
PCI DSS 4.0.1 Compliance Checklist — 30 Steps Across 12 Requirements

PCI DSS 4.0 became mandatory in March 2024, and 4.0.1 was issued in June 2024. Target paid $202M after its breach; Block paid $175M to the CFPB. Most violations stem from gaps in three areas: scoping, segmentation evidence, and continuous monitoring. This checklist walks the 12 requirements in order, with the controls 4.0.1 actually demands.

Who this is for
  • Merchants accepting card payments at any volume (Levels 1–4)
  • Service providers storing/processing/transmitting cardholder data on behalf of merchants
  • SaaS platforms hosting checkout flows (even hosted iframes have scope)
  • Acquiring banks & payment facilitators
Typical timeline
First-time PCI DSS: 90–180 days. Annual ROC (Level 1) or SAQ (Levels 2–4).
Severity legend
critical · high · medium

The checklist

Scope

1. Define & document PCI scope (CDE + connected systems) · critical · Req 12.5.2
   Annual scope review, plus a review after any change to the CDE.
2. Network diagrams + data-flow diagrams (cardholder data) · critical · Req 1.2.4
   Updated whenever the CDE changes; typically the auditor's first request.
3. Segmentation testing if segmentation is used to reduce scope · critical · Req 11.4.5
   Annual for merchants, every 6 months for service providers.

Req 1 Network Security

4. Firewall config standards documented & reviewed semi-annually · high · Req 1.2, 1.4
   Inbound + outbound rule sets; business justification per rule.
5. Restrict inbound/outbound traffic to/from the CDE to the least required · critical · Req 1.3.1, 1.3.2
   Deny-all by default; documented exceptions.

Req 2 Secure Configurations

6. System hardening standards aligned to industry baselines · critical · Req 2.2
   CIS Benchmarks / NIST SP 800-123 / vendor-recommended.
7. Change all vendor-supplied defaults (passwords, SNMP, etc.) · critical · Req 2.3
   Pre-deployment, plus a verification step in the change process.

Req 3 Protect Stored Data

8. Don't store SAD (sensitive authentication data) after authorization · critical · Req 3.3.1
   CVV2, full track data, PIN: never stored.
9. PAN rendered unreadable wherever stored (encryption/hashing/truncation/tokenization) · critical · Req 3.5
   Strong cryptography + documented key management.
10. Cryptographic key management lifecycle documented · high · Req 3.6, 3.7
   Generation, distribution, storage, rotation, retirement.

Req 4 Transmission Security

11. Strong cryptography for PAN in transit across open networks · critical · Req 4.2
   TLS 1.2+ everywhere; documented cipher suite policy.

Req 5 Anti-Malware

12. Anti-malware deployed on all systems commonly affected · high · Req 5.2
   Automatic updates + periodic scans + active real-time protection.
13. Anti-phishing technical controls (DMARC, MTA-STS, link sandbox) · high · Req 5.4.1
   New in 4.0; a best practice until 31 March 2025, mandatory after that.

Req 6 Secure Software

14. Public-facing web apps protected (WAF or vulnerability assessment) · critical · Req 6.4.2
   Required for all in-scope web apps.
15. Software security training + secure-coding standards · high · Req 6.2
   Documented training; secure-coding guidelines in the dev process.
16. Inventory of bespoke + third-party software components · high · Req 6.3.2
   SBOM-style; updated when components change.

Req 7 Access Control

17. Need-to-know access restrictions with documented authorization · critical · Req 7.2
   Documented approval per role; reviewed semi-annually.
18. Role-based access aligned to job function · high · Req 7.2.5
   Privilege minimisation; documented role definitions.

Req 8 Identification & Authentication

19. Unique ID for every user; no shared accounts · critical · Req 8.2
   SSO + IdP; the auditor will sample accounts.
20. MFA for ALL access into the CDE (4.0 change: all access, not just admin/remote) · critical · Req 8.4, 8.5
   Phishing-resistant MFA preferred; required by 4.0, effective March 2025.

Req 9 Physical Access

21. Restrict physical access to CDE systems & media · critical · Req 9.2, 9.3
   Badges, locks, visitor log, camera retention 90 days.
22. POI device inventory + tamper inspection · high · Req 9.5
   Documented inventory; periodic physical inspection; staff trained to spot skimmers.

Req 10 Logging

23. Audit logs for all access to system components & cardholder data · critical · Req 10.2, 10.5
   Centralised, tamper-resistant, retained 1 year (3 months immediately available).
24. Daily log review (or automated equivalent with documented response) · high · Req 10.4
   Mandatory; the auditor will sample log reviews.

Req 11 Testing

25. Internal & external vulnerability scans quarterly · critical · Req 11.3
   External scans by an ASV (PCI-approved scanning vendor); failing scans must be remediated + rescanned.
26. Internal & external penetration test annually + after significant changes · critical · Req 11.4
   Network + application layer; documented methodology + remediation evidence.
27. File integrity monitoring on critical files · high · Req 11.5
   Alerts on unauthorized modification; documented response to alerts.

Req 12 Information Security Policy

28. Information security policy reviewed & updated annually · critical · Req 12.1
   Approved by management; communicated to all personnel.
29. Targeted risk analyses for any 'customized approach' control · high · Req 12.3
   4.0 introduces the customised approach; each such control must be justified with a targeted risk analysis.
30. Incident response plan tested annually + IRR procedure for cardholder data · critical · Req 12.10
   Documented plan + table-top exercise + post-incident lessons learned.

Pitfalls — where teams actually fail


Real enforcement actions for PCI DSS

  • ~$202M · Target · 2013
  • $175M · Block / Cash App · 2025

FAQ

Do we need PCI DSS if we use Stripe/Adyen?
Yes. Even SAQ A merchants must validate annually. A hosted iframe is the easiest scope, but it still requires validation.
What's new in PCI DSS 4.0 vs 3.2.1?
Customised approach (an alternative to the defined approach), MFA expanded to all CDE access, anti-phishing controls, payment page integrity monitoring, and more frequent reviews for service providers.
Level 1 vs Level 2/3/4?
Level 1: more than 6M Visa/MC transactions annually; requires an annual ROC by a QSA. Levels 2–4: SAQ + ASV scans (Level 2 may require a ROC depending on the card brand).
When did 4.0.1 become mandatory?
PCI DSS 4.0 became mandatory on March 31, 2024. 4.0.1 was issued in June 2024 with clarifications. New requirements with later effective dates (e.g., expanded MFA) became fully enforceable on March 31, 2025.
