PCI DSS 4.0.1 · 16 RECURRING ACTIVITIES

PCI DSS 4.0.1 Compliance Calendar — quarterly + annual cadence

PCI DSS is the most cadence-heavy of the major frameworks: daily log reviews, quarterly ASV scans, semi-annual segmentation tests, annual penetration tests + ROC/SAQ. Miss any one and your acquirer or QSA will note it as a non-compliance.

Cadence mix: 2× Weekly · 2× Monthly · 2× Quarterly · 2× Every 6 months · 6× Annually · 2× Event-triggered
Who this is for
  • Merchants Level 1–4 (with or without QSA-led audit)
  • Service providers handling cardholder data
  • Engineering teams operating the cardholder data environment (CDE)
Typical effort
Variable by scope. Small SAQ-A merchant: <40 hrs/yr. Level-1 service provider with full ROC: multi-FTE.

The calendar

Weekly (2)

Daily log review (rolled up weekly) · Logging
Daily review of security events on CDE systems. Auto-tooling acceptable, but documented investigation of anomalies required.
  • Reference: Req. 10.4
  • Owner: Security + DevOps
  • Effort: 30 min/day
  • Evidence: Log review evidence

Critical security control checks · Network
Confirm firewall rules, IDS/IPS alerts, anti-malware signatures.
  • Reference: Req. 1, 11.5
  • Owner: Network + Security
  • Effort: 1–2 hrs
  • Evidence: Control check log

Monthly (2)

Critical patch installation · Patching
Critical security patches installed within 1 month of release.
  • Reference: Req. 6.3.3
  • Owner: DevOps
  • Effort: 4–8 hrs
  • Evidence: Patch records

Internal vulnerability scans · Vulnerability
Required by 11.3.1 — internal scans by qualified personnel; remediate per risk.
  • Reference: Req. 11.3.1
  • Owner: Security
  • Effort: 4 hrs
  • Evidence: Internal scan report

Quarterly (2)

External ASV scan (Approved Scanning Vendor) · ASV Scan
Pass scan from ASV; remediate Highs and rescan if needed; submit attestation.
  • Reference: Req. 11.3.2
  • Owner: Security + ASV
  • Effort: Vendor + 4–8 hrs internal
  • Evidence: ASV attestation

User access review (CDE accounts) · Access
Manager-certified review; remove dormant accounts; verify privileged access is still appropriate.
  • Reference: Req. 7, 8.2.6
  • Owner: Manager + IT
  • Effort: 4 hrs
  • Evidence: Access review report

Every 6 months (2)

Firewall / router rule review · Network
Review every CDE firewall rule for business justification + necessity. Remove obsolete rules.
  • Reference: Req. 1.2.7
  • Owner: Network
  • Effort: 4–8 hrs
  • Evidence: Firewall review

Network segmentation test (service providers) · Segmentation
Service providers must test segmentation effectiveness every 6 months. Merchants: annually.
  • Reference: Req. 11.4.5 / 11.4.6
  • Owner: Pen tester
  • Effort: Vendor-led
  • Evidence: Segmentation test report

Annually (6)

Penetration test — application + network (internal + external) · Pen Test
Per 11.4 — methodology, scope = CDE + connected systems. Remediate critical/high findings before report close.
  • Reference: Req. 11.4
  • Owner: Pen tester
  • Effort: Vendor + ~24 hrs internal
  • Evidence: Pen test + remediation

Targeted risk analysis (per Customised Approach controls) · Risk
PCI DSS 4.0 introduced targeted risk analyses for any control implemented via the Customised Approach + for periodic frequency definitions.
  • Reference: Req. 12.3.1
  • Owner: Security
  • Effort: 8 hrs
  • Evidence: Targeted risk analysis

Security awareness — CDE personnel + role-based · Training
All personnel with CDE access; role-based training for developers, sysadmins.
  • Reference: Req. 12.6
  • Owner: Security + HR
  • Effort: 4 hrs admin
  • Evidence: Training records

Policy + procedure review · Policy
Update for environment / scope / regulation changes. Documented review.
  • Reference: Req. 12.1
  • Owner: Security + Compliance
  • Effort: 8 hrs
  • Evidence: Updated policy library

Service provider list + responsibility matrix review · Vendor
Maintain list per 12.8.1; obtain attestation per 12.8.4; review responsibility matrix per 12.8.5.
  • Reference: Req. 12.8
  • Owner: Procurement + Security
  • Effort: 8 hrs
  • Evidence: Service provider register

ROC or SAQ + Attestation of Compliance · Validation
QSA-led ROC for Level 1; SAQ self-validation for lower levels. Submit AOC to acquirer.
  • Reference: PCI DSS Validation
  • Owner: QSA / Security + Exec
  • Effort: Variable; weeks for ROC
  • Evidence: ROC / SAQ + AOC

Event-triggered (2)

Significant change to CDE · Change
Any significant change → reassess scope, retest segmentation, rescan, update documentation.
  • Reference: Req. 6.5.2, 11.3.1.1
  • Owner: Security + Eng
  • Effort: Variable
  • Evidence: Change + revalidation record

Cardholder data incident response · Incident
Activate IR plan; preserve evidence; notify acquirer + brands per agreement timelines.
  • Reference: Req. 12.10
  • Owner: Incident lead + Legal
  • Effort: Variable
  • Evidence: Incident record


What happens when the cadence slips — real PCI DSS 4.0.1 actions

  • Target · 2013 · ~$202M
  • TJX Companies · 2007 · ~$256M

FAQ

How often is the ASV scan required?
Quarterly per Req. 11.3.2. Plus after any significant change to the CDE. Failed scans must be remediated and rescanned to a passing result.
Is annual penetration testing always required?
Yes per Req. 11.4 (and after any significant change). Both internal and external; segmentation controls must be validated. Methodology must be industry-accepted (e.g. PTES, OSSTMM, OWASP).
What's new in PCI DSS 4.0.1 ongoing cadence vs 3.2.1?
Targeted risk analyses for periodic frequencies + Customised Approach controls (12.3.1), expanded service provider segmentation testing, MFA on all CDE access, role-based developer training, and more documented evidence around scoping.
Does this calendar apply to SAQ-A merchants?
Many cadences scale down. SAQ-A applies only when card data handling is fully outsourced — but you still need vendor management, training, policy review, and incident response prep. Ignore the cadence and you'll fail your acquirer's annual SAQ check.
