
PCI DSS Compliance Audit Tool

AI-powered PCI DSS v4.0.1 audit that reads your card-data-environment policies, merchant agreements, and service-provider contracts and cites the exact requirement (Req 3.5.1.1, Req 8.4.2, etc.) for every gap. It covers 119 PCI DSS requirements, including the 34 future-dated requirements that have been mandatory since 31 March 2025.

What PCI DSS covers

Full name: Payment Card Industry Data Security Standard v4.0.1

Jurisdiction: Global — PCI Security Standards Council; enforced by card brands (Visa, Mastercard, Amex, Discover, JCB)

Penalties: Card-brand fines $5,000 – $100,000 per month for non-compliance; per-card forensic-investigation fines $50 – $90; loss of card-processing privileges for repeat or severe non-compliance.

Key PCI DSS articles AuditGuard audits against

AuditGuard's database contains 119 PCI DSS articles. Below are the most-cited sections in real-world enforcement actions. Every AuditGuard finding references a specific article ID.

Req 3.5.1.1 — PAN Encryption (future-dated)

Strong cryptography on stored PAN — mandatory since 31 March 2025. Many older policies still reference TDES.

Req 8.4.2 — MFA on Non-Console Access

Multi-factor authentication for all non-console admin access; "VPN MFA only" no longer sufficient.

Req 6.4.3 — Public-Facing Web Apps

Inventory and authorise all scripts loaded by payment pages; flagged in service-provider contracts.

Req 12.8 — Third-Party Service Providers

Maintain a list of service providers, perform due diligence, and ensure written agreements are in place; missing agreements are a top finding.

Req 11.4.4 — Penetration Test Findings

Exploitable vulnerabilities found in pen-testing must be corrected and re-tested.

Req 12.10.1 — Incident Response Plan

Documented plan covering specific incident types; many service-provider contracts omit reference to this.

Who needs a PCI DSS audit

  • Merchants accepting credit or debit card payments (any volume)
  • Service providers in the card-data environment (CDE) — hosting, processing, transmission
  • Software vendors whose code touches PAN, CVV, or track data
  • Compliance officers preparing the annual SAQ (Self-Assessment Questionnaire) or ROC (Report on Compliance)
  • Merchants undergoing card-brand-mandated PCI scope reduction

How AuditGuard audits PCI DSS compliance

  1. Upload your contract, policy, DPA, or BAA (PDF, DOCX, or TXT).
  2. Clause Extractor parses the document and isolates regulation-relevant clauses.
  3. Compliance Validator matches each clause against PCI DSS's 119 articles and identifies violations.
  4. Remediation Generator drafts replacement clause text for each finding.
  5. Critic Verifier cross-checks every citation against the regulation database before delivery.
  6. Download a PDF audit report with executive summary, per-clause findings, and corrected text.

Time to first audit: minutes. Compared with a manual legal review at $500/hour, AuditGuard runs from $5.98/audit on the Growth plan.

Frequently asked questions

Are PCI DSS v4.0.1 future-dated requirements covered?

Yes — all 34 future-dated requirements that became mandatory on 31 March 2025 are in AuditGuard's database, including the more demanding ones on script management (Req 6.4.3), MFA breadth (Req 8.4.2), and customised-approach validation (Appendix E).

Can AuditGuard audit my service-provider agreements?

Yes — under Req 12.8, merchants must maintain written agreements with service providers that include specific PCI DSS responsibility allocations. AuditGuard verifies that each required clause is present and properly scoped.

Does AuditGuard cover PCI DSS Appendices A1, A2, A3?

Yes — Appendix A1 (shared-hosting service providers), A2 (entities using SSL/early TLS — for migration documentation), and A3 (designated entities supplemental validation) are all represented in the 119-article database.

How does this differ from a QSA audit?

A QSA (Qualified Security Assessor) performs the formal Report on Compliance for Level 1 merchants and service providers — AuditGuard does not replace that. AuditGuard audits the document text (policies, contracts, SAQs) and surfaces gaps before the QSA does, so you can fix them in advance.

Audit a PCI DSS-bound document today

14-day free trial, no credit card required. Or email a policy to info@auditguard.org for a free one-page gap report.