For Security Teams, QSAs, and Compliance Officers handling cardholder data
Map controls to all 12 PCI DSS requirements, manage evidence for SAQ or ROC assessments, and track remediation of identified gaps — continuously, not just before your annual assessment.
PCI DSS v4.0.1 defines 12 requirements organized into six control objectives for protecting cardholder data: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access controls, regularly monitor and test networks, and maintain an information security policy.
Version 4.0 introduced a customized approach alongside the traditional defined approach, giving organizations flexibility in how they meet each requirement — provided they can demonstrate the control objective is met. It also added new requirements around authentication, encryption, and security awareness that become mandatory in March 2025.
“PCI DSS v4.0 is the most significant update in the standard's history. The shift to outcome-based requirements and the customized approach demand better evidence management — not less.”
PCI compliance is often treated as an annual event — a scramble before the QSA arrives. Between assessments, controls drift: network segmentation changes aren't documented, access reviews fall behind schedule, vulnerability scans happen but findings aren't remediated within required timeframes, and evidence of daily log reviews is inconsistent.
The v4.0 transition adds complexity. New requirements around multi-factor authentication, targeted risk analysis for each requirement, and the customized validation approach all demand more structured evidence management than most organizations had in place under v3.2.1.
Thirdsentry maps your controls to all 12 PCI DSS requirements and their sub-requirements. Internal assessments evaluate control effectiveness against each requirement, with AI-powered scoring that identifies gaps and generates risk entries with specific remediation actions.
Evidence collection is continuous: as your team documents controls, performs scans, completes access reviews, or updates configurations, evidence is linked to the specific PCI requirements it satisfies. When assessment time comes — whether SAQ self-assessment or a full ROC — the evidence trail already exists.
For organizations transitioning to v4.0.1, the platform highlights new and changed requirements, tracks implementation progress on future-dated requirements, and supports both the defined approach and customized approach validation methods.
Map controls to all PCI DSS requirements and sub-requirements with gap identification at each level.
Structured assessment workflows for both self-assessment questionnaires and Report on Compliance preparation.
Track implementation of new and changed requirements with deadlines and progress visibility.
Evidence is linked to specific PCI requirements as collected — no end-of-year evidence scramble.
Support for PCI DSS v4.0's targeted risk analysis requirement with documented methodology and results.
Assessment findings become tracked remediation tasks with owners, SLAs, and escalation paths.
Yes. Thirdsentry's PCI DSS framework includes all requirements from v4.0.1, including new requirements that became mandatory in March 2025 and the customized approach validation method.
No. A Qualified Security Assessor is required for ROC assessments. Thirdsentry prepares your organization for the assessment by maintaining continuous evidence, tracking control effectiveness, and ensuring gaps are identified and remediated before the QSA arrives.
Yes. The platform supports both validation methods. For the customized approach, you can document your alternative controls and the evidence that demonstrates the control objective is met.
See how Thirdsentry automates PCI DSS control mapping, evidence collection, and gap analysis — so your team focuses on risk decisions, not compliance overhead.