PCI DSS software that gets you compliant and keeps your acquirer happy

Your acquirer just asked for your SAQ or AoC. Your card processor won't onboard you without it. ISO-STANDARD.app is the PCI DSS v4.0 workspace that scopes your CDE, maps the 12 requirements, runs the SAQ workflow and evidences ongoing operation — without a QSA-priced tool.

PCI DSS is a business licence, not a compliance nice-to-have

If you touch cardholder data, your merchant agreement obliges PCI DSS. If you're a service provider, your clients' compliance depends on yours. v4.0 tightens the ratchet: continuous evidence, targeted risk analysis, customised approach — the era of "PDF once a year" is over.

Most SMEs run PCI in a spreadsheet, hoping the acquirer never asks. When they do — or when a card scheme fine lands after an incident — the cost dwarfs the tool.

What's in the box

Scope your CDE properly

Cardholder data flows, systems in scope, connected systems and shared-responsibility split with your processor and PSP.

12 requirements, mapped

Each PCI DSS v4.0 requirement broken into evidence-able sub-controls with owner, cadence and current status.

SAQ workflow

SAQ A, A-EP, B, B-IP, C, C-VT, D-Merchant and D-Service Provider — draft answers against live evidence and export the signed SAQ.

Targeted risk analyses (TRAs)

v4.0's TRA workflow captured, owned and reviewed on a defined frequency — not stashed in someone's inbox.

Segmentation & MFA evidence

Prove CDE segmentation, MFA on all admin and remote access, and quarterly access reviews.

Attestation of Compliance pack

Bundle your AoC, SAQ, network diagram and evidence for the acquirer or client — one link, one download.

Why merchants and service providers choose us

v4.0
Current standard, ready today
8 SAQs
All merchant/service-provider variants
TRA
Targeted risk analyses tracked, not lost
1 link
AoC + SAQ + evidence pack for buyers

How buyers verify you — in minutes, not weeks

Card-schemes, acquirers and enterprise merchants each want a slightly different artifact. One workspace serves all three.

  1. Step 1

    Publish AoC status on your Trust Center

    Prospective merchants see your current AoC, SAQ level and validation date — the questions that used to take a week are answered up front.

  2. Step 2

    Route the AoC under NDA

    Gated download of your full AoC / SAQ with click-through NDA; you know exactly who has it.

  3. Step 3

    Deliver the shared-responsibility matrix

    A precise split of which PCI requirements you cover vs. the merchant or upstream service provider — the answer their QSA needs.

  4. Step 4

    Prove ongoing operation

    Quarterly vulnerability scans, targeted risk analyses and access reviews are logged and dated — recertification is documentation, not archaeology.

The artifacts buyers actually ask for

Every artifact below is generated inside the workspace, versioned, timestamped and shareable via a signed link — no last-minute PDF assembly, no "wait, which version did I send them?"

Signed SAQ (A / A-EP / B / B-IP / C / C-VT / D)
Attestation of Compliance (AoC)
Cardholder data flow diagram (versioned)
Network segmentation evidence for CDE
Targeted Risk Analyses per v4.0
Quarterly vulnerability scan reports (ASV)
MFA coverage report (admin + remote access)
Shared-responsibility matrix for merchants

Who it's for

SaaS or PSP handling cardholder data

Pain: Your merchants ask for an AoC, and your CTO is chasing screenshots at 2am the night before the acquirer call.

With ISO-STANDARD.app: AoC + shared-responsibility matrix live on your Trust Center; merchant reviews take one call, not one month.

Merchant escalating to a larger SAQ

Pain: You've outgrown SAQ A. SAQ D-Merchant looks intimidating and no one in the team has done it before.

With ISO-STANDARD.app: Guided workflow, requirement-by-requirement — evidence collected once and reused for every future SAQ.

Service provider preparing for a Level-1 ROC

Pain: A QSA is arriving in eight weeks and you don't know which requirements are exposed.

With ISO-STANDARD.app: Pre-audit gap view against Level-1 SP scope, remediation tracked, evidence ready — QSA time spent auditing, not chasing.

Deal-close moment
"Our acquirer used to ask for a fresh AoC every renewal. Now they check the Trust Center link, see the validation date, and move on."
CTO, Payments-adjacent SaaS

Answers buyers, procurement and auditors want

Does the platform replace a QSA?+

For SAQ-eligible entities, most self-assessments can be completed without a QSA. For Level-1 or ROC engagements, the platform prepares you and hosts evidence so the QSA works efficiently.

Does it cover PCI DSS v4.0?+

Yes — v4.0 (including v4.0.1 clarifications) is the current baseline; TRAs, customised approach markers and continuous evidence are built in.

Can I run multiple environments (staging / prod / new product)?+

Yes. Each CDE can be scoped independently, with its own diagrams, controls and SAQ answers.

How does it help me sell?+

Merchants and enterprise buyers want the AoC and a shared-responsibility matrix. Publishing both on your Trust Center collapses your sales cycle.

Does it integrate with SOC 2 / ISO 27001 evidence?+

Yes — the same evidence vault, controls and audit log serve every standard, so you're not maintaining three parallel folders.

Related

Read the PCI DSS guide. Pair with ISO 27001 or SOC 2.

Sample PCI DSS evidence you can download now

Redacted samples of the artifacts a QSA (or your acquirer's risk team) will ask for — download to benchmark your own.

Samples are anonymised for public preview. Real exports carry your workspace branding, signed timestamps and per-control mappings.

Get PCI DSS ready — and keep your acquirer happy

Scope your CDE, map the 12 requirements, publish your AoC status, and stop treating PCI as an annual scramble.

Prefer a conversation? Email hello@iso-standard.app — a practitioner responds within one business day.

MM
Michael McCarroll
Founder · 25+ years
IT governance · Information security · AI
Why this platform exists

Enterprise-grade governance — built for the SMEs and consultants enterprise GRC forgets.

I've spent 25 years in corporate governance — aligning technology, controls and compliance with what the business is actually trying to do. Time and again, the same pattern: the organisations that win new clients aren't the ones with the biggest GRC budget. They're the ones who can demonstrate trust on demand. This platform is the tool I wanted for the SMEs and consultants I've worked with — institutional-grade governance without an institutional price tag, built on the way audits and buyer reviews actually happen.