PCI DSS compliance · Free audit · No signup

PCI DSS v4.0.1 Security Policy Audit

Grade your information security policy against the 12 PCI DSS requirements every merchant and processor must meet — cardholder data protection, encryption, access control, logging, vulnerability scanning, and incident response. Get the exact wording to add for every gap before your QSA finds it.

Run free PCI DSS audit
Payment Card Industry Data Security Standard v4.0.1 · Any merchant, processor, or service provider that stores, processes, or transmits cardholder data (global)

What PCI DSS non-compliance actually costs

$5,000 – $100,000/mo: acquirer fines for non-compliance (per Visa/Mastercard operating rules)
$5 – $90 per card: per-record breach assessment (card brand recovery and reissuance fees)
$292M+: Target (2013 breach settlement); 40M cards exposed; ~$202M legal + $18.5M state AG settlement + card brand fines
$200M+: Home Depot (2014 breach settlement); 56M cards; $25M consumer + $134.5M card issuer settlements + remediation

Who must comply with PCI DSS?

What this audit checks

12 required clauses, scored as Present / Partial / Missing with the exact regulatory citation and suggested fix.

1. Network segmentation + firewall ruleset documentation
   Req. 1 — explicit deny-all default, documented justification for every allow rule, reviewed every 6 months
2. No vendor-default passwords or accounts
   Req. 2 — vendor defaults changed, hardening standards aligned to CIS/NIST
3. Stored cardholder data protection (PAN masking + truncation)
   Req. 3 — PAN unreadable wherever stored; render via strong crypto, hashing, truncation, or tokenization
4. Strong cryptography for PAN in transit over open/public networks
   Req. 4 — TLS 1.2+ minimum, trusted keys/certs only
5. Anti-malware on systems commonly affected
   Req. 5 — kept current, periodic evaluations of evolving threats including phishing per v4.0.1
6. Secure software development + change control
   Req. 6 — SDLC, code review, OWASP coverage, separation of dev/test/prod, patching SLA
7. Need-to-know access + least privilege
   Req. 7 — RBAC, documented access matrix, default-deny
8. Unique IDs + MFA for all access to the CDE
   Req. 8 — MFA now required for ALL access into the CDE (not just admin) per v4.0
9. Physical access controls + media handling
   Req. 9 — visitor logs, badge controls, media destruction
10. Audit logging + 1-year retention (3-month online)
   Req. 10 — daily review, integrity monitoring, time sync
11. Quarterly external ASV scans + internal vuln scans + annual pen test
   Req. 11 — ASV passing scan every 90 days, segmentation testing annually
12. Information security policy + annual risk analysis
   Req. 12 — formal policy reviewed annually, security awareness, incident response plan, customized approach documentation if used
Audit my policy now
Results in 20 seconds · 3 free per day · No signup

Why PCI DSS audits actually fail

Treating SAQ-A as 'no compliance work'
Even fully outsourced e-commerce (SAQ-A) requires written policies, vendor management for service providers (Req. 12.8), and quarterly attestation. Most QSAs find missing TPSP inventories first.
Storing CVV/CVC2/CID anywhere
Req. 3.2 — sensitive authentication data must NEVER be retained after authorization, even encrypted. Found in app logs, email order confirmations, and call recordings on almost every audit.
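Item 3 above (PAN rendered unreadable by truncation or masking) and the Req. 3.2 finding here (CVV in application logs) are both things a defender can check mechanically. The following is an added example, not code from this page or its audit tool: a small Python scanner that finds Luhn-valid PAN-shaped digit runs and labelled CVV/CVC/CID values in log lines, reports them, and produces a redacted copy that keeps only the first six and last four PAN digits. The log lines are constructed samples; the regexes and the "first six + last four" masking rule are this example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not taken from any real system). They model the
# leakage described above: a full PAN and CVV in an application log, a correctly
# masked PAN, a request-body dump, and a numeric reference that is not a card.
SAMPLE_LOG_LINES = [
    "2025-01-10T12:00:01Z INFO order=1001 pan=4111111111111111 cvv=123 amount=19.99",
    "2025-01-10T12:00:02Z INFO order=1002 pan=411111******1111 amount=5.00",
    '2025-01-10T12:00:03Z DEBUG request body: {"card": "5555 5555 5555 4444", "cvc": "321"}',
    "2025-01-10T12:00:04Z INFO order=1003 ref=1234567890123 status=ok",
]

# 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A CVV/CVC/CID label followed by a 3-4 digit value: sensitive authentication
# data that must never be retained after authorization.
SAD_RE = re.compile(r"(\b(cvv2?|cvc2?|cid)\b\W{0,5})(\d{3,4})\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number in the scanned log
    kind: str      # "PAN" (cardholder data) or "SAD" (sensitive authentication data)
    detail: str    # masked PAN, or the SAD label that was found


def luhn_valid(digits: str) -> bool:
    """Luhn check: filters out most numeric IDs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (the most PCI DSS permits to be displayed)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> list[str]:
    """Return the digit strings of every Luhn-valid PAN-shaped run on the line."""
    pans = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def redact_line(line: str) -> str:
    """Return a copy of the line safe to retain: PANs masked, SAD values starred out."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)

    line = PAN_RE.sub(_mask, line)
    return SAD_RE.sub(lambda m: m.group(1) + "*" * len(m.group(3)), line)


def scan_log(lines: list[str]) -> list[Finding]:
    """Scan log lines and report every PAN and SAD occurrence with its line number."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for digits in find_pans(line):
            findings.append(Finding(n, "PAN", mask_pan(digits)))
        for m in SAD_RE.finditer(line):
            findings.append(Finding(n, "SAD", m.group(2).lower()))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        print(f"line {f.line_no}: {f.kind} {f.detail}")
    print("--- redacted ---")
    for line in SAMPLE_LOG_LINES:
        print(redact_line(line))
```

Run this over exported application, web-server and mail logs during scope validation; any "SAD" finding is a Req. 3.2 failure regardless of encryption, and any "PAN" finding puts that log store in CDE scope until the logging is fixed.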
MFA only for admins
v4.0 made MFA mandatory for ALL access into the CDE, including individual application users. That requirement became enforceable on March 31, 2025 and is now in effect.
Customized Approach without a Targeted Risk Analysis (TRA)
v4.0 allows alternative controls, but you must produce a written TRA per requirement you customize. Skipping the TRA invalidates the customized control.

PCI DSS FAQ

What merchant level am I?
Level 1: >6M Visa/MC transactions/year (or any breach). Level 2: 1M–6M. Level 3: 20K–1M e-commerce. Level 4: <20K e-commerce or <1M total. Levels 2–4 may self-assess via SAQ; Level 1 requires an annual on-site QSA assessment + quarterly ASV scans.
Does tokenization eliminate PCI scope?
It reduces scope significantly but does not eliminate it. Any system that touches the PAN before tokenization (capture page, IVR, POS) is still in scope. Properly architected redirect/iframe + Service Provider tokenization can reduce most merchants to SAQ-A.
What changed in PCI DSS v4.0.1?
v4.0.1 (June 2024) clarifies v4.0 wording but introduces no new requirements. Key v4.0 changes already in effect: MFA for all CDE access, customized approach option, targeted risk analyses, anti-phishing controls, payment-page script integrity monitoring (Req. 6.4.3, 11.6.1).
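Payment-page script integrity monitoring (Req. 6.4.3 and 11.6.1) comes down to two artefacts: an authorized inventory of every script loaded on the payment page, each with a written justification, and a periodic comparison of what the page actually loads against that inventory. The following is an added example, not code from this page or its audit tool: it builds such an inventory from script contents, classifies the scripts observed on a page as ok, tampered, unauthorized or missing, and emits a Subresource Integrity value that can be used as one of the integrity mechanisms. All script URLs and bodies are constructed samples; the report structure and the SHA-256/SHA-384 choices are this example's own.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthorizedScript:
    url: str
    sha256: str
    justification: str   # Req. 6.4.3: written justification for why the script is needed


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value for a <script integrity="..."> attribute (sha384, base64)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode("ascii")


def build_inventory(scripts: dict[str, tuple[bytes, str]]) -> dict[str, AuthorizedScript]:
    """Create the authorized inventory from (url -> (approved content, justification))."""
    return {url: AuthorizedScript(url, sha256_hex(body), why)
            for url, (body, why) in scripts.items()}


def check_payment_page(inventory: dict[str, AuthorizedScript],
                       observed: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare scripts observed on the page (url -> content) against the inventory.

    Returns sorted url lists under: ok, tampered (known url, changed content),
    unauthorized (url not in inventory), missing (inventoried but not loaded).
    """
    report: dict[str, list[str]] = {"ok": [], "tampered": [], "unauthorized": [], "missing": []}
    for url, body in observed.items():
        auth = inventory.get(url)
        if auth is None:
            report["unauthorized"].append(url)
        elif sha256_hex(body) != auth.sha256:
            report["tampered"].append(url)
        else:
            report["ok"].append(url)
    for url in inventory:
        if url not in observed:
            report["missing"].append(url)
    for urls in report.values():
        urls.sort()
    return report


# Constructed sample inventory: what change control approved for the checkout page.
AUTHORIZED = build_inventory({
    "/js/checkout.js": (b"// constructed sample: in-house checkout form logic\n",
                        "Renders and validates the card entry form"),
    "https://psp.example/tokenize.js": (b"// constructed sample: PSP tokenization SDK\n",
                                        "Tokenizes the PAN before it reaches our servers"),
    "/js/analytics.js": (b"// constructed sample: page analytics\n",
                         "Conversion metrics; no access to card fields"),
})

# Constructed sample of what a monitoring fetch of the live page actually returned:
# one script unchanged, one with unexpected appended content, one never approved,
# and the analytics script absent.
OBSERVED = {
    "/js/checkout.js": b"// constructed sample: in-house checkout form logic\n",
    "https://psp.example/tokenize.js": b"// constructed sample: PSP tokenization SDK\n"
                                       b"// unexpected appended content\n",
    "https://cdn.example/widget.js": b"// constructed sample: script nobody authorized\n",
}


if __name__ == "__main__":
    for status, urls in check_payment_page(AUTHORIZED, OBSERVED).items():
        print(f"{status}: {urls}")
    print("SRI for checkout.js:", sri_hash(OBSERVED["/js/checkout.js"]))
```

Anything in the tampered or unauthorized lists should raise an alert that feeds the incident response plan (Req. 12), and the inventory itself is the evidence a QSA will ask for when testing 6.4.3.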

Grade your policy in 20 seconds

Paste your existing document. Get a 12-clause PCI DSS scorecard. Generate a fully compliant version for $9 if you don't want to fix it manually.
