AuditCore
PCI DSS v4.0 / v4.0.1

PCI DSS compliance evidence in 5 minutes.

If your service stores, processes, or transmits cardholder data, PCI DSS isn't optional. AuditCore covers the technical requirements (6.x secure development, 11.3 internal vulnerability scans) so your QSA gets evidence on day one instead of week six.

TL;DR

PCI DSS v4.0 ships with 12 top-level requirements. Roughly half are technical (configuration, coding, scanning, monitoring) and half are organizational (policy, training, vendor management). AuditCore automates the technical half — what changes scan-to-scan and what you need recurring evidence for.

We do NOT replace an ASV (Approved Scanning Vendor) for the quarterly external scan required by 11.3.2. We produce equivalent-shape evidence + the deeper internal scan (11.3.1) that ASVs typically don't do. Talk to your QSA about combining AuditCore output with an ASV scan if you're in scope for 11.3.2.

Requirement → AuditCore scanner coverage

Each requirement of the standard is mapped to the AuditCore scanners that contribute evidence. Full = automated end-to-end; partial = covers part, manual review for the rest; manual = AuditCore doesn't automate (process / paperwork / org-only).

ID / Requirement / Coverage / Scanners

1.x  Network security controls  [partial]
     Firewall + segmentation rules. AuditCore sees externally-exposed ports + headers but not your internal segmentation.
     Scanners: NmapScanner, HeaderAnalyzer

2.x  Secure configuration  [full]
     Default passwords, unnecessary services. We detect exposed admin paths, default WordPress configs, leftover debug endpoints.
     Scanners: SensitiveFilesScanner, WordPressScanner, HeaderAnalyzer

4.x  Strong cryptography in transit  [full]
     TLS configuration, weak ciphers, expired certs, Heartbleed.
     Scanners: SSLyzeScanner

6.2  Bespoke and custom software is developed securely  [full]
     Code-level vulnerabilities — SQL injection, XSS, command injection, path traversal, etc.
     Scanners: ZapScanner, NucleiScanner, SqlmapScanner, SemgrepScanner, PathTraversalScanner, CmdiScanner, XxeScanner, SstiScanner

6.3.1  Security vulnerabilities are identified and addressed  [full]
       CVE detection in dependencies, known-vuln signatures, OWASP Top 10.
       Scanners: NucleiScanner, TrivyScanner, GitleaksScanner, ZapScanner

6.4.1  Public-facing web applications are protected  [full]
       Continuous DAST against production. Headers, CSP, cookie flags, common bypasses.
       Scanners: HeaderAnalyzer, CookieAnalyzer, CorsChecker, ZapScanner, NucleiScanner

8.x  Strong authentication + session management  [full]
     JWT alg:none, session fixation, weak session cookies, BOLA/BFLA cross-role access.
     Scanners: JwtAnalyzer, SessionTester, AuthReplay, OAuthTester

11.3.1  Internal vulnerability scans (quarterly + after change)  [full]
        Authenticated + unauthenticated scan against internal scope. AuditCore runs against any URL — production or staging.
        Scanners: ZapScanner, NucleiScanner, NmapScanner, NiktoScanner

11.3.2  External ASV-grade scans (quarterly)  [manual]
        Must be performed by a PCI-approved scanning vendor. AuditCore is not an ASV.
        Combine an ASV (Qualys, Trustwave, etc.) for the quarterly external requirement with AuditCore for continuous internal + change-driven scans.
        Scanners: none

11.4  Penetration testing  [partial]
      Network + application-layer pen-test, segmentation testing. AuditCore covers application-layer; segmentation tests are still manual.
      Scanners: AuthReplay, BusinessLogicScanner, SmartApiScanner, GraphqlDeepScanner

12.x  Information security policy + program  [manual]
      Documented policies, training, incident response procedures.
      Scanners: none

Sample findings AuditCore surfaces for this standard

Real finding types our scanners produce. Each maps to one or more of the requirements above.

[critical] TLS 1.0/1.1 still enabled (req 4.2.1)

PCI DSS v3.2.1 retired TLS 1.0; v4.0 retires 1.1. Any cardholder-data endpoint accepting these fails an ASV scan.

[critical] Session cookie missing Secure + HttpOnly flags (req 6.4.3)

Session token theft via XSS or downgrade attack — the most common path to cardholder data exfiltration.

[high] SQL injection on checkout/order lookup endpoint (req 6.2.4)

Direct path to the cardholder database. A single positive finding is a v3 PCI violation severe enough to suspend a merchant agreement.

[high] Admin panel /wp-admin discoverable + default path (req 2.2.6)

PCI requires that vendor defaults be changed. WordPress sites with the default /wp-admin and no rate-limit are an obvious brute-force target.

[medium] Strict-Transport-Security header missing (req 4.2.1)

Without HSTS a TLS-stripping MITM can downgrade the connection, defeating req 4 cryptography in transit.
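Three of the findings above (TLS 1.0/1.1 still enabled, session cookie missing Secure + HttpOnly, HSTS missing) can be reproduced with a small offline check. The following is an added example written for this page, not AuditCore's code or report output: it runs against constructed HTTP response headers and a TLS minimum-version value rather than a live host, and the Finding record, the function names and the requirement strings it carries are assumptions taken from the list above.

```python
# Added example (not AuditCore's code): offline evidence checks for three of the
# sample findings above. The Finding shape, function names and requirement
# strings are assumptions; sample inputs are constructed for illustration.
import re
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str     # "critical" / "high" / "medium", as on the page
    title: str
    requirement: str  # PCI DSS v4.0 requirement the finding is mapped to


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def _cookie_attrs(set_cookie):
    """Split 'sid=abc; Path=/; Secure; HttpOnly' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_cookies(set_cookie_headers):
    """Critical finding for every cookie set without both Secure and HttpOnly."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = _cookie_attrs(header)
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        if missing:
            findings.append(Finding(
                "critical",
                f"Cookie '{name}' missing {' + '.join(missing)} flag(s)",
                "6.4.3",
            ))
    return findings


def check_hsts(headers):
    """Medium finding when HSTS is absent or carries max-age=0 (which clears the policy)."""
    value = headers.get("strict-transport-security", "")
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if match and int(match.group(1)) > 0:
        return []
    return [Finding("medium", "Strict-Transport-Security header missing", "4.2.1")]


def check_tls_minimum(min_version):
    """Critical finding when the lowest negotiable protocol version is below TLS 1.2."""
    if min_version < ssl.TLSVersion.TLSv1_2:
        return [Finding("critical", "TLS 1.0/1.1 still enabled", "4.2.1")]
    return []


def audit_response(headers, set_cookie_headers, tls_min_version):
    """Run all three checks. `headers` uses lower-case names; Set-Cookie values are
    passed separately because one response may carry several of them."""
    findings = (check_tls_minimum(tls_min_version)
                + check_cookies(set_cookie_headers)
                + check_hsts(headers))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def hardened_minimum_version():
    """The fix for the TLS finding: pin the context's minimum_version to TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx.minimum_version


# Constructed sample responses (not captured from any real host).
WEAK_HEADERS = {"content-type": "text/html", "x-frame-options": "DENY"}
WEAK_COOKIES = ["session=abc123; Path=/"]
WEAK_TLS_MIN = ssl.TLSVersion.TLSv1_1        # server still negotiates TLS 1.1

HARDENED_HEADERS = {**WEAK_HEADERS,
                    "strict-transport-security": "max-age=31536000; includeSubDomains"}
HARDENED_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]


if __name__ == "__main__":
    for f in audit_response(WEAK_HEADERS, WEAK_COOKIES, WEAK_TLS_MIN):
        print(f"[{f.severity}] {f.title} (req {f.requirement})")
    print("hardened:", audit_response(HARDENED_HEADERS, HARDENED_COOKIES,
                                      hardened_minimum_version()))
```

Run as a script, the weak response yields the three findings in severity order and the hardened response yields none. The HSTS check treats max-age=0 the same as a missing header, because that value instructs browsers to discard any stored policy.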

Recommended tier

Pro ($299)

Pro tier unlocks the full pentest suite needed for PCI evidence: ZAP active scan, Nuclei templates, SQL injection testing, JWT analysis, subdomain discovery. Enterprise adds BOLA/BFLA + business logic for higher-risk endpoints.

What AuditCore doesn't cover

Honest scope — these items are part of the standard but require process, paperwork, or org-level controls outside what a web scanner can verify. Use a manual auditor / compliance consultant for these.

  • 11.3.2 external ASV scan (quarterly) — engage an Approved Scanning Vendor
  • Internal network segmentation testing (1.2, 1.3) — requires physical/network access
  • Physical security of the cardholder data environment (req 9)
  • Documented information security policy and training program (req 12)
  • Incident response plan documentation and tabletop exercises (req 12.10)
  • Quarterly internal segmentation tests if you're a service provider (req 11.4.5)

FAQ

Does AuditCore replace a PCI QSA?

No. A QSA (Qualified Security Assessor) reviews your full PCI program — policy, training, vendor management, sampling — and produces the Report on Compliance (RoC). AuditCore produces the technical evidence the QSA asks for during the audit: vulnerability scan results, configuration evidence, change-driven re-scans. We make the QSA's job (and yours) faster.

Is AuditCore an ASV?

No, and we don't market as one. ASVs go through PCI Council certification and run a specific quarterly external scan template (req 11.3.2). AuditCore is a continuous internal/external scanner that covers req 6 (secure development) + 11.3.1 (internal vulnerability scans) + 11.4 (application-layer pen-test inputs). Many teams use AuditCore continuously + Qualys/Trustwave for the quarterly ASV scan.

We're a SaaS that takes Stripe checkout — does PCI even apply to us?

If Stripe.js / Stripe Checkout is hosted on Stripe's domain (typical iframe / redirect) you qualify for SAQ A — the lightest PCI questionnaire — because cardholder data never touches your servers. AuditCore is still valuable: SAQ A still requires 6.4 (public-facing web app protection) and 12.x (policy), and your TLS / headers must be sound. If you handle card data directly (SAQ D), the full requirement list above applies.

How often should I rescan for PCI evidence?

PCI v4 requires internal scans quarterly AND after any significant change (6.4.1, 11.3.1). With AuditCore, set up scheduled scans (Pro+) to run weekly or on every deploy via the GitHub Action — this gives you continuous evidence, which auditors prefer to four snapshots per year.

Can I export findings in a PCI-friendly format?

The PDF report includes severity (CVSS), CWE mapping, affected URL, evidence, and fix recommendation — the shape PCI auditors expect. The executive summary section shows which requirement each finding maps to, so you can hand the report directly to your QSA. White-label PDFs are available on the Business tier if your auditor wants your branding.

What's new in PCI DSS v4.0 vs v3.2.1?

Three things that matter for scanning: (1) authenticated scans for internal vulnerability scanning (11.3.1.2) — AuditCore supports credentialed scans on Business tier; (2) Targeted Risk Analysis for any 'as defined' frequency — gives you flexibility but requires you to document why your scan cadence is sufficient; (3) the Customized Approach allowing alternative controls — useful if your stack doesn't fit the standard wording. All v4.0 deadlines are now in force (March 2025 was the final transition).

Start the audit in 60 seconds

Free 1-page audit, no credit card. Upgrade to Pro ($299) when you need the full standard coverage.