
PCI DSS Evidence Collection Guide

Evidence types, retention requirements, and automation strategies for every PCI DSS v4.0.1 requirement — reduce collection time by up to 70%.


Evidence Types by Category

Policy & Procedure Documents

Req 2, 3, 5, 6, 9, 12
Automation: Medium
Information Security Policy
Incident Response Plan
Change Management Procedure
Access Control Policy
Retention: 1 year + active period

System Configuration Screenshots

Req 1, 2, 5, 6, 8
Automation: High
Firewall rule screenshots
OS hardening configuration exports
Encryption settings
Anti-malware config
Retention: Duration of assessment

ASV & Internal Scan Reports

Req 11
Automation: High
Quarterly ASV passing reports
Internal network scan results
Web application scan reports
Remediation tracking records
Retention: 12 months

Audit Log Exports

Req 10
Automation: High
Administrator activity logs
Access control logs
Security event logs
Log integrity verification
Retention: 12 months (3 months online)

Penetration Test Reports

Req 11.4
Automation: Low
Annual external penetration test
Internal pen test report
Segmentation test results
Remediation closure evidence
Retention: 12 months

Training & Awareness Records

Req 12.6
Automation: Medium
Security awareness training completion
PCI-specific role training records
Phishing simulation results
Policy acknowledgement signatures
Retention: 12 months

Automation Strategies

Continuous Config Harvesting

API integrations pull firewall rules, OS configs, and encryption settings on a weekly basis, eliminating manual screenshot collection at audit time.
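As an added illustration of what each weekly pull should produce (example code written for this page, not GRCTrack's or any vendor's API): a harvested configuration is stored together with a hash of its content and a hash over its collection metadata, so the artefact handed to the QSA can be shown to be unchanged since collection, and two successive snapshots can be diffed for drift. The sshd_config fragments, the hostname and the requirement label are constructed samples.

```python
"""Tamper-evident snapshot of a harvested configuration.

Added example; not GRCTrack code and not tied to any specific vendor API.
The two sshd_config fragments below are constructed samples standing in for
whatever an API pull returned on two successive weekly runs.
"""
from __future__ import annotations

import difflib
import hashlib
import json
from datetime import datetime, timezone


def normalise(config_text: str) -> str:
    """Normalise line endings and trailing whitespace only.

    Order is deliberately preserved: for firewall rule sets and similar
    configs the sequence is part of the meaning, so sorting would hide drift.
    """
    lines = [ln.rstrip() for ln in config_text.replace("\r\n", "\n").split("\n")]
    return "\n".join(lines).strip() + "\n"


def _record_digest(rec: dict) -> str:
    """Hash the metadata plus the content hash, so relabelling is detectable."""
    fields = {k: rec[k] for k in ("system", "requirement", "collected_at", "content_sha256")}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def make_record(system: str, requirement: str, config_text: str, collected_at: datetime) -> dict:
    """Build an evidence record whose content and metadata are both hashed."""
    body = normalise(config_text)
    rec = {
        "system": system,
        "requirement": requirement,
        "collected_at": collected_at.astimezone(timezone.utc).isoformat(),
        "content_sha256": hashlib.sha256(body.encode()).hexdigest(),
        "content": body,
    }
    rec["record_sha256"] = _record_digest(rec)
    return rec


def verify_record(rec: dict) -> bool:
    """Detect edits to either the captured content or the collection metadata."""
    content_ok = hashlib.sha256(rec["content"].encode()).hexdigest() == rec["content_sha256"]
    return content_ok and _record_digest(rec) == rec["record_sha256"]


def config_drift(prev: dict, cur: dict) -> list[str]:
    """Return the changed lines between two snapshots (empty list = no drift)."""
    if prev["content_sha256"] == cur["content_sha256"]:
        return []
    diff = difflib.unified_diff(
        prev["content"].splitlines(), cur["content"].splitlines(),
        fromfile=prev["collected_at"], tofile=cur["collected_at"], lineterm="", n=0,
    )
    # Keep only the +/- body lines, dropping the ---/+++ file headers.
    return [ln for ln in diff if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))]


# Constructed sample snapshots (not taken from a real host).
WEEK1 = "PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 4\n"
WEEK2 = "PermitRootLogin yes\nPasswordAuthentication no\nMaxAuthTries 4\n"

REC1 = make_record("bastion-01", "Req 2.2", WEEK1, datetime(2025, 1, 6, 3, 0, tzinfo=timezone.utc))
REC2 = make_record("bastion-01", "Req 2.2", WEEK2, datetime(2025, 1, 13, 3, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("week 1 record intact:", verify_record(REC1))
    for line in config_drift(REC1, REC2):
        print(line)
```

Storing the record hash alongside the artefact (or in a separate append-only store) is what turns a config export into evidence rather than a screenshot that could have been edited; the drift diff is what the weekly cadence buys you over collecting once at audit time.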

ASV Scan Integration

Connect your ASV portal to your GRC platform to automatically ingest passing scan reports and flag overdue quarterly scans before they become findings.

SIEM Log Evidence Export

Automated log sample generation from your SIEM — pre-formatted to match QSA evidence request templates — reduces log evidence prep from days to minutes.
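Added example, not GRCTrack code: before a log sample goes into the evidence pack, check that each record actually carries the per-event details Req 10.2.2 calls for (user identification, type of event, date and time, success or failure indication, origination of the event, and the identity of the affected data, component, resource or service). The JSON field names and the log lines are constructed assumptions about one SIEM's export format; the timezone check is an extra correlation sanity check added here, not wording from the requirement.

```python
"""Check a SIEM log sample against the per-event details in PCI DSS Req 10.2.2.

Added example; not GRCTrack code. The field names in REQUIRED are assumptions
about how a particular SIEM export labels each detail, and SAMPLE is constructed.
"""
from __future__ import annotations

import json
from datetime import datetime

# Req 10.2.2 detail -> field name assumed for this export format.
REQUIRED = {
    "user identification": "user",
    "type of event": "event_type",
    "date and time": "timestamp",
    "success or failure": "outcome",
    "origination of event": "source",
    "affected resource": "target",
}


def _has_timezone(ts: str) -> bool:
    """A timestamp without an offset cannot be correlated across systems."""
    try:
        return datetime.fromisoformat(ts.replace("Z", "+00:00")).tzinfo is not None
    except ValueError:
        return False


def check_event(raw: str) -> dict:
    """Return which 10.2.2 details are missing from one exported record."""
    try:
        ev = json.loads(raw)
    except json.JSONDecodeError:
        # Raw syslog or other non-JSON lines cannot be checked field by field.
        return {"ok": False, "missing": ["unparseable record"], "event_type": None}
    missing = [detail for detail, field in REQUIRED.items() if not str(ev.get(field, "")).strip()]
    ts = ev.get("timestamp")
    if ts and not _has_timezone(str(ts)):
        missing.append("timestamp lacks timezone offset")
    return {"ok": not missing, "missing": missing, "event_type": ev.get("event_type")}


def evidence_summary(lines: list[str]) -> dict:
    """Aggregate per event type so a gap in one log source stands out."""
    per_type: dict[str, dict[str, int]] = {}
    failures: list[tuple[int, list[str]]] = []
    for i, line in enumerate(lines, 1):
        r = check_event(line)
        t = r["event_type"] or "unknown"
        per_type.setdefault(t, {"total": 0, "complete": 0})
        per_type[t]["total"] += 1
        if r["ok"]:
            per_type[t]["complete"] += 1
        else:
            failures.append((i, r["missing"]))
    return {"per_type": per_type, "failures": failures, "ok": not failures}


# Constructed sample export: two complete records, then three with defects.
SAMPLE = [
    '{"timestamp":"2025-01-13T03:14:07Z","user":"jdoe","event_type":"admin_action",'
    '"outcome":"success","source":"10.20.1.15","target":"pci-db-01:/etc/sudoers"}',
    '{"timestamp":"2025-01-13T03:15:22Z","user":"svc_backup","event_type":"auth",'
    '"outcome":"failure","source":"10.20.1.40","target":"pci-app-02"}',
    # local time with no offset
    '{"timestamp":"2025-01-13 03:16:00","user":"root","event_type":"admin_action",'
    '"outcome":"success","source":"console","target":"pci-db-01"}',
    # no user identification
    '{"timestamp":"2025-01-13T03:17:45Z","event_type":"auth",'
    '"outcome":"success","source":"10.20.1.41","target":"pci-app-02"}',
    # raw syslog line that was never normalised by the SIEM
    "Jan 13 03:18:01 pci-app-02 sshd[4421]: Accepted publickey for jdoe from 10.20.1.15",
]

if __name__ == "__main__":
    summary = evidence_summary(SAMPLE)
    print(json.dumps(summary["per_type"], indent=2))
    for line_no, missing in summary["failures"]:
        print(f"line {line_no}: {', '.join(missing)}")
```

Running the check on the sample rather than on the whole log store is the point: the QSA sees a handful of records per event type, so one incomplete source (here the un-normalised syslog feed) is what turns into a Req 10 finding, and it is cheaper to catch it when the export is generated than during fieldwork.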

Training LMS Integration

Pull completion records from your LMS (Workday, Cornerstone, KnowBe4) automatically to satisfy Req 12.6 evidence requirements without manual exports.

FAQ

What types of evidence are required for PCI DSS?

PCI DSS evidence falls into five categories: policy documents, system configuration screenshots, scan reports (ASV and internal), log exports, and interview records. The QSA will test all 285 procedures and each requires at least one evidence artefact.

How long must PCI evidence be retained?

PCI DSS requires audit logs to be retained for at least 12 months, with the most recent 3 months available for immediate analysis. Policy documents and AOCs should be retained for the duration of the compliance programme plus one year.

What is an ASV scan?

An Approved Scanning Vendor (ASV) scan is a quarterly external vulnerability scan of your internet-facing IP addresses and domains, performed by a PCI SSC-approved scanning vendor. Passing ASV scan reports are required evidence for SAQ-A-EP, SAQ-B-IP, SAQ-C, SAQ-D, and Level 1 ROC.

How can I automate evidence collection for PCI?

Evidence automation tools connect directly to your infrastructure via APIs to pull configuration snapshots, log samples, and vulnerability scan results on a scheduled basis. GRCTrack reduces evidence collection time by up to 70% through continuous automated harvesting tied to each control.

What are the most common evidence gaps in a PCI audit?

The top 5 evidence gaps are: missing quarterly ASV scan reports, incomplete network diagrams, absent log retention proof, missing vulnerability remediation records, and policy documents with no version history or approval signatures.

How mature is your evidence programme?

Benchmark your evidence automation maturity against 4,700+ organisations.
