Free interactive tool
Answer 12 questions about your payment stack. Get a PCI-DSS v4.0 readiness checklist mapping your answers to specific Requirements (REQ 1-12). Identifies gaps + tells you how to close them. Download as markdown.
5 minutes. No signup. Runs entirely in your browser — your answers never leave the page.
Do you use a tokenizing payment processor (Stripe, Paystack, Flutterwave, Adyen, etc.)?
If yes, the processor returns a token and raw card data never has to reach your systems. Combined with the processor's hosted fields or redirect (next questions), this is the SAQ A path and dramatically reduces your scope. A tokenizing processor alone is not enough: how the card number gets to the processor decides which SAQ you fall under.
Confirm: NO full PAN, CVV, or magnetic-stripe data is stored in your database, logs, or backups (even briefly)?
Tokens, last-4 digits and a truncated BIN are fine, as long as the BIN and last four you keep together do not exceed what the PCI truncation rules allow. PCI-DSS v4.0 Req 3.3.1 forbids storing sensitive authentication data (CVV/CVC, full track, PIN) after authorization, ever, and Req 3.5.1 requires any stored PAN to be rendered unreadable. Storing full PAN in clear text anywhere (database, application logs, crash dumps, backups) is an audit failure regardless of intent, so check the logs and not just the schema.
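The check behind this question is "prove it is not there", and the usual place PAN turns up is a debug log of a request body. The scanner below is an added example, not part of the checklist tool; it walks constructed log lines (the `SAMPLE_LOG` entries are made up for this example), pulls out 13 to 19 digit runs, keeps only those that pass the Luhn check so order numbers and request IDs do not trigger it, and separately flags CVV/CVC field names followed by a 3 or 4 digit value. Findings show only the last four digits so the scanner's own output is not a second leak.

```python
import re

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    "2024-05-01T12:00:01Z INFO order=10231 charge=ch_3Kx tok=tok_1NabcXYZ last4=4242 status=succeeded",
    '2024-05-01T12:00:07Z DEBUG POST /api/pay body={"number":"4111 1111 1111 1111","cvc":"123","exp":"12/26"}',
    "2024-05-01T12:00:09Z INFO request_id=1234567890123456 latency_ms=42",
]

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A sensitive-authentication-data field name followed (within a few separator chars) by a 3-4 digit value.
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|csc|cid)\b\W{0,5}\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check: weeds out order numbers, request ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # every second digit from the right is doubled, digit-summed
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report only the last four digits so the scanner's output is not itself a PAN leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_line(line: str) -> list[str]:
    """Findings for one log line: 'PAN:****1111' for Luhn-valid card numbers, 'SAD:cvc' for CVV-style fields."""
    findings = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(f"PAN:{mask(digits)}")
    for m in SAD_FIELD.finditer(line):
        findings.append(f"SAD:{m.group(1).lower()}")
    return findings


def scan_log(lines) -> dict[int, list[str]]:
    """Map 1-based line number -> findings, for every line that contains card data."""
    return {n: f for n, line in enumerate(lines, 1) if (f := scan_line(line))}


if __name__ == "__main__":
    for n, f in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(f)}")
```

Run it over exported application logs, CI output and database dumps, not just the production log stream; the second sample line is the typical offender (a request-body debug line written before the card data was tokenized), while the 16-digit request ID on the third line is correctly ignored because it fails Luhn.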
Does your payment form use the processor's hosted iframe or redirect (NOT your own form posting card data through your server)?
If your own server ever receives card details (even just to forward them to the processor a millisecond later), you are in SAQ D scope, which is far harder. If the card fields live in your own page and the browser posts them straight to the processor (direct post), that is SAQ A-EP, also broader than SAQ A. Stripe Elements (iframe), Stripe Checkout (hosted redirect) and the Paystack popup (iframe) all keep you on the SAQ A path.
Is all payment-flow traffic on TLS 1.2 or higher with no fallback to TLS 1.0/1.1 or SSL?
PCI-DSS v4.0 Req 4.2.1 requires strong cryptography for PAN transmitted over open, public networks, and TLS 1.0/1.1 and SSL do not count as strong. Your nginx / load balancer should list only TLS 1.2 and 1.3 explicitly, and you should verify from outside that a TLS 1.0 or 1.1 handshake is actually refused rather than assume it from the config.
Does your payment page implement SRI (Subresource Integrity) on third-party scripts and a strict Content-Security-Policy?
PCI-DSS v4.0 added two e-skimming controls. Req 6.4.3: every script loaded and executed on the payment page must be inventoried with a written justification, explicitly authorized, and covered by a method that assures its integrity. Req 11.6.1: a change-and-tamper-detection mechanism must alert on unauthorized modification of the payment page's HTTP headers and content, evaluated at least weekly. SRI pins script content, a strict script-src keeps unauthorized origins out (no wildcards, no 'unsafe-inline'), and a periodic diff of the page as actually served covers the monitoring.
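A small audit of the served payment page, as an added example (not code from the checklist tool): it builds the 6.4.3 script inventory, flags third-party scripts outside the authorized host list, authorized ones that lack an `integrity` attribute, and inline scripts that a nonce-less strict CSP would block; it also emits the matching CSP header and does the 11.6.1-style drift check against a saved baseline. The page, hosts and the `TAG_JS` script body are constructed for the example, and `sri_hash` computes the SRI value the way browsers compare it.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(body: bytes) -> str:
    """SRI value for a script body: sha384 digest, base64, as the browser will recompute it."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


# Constructed payment page for this example; hosts and script body are illustrative.
PAGE_ORIGIN = "https://shop.example"
ALLOWED_HOSTS = {"js.stripe.com", "cdn.example-analytics.net"}
TAG_JS = b"window.tag = function () {};\n"
SAMPLE_PAGE = f"""
<html><head>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://cdn.example-analytics.net/tag.js"
        integrity="{sri_hash(TAG_JS)}" crossorigin="anonymous"></script>
<script src="https://cdn.unknown.example/tag.js"></script>
<script src="/static/checkout.js"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>
"""


class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append({k: (v or "") for k, v in attrs})


def script_inventory(html: str) -> list[dict]:
    """Req 6.4.3 inventory: one attribute dict per <script> tag, in page order."""
    p = _ScriptCollector()
    p.feed(html)
    return p.scripts


def audit_payment_page(html: str, page_origin: str, allowed_hosts: set[str]) -> list[tuple[str, str]]:
    own_host = urlparse(page_origin).netloc
    findings = []
    for s in script_inventory(html):
        src = s.get("src")
        if src is None:
            findings.append(("inline-script", "<script> body; needs a CSP nonce or move it to a file"))
            continue
        host = urlparse(src).netloc or own_host  # relative src => same origin
        if host != own_host and host not in allowed_hosts:
            findings.append(("unauthorized-host", src))
        elif host != own_host and "integrity" not in s:
            findings.append(("no-sri", src))
    return findings


def build_csp(allowed_hosts: set[str]) -> str:
    """Strict script-src: own origin plus the authorized hosts, no 'unsafe-inline', no wildcards."""
    hosts = " ".join("https://" + h for h in sorted(allowed_hosts))
    return f"script-src 'self' {hosts}; object-src 'none'; base-uri 'self'"


def drift(baseline: list[dict], html: str) -> dict:
    """Req 11.6.1 change detection: script tags that appeared or disappeared since the baseline."""
    def key(s):
        return (s.get("src", "(inline)"), s.get("integrity", ""))
    before = {key(s) for s in baseline}
    after = {key(s) for s in script_inventory(html)}
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    for kind, detail in audit_payment_page(SAMPLE_PAGE, PAGE_ORIGIN, ALLOWED_HOSTS):
        print(f"{kind}: {detail}")
    print("Content-Security-Policy:", build_csp(ALLOWED_HOSTS))
```

Fetch the page the way a customer's browser would (through the CDN, with a real session) before feeding it in, because a skimmer injected at the edge never shows up in your repository. The Stripe.js tag is reported as `no-sri` on purpose: a vendor script that updates in place cannot be pinned with SRI, so for it the documented integrity method under 6.4.3 is the CSP allowlist plus the weekly drift check, and that justification belongs in the inventory.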
Is MFA enforced for ALL administrative access to systems handling cardholder data (payment dashboards, gateway portals, infrastructure)?
PCI-DSS v4.0 Req 8.4.1 requires MFA for all non-console administrative access to the cardholder data environment, and Req 8.4.2 extends it to all access into that environment. That covers remote SSH, cloud consoles and deployment tooling; treat your payment processor's dashboard the same way, since an account there can issue refunds and export customer data.
Are all payment-related events (payment attempts, successes, failures, refunds, disputes) logged with actor + timestamp?
PCI-DSS v4.0 Req 10.2.1 requires audit logs for individual access to cardholder data, administrative actions and changes to the logs themselves; Req 10.2.2 says each record must carry the user, event type, date and time, success or failure, origin, and the affected resource. Most processors log the card-side events on their side; you still need your own records for your own state changes (order created, refund issued, webhook applied), including which user or service account did it.
Are payment audit logs retained for at least 1 year, with the most recent 3 months immediately searchable?
PCI-DSS v4.0 Req 10.5.1 (Req 10.7 in v3.2.1) sets the minimum: at least 12 months retained, with the most recent three months immediately available for analysis. Most cloud log services (CloudWatch, Datadog, Splunk) handle this with a tiered storage policy; confirm the archive tier is actually searchable within the time your incident response plan assumes.
Do you run external vulnerability scans on internet-facing systems at least quarterly (and after significant changes)?
PCI-DSS v4.0 Req 11.3.2 requires external vulnerability scans at least once every three months by an ASV (Approved Scanning Vendor), plus a rescan after significant changes, for SAQ D. Whether SAQ A also requires ASV scans depends on which revision of the SAQ you file, so check the eligibility criteria and requirement list in the SAQ A document itself rather than assuming self-scans are enough.
Do you patch critical security vulnerabilities within 30 days of disclosure?
PCI-DSS v4.0 Req 6.3.3 requires critical or high-security patches to be installed within one month of release, and all other applicable patches within a timeframe you define and document. Track exposure with Dependabot / Snyk / pip-audit, and verify the fixed version actually shipped to production; a merged bump that never deployed is the usual audit finding.
Do you have a written incident response plan that specifically addresses suspected payment data breaches?
PCI-DSS v4.0 Req 12.10.1 requires a written incident response plan and Req 12.10.2 requires it to be reviewed and tested at least annually. At a minimum it should name who to call (acquirer, payment brands and processor), how to preserve evidence (snapshot before rebuilding, keep the logs from Req 10), and how and when customers are notified.
Are your payment processor and other PCI-relevant vendors named in a written agreement that includes their PCI-DSS responsibilities?
PCI-DSS v4.0 Req 12.8 covers third-party service providers: a list of providers (12.8.1), written agreements in which they acknowledge their PCI-DSS responsibilities (12.8.2), monitoring of their compliance status at least annually (12.8.4), and a record of which requirements each side is responsible for (12.8.5). Stripe, Paystack, etc. provide an Attestation of Compliance (AoC) on request; keep it on file and note its expiry date so the annual check is not missed.