
See Exactly What QSAs Expect

See exactly what QSAs expect — sample policies, logs, diagrams, and artifacts for every PCI DSS v4.0.1 requirement.


Frequently Asked Questions

What evidence is needed for PCI DSS compliance?
Typical evidence includes security policies and standards, system and device configurations, network and cardholder data-flow diagrams, access control records and logs, vulnerability scan reports (including quarterly ASV scans), penetration test results, change management records, and security awareness training completion records. Which of these you need depends on your assessment type: each SAQ covers a subset of the requirements, while a full Report on Compliance (ROC) assesses all applicable requirements.
How should I organise PCI compliance evidence?
Organise evidence by requirement number, and label each item with its collection date, the systems and environment it covers (its scope), and any assessor notes, so a QSA can map each artifact to the requirement and testing procedure it supports. GRCTrack automatically categorises evidence into 8 types: Policy, Log, Diagram, Configuration, Procedure, Assessment Artifact, Screenshot, and Report.
How long must PCI evidence be retained?
The one-year rule that is often quoted comes from the audit log requirement (PCI DSS Requirement 10.5.1): audit log history must be retained for at least 12 months, with at least the most recent three months immediately available for analysis. For other evidence, the assessor needs records covering the full assessment period, typically the preceding 12 months (for example, four quarterly vulnerability scans and the annual penetration test and training records). Some industries, contracts, or regulators may require longer retention periods.