Which SAQ applies to you?
| Your situation | SAQ | Auditor scope |
|---|---|---|
| You use a hosted payment page (Stripe Checkout, PayPal redirect) and never touch card data | SAQ A | ~22 requirements |
| You embed Stripe Elements / Square SDK that posts directly to the processor | SAQ A-EP | ~146 requirements |
| You collect card data on your own forms and tokenize it server-side | SAQ D | ~329 requirements (a real audit) |
| You’re a payment processor or service provider | PCI DSS Level 1 RoC | Full Report on Compliance (RoC) performed by a QSA (Qualified Security Assessor) |
Requirement mapping (PCI DSS v4.0)
Requirement 1 — Install and maintain network security controls
| 1.x | Codex evidence |
|---|---|
| 1.2 — Network segmentation | AWS/GCP/Azure VPC + security group configs from cloud connector |
| 1.3 — Firewall rules | Cloud security group rules + WAF config |
| 1.4 — Wireless protections | Out of scope for cloud-only SaaS |
Requirement 2 — Apply secure configurations
| 2.x | Evidence |
|---|---|
| 2.2 — Configuration standards | Terraform/IaC commit history + drift reports from cloud connectors |
| 2.3 — Default credentials changed | Cloud IAM user inventory (no root user with active access keys, no default DB passwords) |
Requirement 3 — Protect stored account data
| 3.x | Evidence |
|---|---|
| 3.5 — PAN encryption at rest | Database encryption config (RDS KMS, Cloud SQL CMEK, Cosmos CMK). For SAQ A-EP, you should be tokenizing — Codex looks for direct PAN storage as a critical exception. |
| 3.6 — Cryptographic key management | KMS config + key rotation history |
Requirement 4 — Protect data in transit
| 4.x | Evidence |
|---|---|
| 4.2 — Strong cryptography on public networks | TLS coverage scan (no TLS <1.2, no weak ciphers) on every endpoint |
Requirement 5 — Protect against malware
| 5.x | Evidence |
|---|---|
| 5.2 — Anti-malware on at-risk systems | EDR coverage from CrowdStrike/SentinelOne via MDM connector |
Requirement 6 — Develop and maintain secure systems
| 6.x | Evidence |
|---|---|
| 6.2 — Bespoke software development | GitHub PR review records + branch protection + required CI |
| 6.3 — Vulnerability management | Snyk/Dependabot/Wiz findings + remediation timelines per severity |
| 6.4 — Public-facing web app protections | WAF config + WAF rule violations from CDN connector |
Requirement 7 — Restrict access by business need
| 7.x | Evidence |
|---|---|
| 7.2 — Access control system | IdP role-based assignments with documented business justification per role |
| 7.3 — Access reviews | Quarterly access review snapshots from Codex |
Requirement 8 — Identify users and authenticate access
| 8.x | Evidence |
|---|---|
| 8.3 — Strong authentication for non-CDE | IdP MFA enforcement reports |
| 8.4 — MFA for CDE access | Conditional access policy showing MFA on CDE systems |
| 8.5 — Multi-step authentication | MFA factor inventory per user |
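As an added example (not Codex code), the following script evaluates an AWS IAM credential report against two of the rows above: 2.3 (no root user with active access keys) and 8.4 (console-enabled users without MFA). The report layout is the real `aws iam get-credential-report` CSV; the three rows are constructed sample data and the account id is a placeholder.

```python
import csv
import io

# Constructed sample in the layout of an AWS IAM credential report
# (`aws iam get-credential-report`, base64-decoded CSV). Columns the
# checks do not read are filled with "N/A". Account id is a placeholder.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,true,2019-01-01T00:00:00+00:00,2024-04-30T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-10T00:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-15T00:00:00+00:00,2024-04-14T00:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-06-01T00:00:00+00:00,2024-05-02T07:30:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def find_iam_exceptions(report_csv: str) -> list[dict]:
    """Return one finding per credential-report row that fails a check.

    Checks (written for this example, keyed to the requirement rows above):
      2.3  root account with an active access key
      8.4  console-enabled identity (root, or password_enabled == true)
           without an MFA device
    Access-key-only service users such as a CI deployer are not console
    users, so they are not reported under 8.4 here.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        # Root rows report password_enabled as "not_supported"; root always
        # has console access, so treat it as console-enabled.
        console_enabled = is_root or row["password_enabled"] == "true"
        key_active = any(row[f"access_key_{i}_active"] == "true" for i in (1, 2))

        if is_root and key_active:
            findings.append({"req": "2.3", "user": row["user"],
                             "issue": "root account has an active access key"})
        if console_enabled and row["mfa_active"] != "true":
            findings.append({"req": "8.4", "user": row["user"],
                             "issue": "console access without MFA"})
    return findings


if __name__ == "__main__":
    for f in find_iam_exceptions(SAMPLE_REPORT):
        print(f"[{f['req']}] {f['user']}: {f['issue']}")
```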
Requirement 9 — Restrict physical access to CHD
For cloud-only SaaS, this reduces to “your hyperscaler handles physical security”, evidenced by the provider’s AoC (Attestation of Compliance) linked from your evidence pack.
Requirement 10 — Log and monitor all access
| 10.x | Evidence |
|---|---|
| 10.2 — Audit logs | SIEM connector event coverage report |
| 10.3 — Log integrity | CloudTrail / Azure Activity Log / Cloud Audit immutability config |
| 10.6 — Log review | Log review activity records (who reviewed, when, finding count) |
Requirement 11 — Test security regularly
| 11.x | Evidence |
|---|---|
| 11.3 — External vulnerability scans | Quarterly ASV scan reports (you upload, Codex stores with scan date + vendor) |
| 11.4 — Internal pen tests | Annual pen test reports (uploaded) |
Requirement 12 — Information security policy
Codex links to your published security policy + tracks annual review attestations.
What’s different about PCI DSS vs SOC 2
PCI DSS is prescriptive where SOC 2 is principle-based. SOC 2 says “you should manage access” — PCI DSS says “you must enforce password length ≥ 12 characters with complexity requirements.” Codex captures the prescriptive numbers and surfaces violations specifically. Things PCI is stricter about:
- Quarterly external scans by an Approved Scanning Vendor (ASV) — mandatory, not optional
- Annual penetration testing — mandatory every year and after every significant change
- Specific encryption algorithms and key sizes — Codex flags weak crypto config
- Card data masking when displayed (last 4 only)
- Limiting CDE scope — explicit network segmentation between CDE and non-CDE
When you’re ready
Reports → PCI DSS evidence package outputs:
- SAQ (correctly mapped to your scope: A, A-EP, or D)
- Per-requirement implementation evidence
- AoC (Attestation of Compliance) draft
- Quarterly ASV scan history
- Annual pen test reports
- ROC (Report on Compliance) supporting evidence — for Level 1 service providers