ciso.diy

PCI DSS v4.0.1 Readiness Accelerator

12-tab PCI DSS v4.0.1 workbook — all 12 requirement domains, SAQ type selector, 51 future-dated requirements tracker, e-commerce script security controls, and QSA-ready evidence register. Built for the March 2025 mandatory transition.

All PCI DSS v4.0 requirements are now fully mandatory as of March 31, 2025. Any organization that stores, processes, or transmits payment card data must comply — no exceptions, no grace period.

12-tab architecture:

Scope & Applicability — org profile, CDE boundary definition, data types with the explicit rule that sensitive authentication data (SAD) is never stored after authorization.

Cardholder Data Flow — flow inventory with the prohibited SAD storage checklist.

SAQ Type Selector — 12-question decision tree with formula-driven recommendation. Default e-commerce + full redirect + no storage correctly produces SAQ A.

Requirements Tracker — all 12 PCI DSS v4.0.1 domains with 160+ control items, Future-Dated flag per requirement, status dropdowns, and formula-driven summary counts per domain.

Future-Dated Requirements — focused view of the 51 requirements that became mandatory March 2025, with plain-English "what it requires" and effort estimates.

E-commerce Script Security — Requirements 6.4.3 and 11.6.1 implementation: payment-page script inventory, CSP/SRI/WAF controls. The most common gap in e-commerce scopes.

Evidence Register — 45 evidence items a QSA will ask for, mapped to requirements.

Targeted Risk Analysis — TRA template and register for all 8 common TRA topics (now required for customized approach).

Compensating Controls — Appendix B worksheet plus Customized Approach framing.

Remediation Plan — prioritized gap tracker with status validation.

User Guide (27 pages, 13 sections): 2026 reality with deadline callouts, scoping methodology, the SAQ A vs SAQ A-EP trap (most common industry mistake), working the tracker in the right order, high-leverage future-dated requirements, e-skimming controls deep-dive, TRA practical guidance, compensating controls vs Customized Approach, evidence discipline, working with QSAs/ASVs/acquirers, 12 common pitfalls.

What's included

  • Excel (.xlsx) — fully editable
  • Word (.docx) — User Guide — fully editable
  • Instant download after purchase
  • Free updates — re-download when we release new versions
  • Practitioner License: unlimited client use (vCISO / MSP)

Choose your license:

  • Secure checkout via Stripe
  • All major cards accepted
  • 30-day satisfaction guarantee
Version: 1.0
Last updated: 2026-04-23
Workbook tabs: 12