Obtain the PCI DSS v4.0 Report on Compliance (ROC) template and Requirements and Testing Procedures document from the PCI SSC document library to understand what evidence each requirement demands
Define your cardholder data environment (CDE) scope, including all systems that store, process, or transmit cardholder data or are connected to such systems; scope reduction via segmentation must be validated
Map your existing controls to PCI DSS requirements by requirement number (e.g., Requirement 3 for stored cardholder data protection, Requirement 8 for authentication); document the mapping in a traceability matrix
Automate recurring evidence collection: firewall rule exports for Requirement 1, vulnerability scan results (ASV scans for external-facing systems) for Requirement 11, and log review records for Requirement 10
For Requirement 8 (authentication), document MFA enforcement, password/passphrase policies, and account lifecycle records; collect screenshots or API-exported configs from your identity provider
Work with a PCI QSA to validate the evidence package before the formal assessment; use the Customized Approach option (available in v4.0) for controls implemented differently than the defined approach
Known gotchas
PCI DSS 4.0 introduced targeted risk analyses for several requirements; ensure each applicable requirement has a documented, approved risk analysis rather than relying on inherited controls
ASV (Approved Scanning Vendor) external scans must pass with no vulnerabilities scoring at or above the threshold defined in PCI DSS; failing scans cannot be waived without formal dispute resolution
Requirement 3.5.1 requires primary account numbers (PANs) to be rendered unreadable anywhere they are stored; validate this with data discovery scans, not just policy assertions
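The following is an added example, not part of the original checklist or any PCI SSC material, showing the kind of data discovery check the last gotcha calls for, wired to the evidence-record automation described earlier for the traceability matrix. It scans text sources for Luhn-valid 13 to 19 digit sequences, ignores masked or tokenised values, and emits a Requirement 3.5.1 evidence record that carries only the location and last four digits of each hit, so the evidence itself does not become stored cardholder data. The sample log and CSV content, file names and the record layout are all constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not adjacent to other digits (so a longer numeric ID is not split into hits).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_number, normalised_digits) for each Luhn-valid candidate."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                yield lineno, digits


def scan_sources(sources: Dict[str, str]) -> List[dict]:
    """Scan a mapping of source name -> content.

    Findings never carry the full PAN: only the source, line, PAN length and
    last four digits are recorded (last four is a permitted masked form).
    """
    findings = []
    for name, content in sources.items():
        for lineno, pan in find_pans(content):
            findings.append({"source": name, "line": lineno,
                             "last4": pan[-4:], "length": len(pan)})
    return findings


def evidence_record(sources: Dict[str, str], findings: List[dict]) -> dict:
    """Build a record for the Requirement 3 evidence folder (constructed layout)."""
    return {
        "requirement": "3.5.1",
        "control": "PAN rendered unreadable anywhere it is stored",
        "scanned": sorted(sources),
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "finding_count": len(findings),
        "result": "PASS" if not findings else "FAIL",
        "findings": findings,
    }


# Constructed sample content; the card numbers are the well-known public test values.
SAMPLE_SOURCES = {
    "app/orders.log": "\n".join([
        "2024-01-15 10:23:45 order=ORD-20240115-000123 status=paid",   # 14-digit ID, fails Luhn
        "2024-01-15 10:23:46 card=4111 1111 1111 1111 exp=12/26",       # unmasked PAN: finding
        "2024-01-15 10:24:01 token=tok_9f8e7d6c5b4a last4=4444",        # tokenised: fine
    ]),
    "reports/refunds.csv": "\n".join([
        "refund_id,card,amount",
        "1,4111 11** **** 1111,19.99",     # masked: fine
        "2,378282246310005,120.00",        # unmasked 15-digit PAN: finding
        "3,1234567890123456,5.00",         # 16 digits but fails Luhn: fine
    ]),
}

if __name__ == "__main__":
    hits = scan_sources(SAMPLE_SOURCES)
    print(json.dumps(evidence_record(SAMPLE_SOURCES, hits), indent=2))
```

Run against a real estate the same way, but feed it file contents, database column dumps and log archives rather than the constructed strings; a PASS record dated from the scan, kept alongside the policy, is the assertion a QSA can test, and a FAIL record gives the remediation owner the exact location without re-exposing the PAN in the evidence package.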