What compliance frameworks does GRCTrack support?

GRCTrack supports 10 compliance frameworks: PCI DSS 4.0.1 (322 controls), ISO 27001:2022 (93 controls), SOC 2 Type II (64 controls), HIPAA Security (45 controls), GDPR 2016/679 (99 controls), NIST CSF 2.0 (106 controls), NIS2 Directive (21 controls), SWIFT CSP 2024 (32 controls), Cyber Essentials UK (5 controls), and CE Plus UK (5 controls).

How is GRCTrack different from Vanta, Drata, and Sprinto?

GRCTrack is the only compliance platform built by qualified security assessors (QSAs). It features 6 dedicated portals, 7 AI intelligence engines, 53 drag-and-drop dashboard widgets, 15 granular RBAC roles, 10 visual themes, 11 languages, and support for niche frameworks like SWIFT CSP, NIS2, and Cyber Essentials that no competitor covers. Starting at £999/year vs $6,000+ for alternatives.

What are the 7 AI intelligence engines?

Flo — conversational AI assistant; FloAva — contextual guidance alongside controls; Policy Copilot — AI policy document generation; Evidence Intelligence — automatic categorisation and framework mapping; Remediation Intelligence — prioritised ticket creation with Jira/ServiceNow integration; Architecture Intelligence — AI-powered network diagram generation; Human Risk Intelligence — employee risk scoring and behavioural analytics.

What are the 6 portals?

QSA Admin Portal for multi-client assessment management; Merchant Portal for self-service compliance; Acquirer Command Center for portfolio-wide visibility; Auditor Portal for assessment execution; Client Portal for stakeholder tracking; Partner Portal for MSSPs with white-label and revenue sharing.

Does GRCTrack include security awareness training?

Yes. GRCTrack includes a full Training & Awareness Governance module aligned to PCI DSS Requirement 12.6. Features include mandatory course assignment, interactive quizzes, certification tracking, policy acknowledgement with digital signatures, and one-click audit evidence export. It also includes AI phishing simulation with campaign scheduling, behavioural analytics, and automated remediation.

What is the CISO Command Centre?

The CISO Command Centre is an executive dashboard providing real-time visibility across human risk scores, training completion, policy governance, privileged user exposure, departmental risk heatmaps, and awareness maturity metrics — all in a single pane of glass designed for security leadership.

Can I customise dashboards and themes?

Yes. GRCTrack offers 53 drag-and-drop dashboard widgets with role-aware sizing. You can choose from 10 visual themes (Pearl, Arctic, Slate, Rosé, Obsidian, Midnight, Ember, Forest, Aurora, System) and configure white-label branding with custom logos, colours, and domains.

Is there a free trial?

Yes. All multi-framework plans include a free trial — no credit card required. SAQ-A plans include a 30-day money-back guarantee. Enterprise customers can schedule a personalised demo first.

Interactive Tool

Generate Your Personal PCI Compliance Checklist

Select your SAQ type to generate a personalised checklist of every control you need to implement for PCI DSS v4.0.1 compliance.

1Select Your SAQ Type

Not sure which SAQ type applies to your business? Use the SAQ Wizard to find out.

Frequently Asked Questions

What is a PCI DSS compliance checklist?

A PCI compliance checklist is a comprehensive list of all controls required for your specific SAQ type. It maps each control to the PCI DSS requirement, evidence needed, and implementation steps. GRCTrack's checklist generator creates a personalised checklist based on your SAQ type.

How many controls are in PCI DSS SAQ A?

SAQ A contains approximately 22 controls focused on outsourced payment security, including policies, provider management, and personnel awareness. It applies to merchants who fully outsource payment processing to PCI-validated third parties.

How many controls are in PCI DSS SAQ D?

SAQ D for merchants contains 300+ controls covering all 12 PCI DSS requirements. SAQ D for service providers has additional requirements. This is the most comprehensive SAQ type, applying to organisations that store, process, or transmit cardholder data.

Can I skip PCI DSS controls?

Controls can be marked as not applicable (N/A) only if they genuinely do not apply to your environment. You must document and justify each N/A control. Alternatively, PCI DSS v4.0.1 allows compensating controls via the customised approach with documented risk analysis.