Skip to main content
PCI DSS (Payment Card Industry Data Security Standard) applies to any company that stores, processes, or transmits cardholder data (CHD) — directly or indirectly through a payment processor. SaaS vendors that touch payment flows, embed Stripe Elements, or hold tokenized PANs need to satisfy at least PCI DSS Self-Assessment Questionnaire (SAQ) A or A-EP.

Which SAQ applies to you?

Most SaaS startups are SAQ A or A-EP. Codex automates the SAQ A-EP path; if you’re SAQ D or Level 1, you need a QSA, not just Codex.

Requirement mapping (PCI DSS v4.0)

Requirement 1 — Install and maintain network security controls

Requirement 2 — Apply secure configurations

Requirement 3 — Protect stored account data

Requirement 4 — Protect data in transit

Requirement 5 — Protect against malware

Requirement 6 — Develop and maintain secure systems

Requirement 7 — Restrict access by business need

Requirement 8 — Identify users and authenticate access

Requirement 9 — Restrict physical access to CHD

For cloud-only SaaS, this devolves to “your hyperscaler handles physical security” + their AOC/AoC document linked from your evidence pack.

Requirement 10 — Log and monitor all access

Requirement 11 — Test security regularly

Requirement 12 — Information security policy

Codex links to your published security policy + tracks annual review attestations.

What’s different about PCI DSS vs SOC 2

PCI DSS is prescriptive where SOC 2 is principle-based. SOC 2 says “you should manage access” — PCI DSS says “you must enforce password length ≥ 12 characters with complexity requirements.” Codex captures the prescriptive numbers and surfaces violations specifically. Things PCI is stricter about:
  • Quarterly external scans by an Approved Scanning Vendor (ASV) — mandatory, not optional
  • Annual penetration testing — mandatory after every significant change
  • Specific encryption algorithms and key sizes — Codex flags weak crypto config
  • Card data masking when displayed (last 4 only)
  • Limiting CDE scope — explicit network segmentation between CDE and non-CDE

When you’re ready

Reports → PCI DSS evidence package outputs:
  • SAQ (correctly mapped to your scope: A, A-EP, or D)
  • Per-requirement implementation evidence
  • AoC (Attestation of Compliance) draft
  • Quarterly ASV scan history
  • Annual pen test reports
  • ROC (Report on Compliance) supporting evidence — for Level 1 service providers
For SAQ A-EP, sign and submit to your acquirer annually. For Level 1, your QSA writes the ROC; Codex provides the underlying evidence.