, supplementary guidance, FAQs, and the broader standard suite (PIN, P2PE, ATM, EMV co-existence).
PCI 3DS
PCI 3DS Core Security Standard, 3D Secure 2.x environment requirements for issuers and ACS providers.
PA-DSS / SSF
Payment Application Data Security Standard (sunsetted) and the PCI Software Security Framework (SSF) replacement for payment software vendors.
PCI Card Production
PCI Card Production Logical + Physical Security Requirements for issuer card production and personalization vendors.
MA 201 CMR 17 / NV 603A
Massachusetts 201 CMR 17 + Nevada NRS 603A, state laws that incorporate PCI DSS by reference for entities holding PII.

Industry + Cross-Mapped Frameworks

PCI DSS 4.0 TRA
Targeted Risk Analysis methodology for the 18 controls allowing customer-defined frequencies, templated workflow.
PCI Customized Approach
DSS 4.0 Customized Approach, alternative compliance path with documented control-objective evidence.
NIST CSF 2.0
Cybersecurity Framework 2.0 (Feb 2024), outcome-based mapping of every PCI DSS control to Govern / Identify / Protect / Detect / Respond / Recover.
ISO 27001:2022
ISMS standard with the 2022 Annex A (93 controls) cross-walk to PCI DSS for international merchants running both.
SOC 2 Type II
AICPA Trust Services Criteria cross-mapping for service providers running SOC 2 alongside PCI DSS.
AICPA Trust Services Criteria
Security, Availability, Processing Integrity, Confidentiality, Privacy, TSCs cross-mapped to DSS 4.0 controls.

Trusted by 1,500+ risk and compliance teams

Aon
Bose
The Coca-Cola Company
Iberdrola USA
Johnson & Johnson
Pfizer
Puma North America
SeaWorld Entertainment
TE Connectivity
We were running PCI in a 60-tab spreadsheet, ASV scans in a separate portal, segmentation evidence in Visio, and the QSA submission in Word. Now it's one platform. CDE scoping, all 12 DSS 4.0 reqs, the 18 TRA controls, the §11.4.5 segmentation pen-test cycle, and SOC 2 cross-mapping all run from the same evidence vault. Our last QSA assessment closed with three findings instead of fourteen, and we cut prep time from 16 weeks to 6.
B. Newhouse
PCI Compliance Manager + Director Information Security, Level 1 multi-channel retailer · 4,200 employees · 1,800 stores · CDE spans POS + eCommerce
4 → 1: tools consolidated to one platform
14 → 3: QSA findings on most recent ROC
16 → 6 wks: QSA prep time reduced

See RiskWatch run a DSS 4.0 + CDE + TRA cycle live

30-minute walkthrough of the PCI library, your channel + CDE inputs, and the QSA-ready evidence-trail output. No slideware, no consulting upsell.

Or call US: +1 941-500-4525

Request a Demo