PCI DSS V 4.0.1 Automation Platform
Automate PCI DSS V 4.0.1 evidence collection, control mapping, and audit reporting across your cardholder data environment with Threatstealth.
PCI DSS V 4.0.1 Compliance Automation
Threatstealth automates PCI DSS V 4.0.1 compliance with continuous evidence collection, control-by-control mapping, and QSA-ready audit exports across your entire cardholder data environment (CDE).
- 300+ PCI DSS V 4.0.1 sub-requirements — every requirement continuously validated against live environment signals
- CDE scope automation — auto-discover and tag systems that process, store, or transmit cardholder data
- Continuous evidence collection — timestamped, immutable artifacts for every control check, updated hourly
- QSA-ready export — generate a complete RoC-aligned evidence bundle in one click for your assessor
- Gap remediation queue — open findings with owner assignment, SLA tracking, and compensating control documentation
- v4.0 customised approach — support for the new Customised Approach requirements with risk acceptance workflows
PCI DSS V 4.0.1 Overview: What Changed and What It Means
PCI DSS Version 4.0.1, published in June 2024 as a minor revision of v4.0, is the current mandatory standard for all organisations that process, store, or transmit payment cardholder data. The transition from v3.2.1 to v4.0 introduced significant changes including 64 new requirements, the new Customised Approach pathway allowing organisations to demonstrate equivalent security through alternative controls, and the elevation of multi-factor authentication requirements across all CDE administrative access. All organisations were required to complete transition from v3.2.1 by March 2024, and all new future-dated requirements in v4.0 became mandatory by March 2025.
- 64 new requirements — additional controls introduced in PCI DSS v4.0 beyond those in v3.2.1
- Customised Approach — new pathway allowing demonstration of PCI DSS objectives through alternative controls
- MFA expansion — multi-factor authentication now required for all access into the CDE, not just administrative access
- Phishing protection — new requirements for phishing-resistant authentication mechanisms for targeted users
- Targeted risk analysis — new requirement for organisations to document risk-based decisions for certain controls
CDE Scope Automation and Cardholder Data Environment Mapping
PCI DSS scope definition — identifying which systems are in-scope as part of the cardholder data environment — is the foundation of the entire compliance programme. Scope creep is the most common PCI DSS compliance failure mode: systems inadvertently connected to the CDE without being brought into compliance scope. Threatstealth's CDE scope automation continuously scans the network and application topology to discover systems with connectivity to known CDE systems, flagging potential in-scope systems for administrator review. All confirmed in-scope systems are tagged in the asset inventory and automatically included in evidence collection and control validation runs.
- Topology scanning — continuous discovery of systems with network connectivity to confirmed CDE assets
- CDE asset tagging — all confirmed in-scope systems tagged for automatic inclusion in compliance evidence collection
- Scope change alerting — notification when new systems are discovered with CDE connectivity requiring scope assessment
- Network segmentation validation — automated checks confirming segmentation controls between CDE and out-of-scope systems
- Scope documentation export — formatted CDE scope documentation for inclusion in the Report on Compliance (RoC)
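The connectivity-driven scope discovery and segmentation check described above, as an added illustration that is not Threatstealth's code: given a constructed table of observed network flows and a set of confirmed CDE assets (hostnames and flows are hypothetical), it computes which systems are directly or transitively connected to the CDE, lists declared out-of-scope systems that nevertheless have a flow to a CDE asset, and produces the review queue of newly discovered hosts.

```python
"""Added example (not Threatstealth code): CDE scope propagation, segmentation
validation and scope-change queue over a constructed connectivity table."""
from collections import deque

# Constructed sample data: observed flows as (src, dst, dst_port). Hostnames are hypothetical.
FLOWS = [
    ("pos-gw-01", "payment-db-01", 5432),
    ("payment-db-01", "backup-01", 22),
    ("jump-01", "payment-db-01", 22),
    ("web-01", "app-01", 8080),
    ("app-01", "payment-db-01", 5432),
    ("monitor-01", "payment-db-01", 161),   # monitoring box polling a CDE host
    ("hr-01", "mail-01", 25),
]
CONFIRMED_CDE = {"pos-gw-01", "payment-db-01"}          # confirmed by scope review
OUT_OF_SCOPE = {"hr-01", "mail-01", "monitor-01"}       # declared out of scope by asset owners

def adjacency(flows):
    """Undirected connectivity map: a flow in either direction counts as connectivity."""
    adj = {}
    for src, dst, _port in flows:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    return adj

def connected_to_cde(flows, cde):
    """Breadth-first walk from confirmed CDE assets. Returns {host: hop_distance} for
    every non-CDE host reachable; hop 1 is the classic 'connected-to' in-scope trigger."""
    adj = adjacency(flows)
    dist = {h: 0 for h in cde}
    queue = deque(cde)
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return {h: d for h, d in dist.items() if d > 0}

def segmentation_violations(flows, cde, out_of_scope):
    """Declared out-of-scope systems with any observed flow to or from a CDE asset:
    each one is either a segmentation failure or an undocumented scope change."""
    hits = set()
    for src, dst, _port in flows:
        if src in cde and dst in out_of_scope:
            hits.add(dst)
        if dst in cde and src in out_of_scope:
            hits.add(src)
    return sorted(hits)

def new_for_review(discovered, already_reviewed):
    """Scope-change alert input: discovered hosts not yet assessed by an administrator."""
    return sorted(h for h in discovered if h not in already_reviewed)
```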
Requirements 6 and 11: Vulnerability Management and Security Testing
PCI DSS Requirements 6 and 11 cover the vulnerability management and security testing obligations that are among the most operationally intensive for compliance programmes. Requirement 6.3.3 mandates that all software components are protected from known vulnerabilities — alignment with the CISA KEV catalogue and EPSS-based prioritisation satisfies the risk-based vulnerability management intent of this requirement. Requirement 11 mandates quarterly external and internal network vulnerability scanning, annual penetration testing, and continuous intrusion detection. Threatstealth automates the evidence collection for all scanning and testing activities, timestamping scan results and linking them to the specific PCI DSS sub-requirement they satisfy.
- Req 6.3.3 — automated evidence that all software components are assessed for known vulnerabilities using KEV/EPSS
- Req 11.3.1 — quarterly internal vulnerability scanning results with found/fixed tracking and evidence export
- Req 11.3.2 — evidence management for quarterly external vulnerability scanning performed by an ASV (Approved Scanning Vendor)
- Req 11.4.1 — annual penetration testing scope documentation, results tracking, and finding remediation evidence
- Req 11.6 — change detection mechanism evidence for payment page integrity monitoring
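The KEV/EPSS-based prioritisation and timestamped, requirement-linked evidence artifact discussed under Requirement 6.3.3, as an added example that is not Threatstealth's code: findings, asset names and CVE ids are constructed placeholders, and the EPSS threshold is an assumed organisational value of the kind a targeted risk analysis would document.

```python
"""Added example (not Threatstealth code): rank vulnerability findings by CISA KEV
membership and EPSS, then emit a hashed, timestamped evidence record tagged to Req 6.3.3."""
from datetime import datetime, timezone
import hashlib
import json

# Constructed findings; the CVE ids are placeholders, not real identifiers.
FINDINGS = [
    {"asset": "payment-db-01", "cve": "CVE-XXXX-0001", "cvss": 7.5, "epss": 0.02, "kev": False},
    {"asset": "app-01",        "cve": "CVE-XXXX-0002", "cvss": 5.3, "epss": 0.91, "kev": False},
    {"asset": "pos-gw-01",     "cve": "CVE-XXXX-0003", "cvss": 6.1, "epss": 0.40, "kev": True},
    {"asset": "web-01",        "cve": "CVE-XXXX-0004", "cvss": 9.8, "epss": 0.01, "kev": False},
]
EPSS_HIGH = 0.5   # assumed threshold; in practice set and justified in the targeted risk analysis

def priority_tier(finding):
    """Tier 1: in CISA KEV (known exploited). Tier 2: EPSS at or above threshold. Tier 3: rest."""
    if finding["kev"]:
        return 1
    if finding["epss"] >= EPSS_HIGH:
        return 2
    return 3

def rank_findings(findings):
    """Risk order: tier first, then EPSS, then CVSS as the tie-breaker. Note that the
    CVSS 9.8 item lands last because nothing indicates it is being exploited."""
    return sorted(findings, key=lambda f: (priority_tier(f), -f["epss"], -f["cvss"]))

def evidence_record(findings, now=None):
    """Evidence artifact for Req 6.3.3: ranked findings, collection time, and a content
    hash so a later copy can be checked for tampering. The hash covers the ranked list only."""
    collected_at = (now or datetime.now(timezone.utc)).isoformat()
    ranked = [dict(f, tier=priority_tier(f)) for f in rank_findings(findings)]
    body = json.dumps(ranked, sort_keys=True)
    return {
        "requirement": "6.3.3",
        "collected_at": collected_at,
        "sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
        "ranked": ranked,
    }

def verify_record(record):
    """Recompute the hash over the stored ranked list; False means the artifact was altered."""
    body = json.dumps(record["ranked"], sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest() == record["sha256"]
```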
QSA-Ready Report on Compliance Export and Assessor Collaboration
The Report on Compliance (RoC) is the primary deliverable for PCI DSS Level 1 merchant and service provider assessments. Producing RoC-ready evidence traditionally requires months of pre-assessment preparation — gathering scan results, penetration test reports, policy documents, system configuration evidence, and interview preparation materials. Threatstealth's QSA-ready export generates a complete, structured evidence bundle for every PCI DSS v4.0.1 requirement satisfied by continuous monitoring, formatted to align with the PCI Security Standards Council's RoC reporting template. This reduces pre-assessment preparation from months to days and allows QSA assessors to complete their review efficiently through direct portal access.
- RoC-aligned evidence structure — evidence organised by requirement number matching QSA reporting template format
- One-click evidence bundle — complete PCI DSS evidence package for the full assessment period generated automatically
- QSA assessor portal — read-only evidence access for the QSA firm without engineering team mediation
- Compensating control documentation — structured workflow for documenting and evidencing approved compensating controls
- Customised Approach worksheets — documentation templates for the PCI DSS v4.0 Customised Approach pathway