PCI DSS software that gets you compliant and keeps your acquirer happy
Your acquirer just asked for your SAQ or AoC. Your card processor won't onboard you without it. ISO-STANDARD.app is the PCI DSS v4.0 workspace that scopes your CDE, maps the 12 requirements, runs the SAQ workflow and evidences ongoing operation — without a QSA-priced tool.
PCI DSS is a business licence, not a compliance nice-to-have
If you touch cardholder data, your merchant agreement obliges PCI DSS. If you're a service provider, your clients' compliance depends on yours. v4.0 tightens the ratchet: continuous evidence, targeted risk analysis, customised approach — the era of "PDF once a year" is over.
Most SMEs run PCI in a spreadsheet, hoping the acquirer never asks. When they do — or when a card scheme fine lands after an incident — the cost dwarfs the tool.
What's in the box
Scope your CDE properly
12 requirements, mapped
SAQ workflow
Targeted risk analyses (TRAs)
Segmentation & MFA evidence
Attestation of Compliance pack
Why merchants and service providers choose us
How buyers verify you — in minutes, not weeks
Card-schemes, acquirers and enterprise merchants each want a slightly different artifact. One workspace serves all three.
- Step 1
Publish AoC status on your Trust Center
Prospective merchants see your current AoC, SAQ level and validation date — the questions that used to take a week are answered up front.
- Step 2
Route the AoC under NDA
Gated download of your full AoC / SAQ with click-through NDA; you know exactly who has it.
- Step 3
Deliver the shared-responsibility matrix
A precise split of which PCI requirements you cover vs. the merchant or upstream service provider — the answer their QSA needs.
- Step 4
Prove ongoing operation
Quarterly vulnerability scans, targeted risk analyses and access reviews are logged and dated — recertification is documentation, not archaeology.
The artifacts buyers actually ask for
Every artifact below is generated inside the workspace, versioned, timestamped and shareable via a signed link — no last-minute PDF assembly, no "wait, which version did I send them?"
Who it's for
Pain: Your merchants ask for an AoC, and your CTO is chasing screenshots at 2am the night before the acquirer call.
With ISO-STANDARD.app: AoC + shared-responsibility matrix live on your Trust Center; merchant reviews take one call, not one month.
Pain: You've outgrown SAQ A. SAQ D-Merchant looks intimidating and no one in the team has done it before.
With ISO-STANDARD.app: Guided workflow, requirement-by-requirement — evidence collected once and reused for every future SAQ.
Pain: A QSA is arriving in eight weeks and you don't know which requirements are exposed.
With ISO-STANDARD.app: Pre-audit gap view against Level-1 SP scope, remediation tracked, evidence ready — QSA time spent auditing, not chasing.
"Our acquirer used to ask for a fresh AoC every renewal. Now they check the Trust Center link, see the validation date, and move on."
Answers buyers, procurement and auditors want
Does the platform replace a QSA?+
For SAQ-eligible entities, most self-assessments can be completed without a QSA. For Level-1 or ROC engagements, the platform prepares you and hosts evidence so the QSA works efficiently.
Does it cover PCI DSS v4.0?+
Yes — v4.0 (including v4.0.1 clarifications) is the current baseline; TRAs, customised approach markers and continuous evidence are built in.
Can I run multiple environments (staging / prod / new product)?+
Yes. Each CDE can be scoped independently, with its own diagrams, controls and SAQ answers.
How does it help me sell?+
Merchants and enterprise buyers want the AoC and a shared-responsibility matrix. Publishing both on your Trust Center collapses your sales cycle.
Does it integrate with SOC 2 / ISO 27001 evidence?+
Yes — the same evidence vault, controls and audit log serve every standard, so you're not maintaining three parallel folders.
Related
Read the PCI DSS guide. Pair with ISO 27001 or SOC 2.
Sample PCI DSS evidence you can download now
Redacted samples of the artifacts a QSA (or your acquirer's risk team) will ask for — download to benchmark your own.
100% MFA coverage across the IdP and all federated SaaS, phishing-resistant factor distribution and exception log.
PDF · ISO 27001 A.5.17/A.8.5 · SOC 2 CC6.1 · PCI Req 8.4
Monthly authenticated ASV scan of the production perimeter with SLA-tracked remediation and risk acceptance log.
PDF · ISO 27001 A.8.8 · SOC 2 CC7.1 · PCI Req 11.3 · CE+
Reviewer sign-off across AWS, GitHub, Okta, RDS, Datadog, PagerDuty — with findings, remediation and attestation.
PDF · ISO 27001 A.5.15–18 · SOC 2 CC6.2/6.3 · Cyber Essentials
Facilitated ransomware tabletop: participants, decisions, target vs observed timings, gaps identified and closed.
PDF · ISO 27001 A.5.24–27 · SOC 2 CC7.4 · PCI Req 12.10
Samples are anonymised for public preview. Real exports carry your workspace branding, signed timestamps and per-control mappings.
Get PCI DSS ready — and keep your acquirer happy
Scope your CDE, map the 12 requirements, publish your AoC status, and stop treating PCI as an annual scramble.
Prefer a conversation? Email hello@iso-standard.app — a practitioner responds within one business day.