Which SAQ applies to you?
Most SaaS startups are SAQ A or A-EP. Codex automates the SAQ A-EP path; if you’re SAQ D or Level 1, you need a QSA, not just Codex.
Requirement mapping (PCI DSS v4.0)
Requirement 1 — Install and maintain network security controls
Requirement 2 — Apply secure configurations
Requirement 3 — Protect stored account data
Requirement 4 — Protect data in transit
Requirement 5 — Protect against malware
Requirement 6 — Develop and maintain secure systems
Requirement 7 — Restrict access by business need
Requirement 8 — Identify users and authenticate access
Requirement 9 — Restrict physical access to CHD
For cloud-only SaaS, this devolves to “your hyperscaler handles physical security” + their AOC/AoC document linked from your evidence pack.Requirement 10 — Log and monitor all access
Requirement 11 — Test security regularly
Requirement 12 — Information security policy
Codex links to your published security policy + tracks annual review attestations.What’s different about PCI DSS vs SOC 2
PCI DSS is prescriptive where SOC 2 is principle-based. SOC 2 says “you should manage access” — PCI DSS says “you must enforce password length ≥ 12 characters with complexity requirements.” Codex captures the prescriptive numbers and surfaces violations specifically. Things PCI is stricter about:- Quarterly external scans by an Approved Scanning Vendor (ASV) — mandatory, not optional
- Annual penetration testing — mandatory after every significant change
- Specific encryption algorithms and key sizes — Codex flags weak crypto config
- Card data masking when displayed (last 4 only)
- Limiting CDE scope — explicit network segmentation between CDE and non-CDE
When you’re ready
Reports → PCI DSS evidence package outputs:- SAQ (correctly mapped to your scope: A, A-EP, or D)
- Per-requirement implementation evidence
- AoC (Attestation of Compliance) draft
- Quarterly ASV scan history
- Annual pen test reports
- ROC (Report on Compliance) supporting evidence — for Level 1 service providers