PCI DSS v4.0 Scope Assessment Wizard

Step-by-step CDE boundary scoping, SAQ type determination (A / A-EP / B / B-IP / C / C-VT / D), compensating controls assessment, v4.0 customised approach guidance, and a compliance Policy Mandate JSON. Client-side. Zero PII.

Zero PII · Client-side. Accurate scoping keeps the assessed environment small and reduces exposure to non-compliance penalties, which acquirers pass through from the card brands (commonly cited at $5K–$100K per month), and to post-breach forensic investigation and remediation cost.
Last Reviewed · 2026-05-12
🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.
Educational Use Only. This tool provides a self-assessment / educational framework for internal planning purposes only. It is not a regulatory audit, legal advice, or a substitute for a formal compliance review by a qualified advisor. Verify all interpretations against the official PCI DSS v4.0 text and the guidance published by PCI SSC, the card brands and your acquirer.
Step 1 — Organisation Profile
Merchant level is set by annual transaction volume per card brand (Visa / Mastercard): Level 1 over 6 million transactions (any channel), Level 2 1 to 6 million, Level 3 20,000 to 1 million e-commerce transactions, Level 4 all others. Level 1 requires a QSA-led ROC; an acquirer may also assign a higher level at its discretion.
Step 2 — Payment Channels
Step 3 — Card Data Handling
CHD (cardholder data) = PAN, plus cardholder name, expiry date and service code when stored together with the PAN
SAD (sensitive authentication data) = full track data (magnetic stripe or chip equivalent), CAV2/CVC2/CVV2/CID, PIN and PIN block; must not be retained after authorisation, even if encrypted (Req 3.3.1)
AoC = Attestation of Compliance. Obtain one from each third-party service provider that handles CHD or affects the CDE, and monitor their compliance status at least once every 12 months (Req 12.8.4)
Step 4 — Network Architecture & Assessment Approach
Validated segmentation removes isolated systems from PCI DSS scope; segmentation that is not tested and verified does not reduce scope, and a misconfigured control brings the whole connected network back in
Customised approach requires a Targeted Risk Analysis (Req 12.3.2) for each customised control and assessment by a QSA/ISA in a ROC; it is not available on an SAQ
PCI DSS v4.0 Req 4.2.1: PAN transmitted over open, public networks must be protected with strong cryptography and secure protocols; SSL and TLS 1.0/1.1 do not qualify, so TLS 1.2 or later is required
Scope Assessment Results
Regulatory Citations
  • [1] PCI Security Standards Council, PCI DSS v4.0, March 2022 — pcisecuritystandards.org
  • [2] PCI SSC, SAQ Instructions and Guidelines v4.0, March 2022
  • [3] PCI SSC, Guidance for PCI DSS Scoping and Network Segmentation, v1.1
  • [4] PCI SSC, Summary of Changes: PCI DSS v3.2.1 to v4.0, March 2022
  • [5] Visa, Global Merchant Compliance Programme
  • [6] Mastercard, Site Data Protection (SDP) Programme
About This Tool

This wizard applies PCI SSC scoping guidance and SAQ eligibility criteria from PCI DSS v4.0 to determine the applicable Self-Assessment Questionnaire type. It covers the seven merchant SAQ types (A, A-EP, B, B-IP, C, C-VT, D) and flags when a QSA-led Report on Compliance is required, either because the merchant is Level 1 or because the customised approach is selected. SAQ P2PE and SAQ SPoC (for merchants using a validated P2PE or SPoC solution) and SAQ D for Service Providers are outside the wizard's scope.
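The decision logic described above, written out as an added worked example. This is illustrative code for this page, not the wizard's own source: the merchant-level thresholds follow the Visa/Mastercard programmes and the SAQ eligibility rules follow the PCI SSC SAQ Instructions and Guidelines v4.0 at a high level, while the Channel names, the MerchantProfile fields and the sample profiles are assumptions made for the example.

```python
# Added worked example: a minimal SAQ-type decision routine of the kind the
# wizard applies. Illustrative code, not the wizard's source. Channel names,
# MerchantProfile fields and the sample profiles are assumptions for this example.
from dataclasses import dataclass
from enum import Enum, auto


class Channel(Enum):
    ECOM_REDIRECT = auto()         # whole payment page served by a validated TPSP (redirect/iframe)
    ECOM_DIRECT_POST = auto()      # merchant page controls the form/script that posts CHD to the TPSP
    ECOM_SELF_HOSTED = auto()      # merchant systems receive, process or transmit CHD
    MOTO_OUTSOURCED = auto()       # mail/telephone order, all CHD handling by a validated TPSP
    IMPRINT_OR_DIALOUT = auto()    # imprint machine or standalone dial-out terminal, no IP link
    STANDALONE_IP_POI = auto()     # standalone PTS-approved POI device with an IP link to the processor
    VIRTUAL_TERMINAL = auto()      # one-at-a-time keyboard entry into a TPSP-hosted virtual terminal
    PAYMENT_APP_INTERNET = auto()  # merchant payment application system connected to the internet


@dataclass(frozen=True)
class MerchantProfile:
    annual_txns: int               # all transactions per year for the card brand, every channel
    annual_ecom_txns: int          # e-commerce transactions per year for the card brand
    channels: frozenset            # Channel values actually in use
    stores_chd_electronically: bool
    stores_sad_after_auth: bool
    customised_approach: bool = False


def merchant_level(annual_txns: int, annual_ecom_txns: int) -> int:
    """Visa / Mastercard merchant level from annual volume (per brand).
    Level 1: over 6M/yr any channel; Level 2: 1M-6M; Level 3: 20K-1M e-commerce;
    Level 4: everything else. Acquirers may assign a higher level at their discretion."""
    if annual_txns > 6_000_000:
        return 1
    if annual_txns >= 1_000_000:
        return 2
    if annual_ecom_txns >= 20_000:
        return 3
    return 4


def determine_saq(p: MerchantProfile) -> str:
    """Return the validation document to expect: 'ROC' or an SAQ type.
    Each SAQ covers one payment-acceptance pattern; a merchant mixing patterns
    falls to SAQ D unless the acquirer agrees to multiple SAQs."""
    if not p.channels:
        raise ValueError("at least one payment channel is required")
    # Level 1 merchants validate with a QSA/ISA Report on Compliance, and the
    # customised approach is only available in a ROC, never on an SAQ.
    if merchant_level(p.annual_txns, p.annual_ecom_txns) == 1 or p.customised_approach:
        return "ROC"
    # Any electronic CHD storage rules out every reduced-scope SAQ. SAD retained
    # after authorisation is a Req 3.3.1 finding to remediate, not a scoping choice.
    if p.stores_chd_electronically or p.stores_sad_after_auth:
        return "SAQ D"
    ch = p.channels
    if ch <= {Channel.IMPRINT_OR_DIALOUT}:
        return "SAQ B"
    if ch <= {Channel.STANDALONE_IP_POI}:
        return "SAQ B-IP"
    if ch <= {Channel.VIRTUAL_TERMINAL}:
        return "SAQ C-VT"
    if ch <= {Channel.PAYMENT_APP_INTERNET}:
        return "SAQ C"
    # Card-not-present and fully outsourced: SAQ A. If the merchant's own page
    # controls how CHD reaches the TPSP (Direct Post / JavaScript form): SAQ A-EP.
    if ch <= {Channel.ECOM_REDIRECT, Channel.MOTO_OUTSOURCED}:
        return "SAQ A"
    if ch <= {Channel.ECOM_REDIRECT, Channel.ECOM_DIRECT_POST}:
        return "SAQ A-EP"
    return "SAQ D"  # self-hosted e-commerce or mixed channels


def assess(p: MerchantProfile) -> dict:
    """Bundle merchant level and validation type for display."""
    return {
        "merchant_level": merchant_level(p.annual_txns, p.annual_ecom_txns),
        "validation": determine_saq(p),
    }


# Constructed sample profiles (synthetic, no real merchant data).
SAMPLE_REDIRECT = MerchantProfile(50_000, 50_000, frozenset({Channel.ECOM_REDIRECT}), False, False)
SAMPLE_DIRECT_POST = MerchantProfile(50_000, 50_000, frozenset({Channel.ECOM_DIRECT_POST}), False, False)
SAMPLE_LEVEL1 = MerchantProfile(7_500_000, 100_000, frozenset({Channel.ECOM_REDIRECT}), False, False)
SAMPLE_STORES_CHD = MerchantProfile(300_000, 0, frozenset({Channel.STANDALONE_IP_POI}), True, False)

if __name__ == "__main__":
    for name, prof in [("redirect", SAMPLE_REDIRECT), ("direct post", SAMPLE_DIRECT_POST),
                       ("level 1", SAMPLE_LEVEL1), ("stores CHD", SAMPLE_STORES_CHD)]:
        print(f"{name:12s} -> {assess(prof)}")
```

The order of the checks matters: ROC conditions and electronic storage are tested before any channel pattern, because they override every reduced-scope SAQ, and the subset tests are written so that a single fully outsourced e-commerce channel resolves to SAQ A before the A-EP rule is reached.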

PCI DSS v4.0 (March 2022) key changes covered: customised approach with Targeted Risk Analysis (Req 12.3.2), expanded MFA for all access into the CDE (Req 8.4.2), e-commerce payment-page script management (Req 6.4.3), payment-page change and tamper detection (Req 11.6.1), and the requirement for strong cryptography in transit that rules out SSL and TLS 1.0/1.1 (Req 4.2.1). Note that PCI DSS v4.0.1 (June 2024) superseded v4.0 on 31 December 2024 with clarifications only and unchanged requirement numbering, and that the requirements marked as best practice in v4.0 became mandatory on 31 March 2025.

⚠ This tool provides scoping guidance only and is not a substitute for a formal QSA assessment or legal advice. Verify with your QSA and acquiring bank before completing an SAQ or ROC. Last Reviewed: 2026-05-09