The global payment-card data security standard, now in v4.0 with future-dated requirements becoming mandatory in March 2025.
Any entity that stores, processes, or transmits cardholder data — merchants, processors, acquirers, issuers, service providers.
Safeguard's hosted environment maintains a Level 1 Service Provider AoC.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
12 high-level requirements expanded to ~280 sub-requirements at v4.0.
Customised approach (new in v4.0): an entity may meet a requirement's stated objective with controls of its own design instead of the defined ones, alongside the existing compensating-control route.
Targeted Risk Analyses (TRAs) for every customised control — annual review.
Quarterly external ASV scans for in-scope systems.
Annual penetration testing of segmentation controls.
Continuous evidence retention — minimum 12 months for most control families.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
Pre-mapped to all 12 PCI-DSS v4.0 requirements with sub-requirement traceability.
Cardholder data flow diagrams auto-generated from telemetry — required by Req 1.2.4.
TRAs templated and stored alongside the customised control they justify.
Quarterly ASV scan integration with results bound to the relevant requirement.
Network segmentation tests automated and timestamped.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
Self-Assessment Questionnaire (SAQ) — auto-populated by SAQ type (A through D).
Report on Compliance (RoC) evidence bundle — QSA-ready.
Quarterly ASV scan reports with remediation tracking.
Cardholder data flow diagrams (current + historical).
Penetration test results with segmentation validation.
These frameworks share substantial control overlap with PCI-DSS v4.0. Customers running one assessment typically satisfy the others with the same evidence base.
SOC 2 (North America): The Trust Services Criteria attestation that has become the de-facto B2B SaaS security baseline globally.
ISO/IEC 27001 (cross-jurisdictional): The global Information Security Management System standard, updated in 2022 with 93 Annex A controls in four themes.
SWIFT CSP (cross-jurisdictional): SWIFT Customer Security Programme, mandatory controls for institutions connected to the SWIFT network.
FFIEC (North America): The FFIEC's interagency examination framework for cybersecurity in US financial institutions.
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.