CDE + Vendor + Scope Risk
Survey-based risk assessment across cardholder-data flows, CDE boundaries, vendor + service-provider posture, and scope reduction.
- CDE auto-discovery captured
- Vendor PCI posture scored
- Scope reduction tracked
For Level 1 Merchants + Service Providers + Multi-Channel Retailers
A card breach is a six-figure fine and a brand investigation, and the new version-4 rules just made the bar higher, with dozens of once-optional controls now mandatory. Most teams track scope in spreadsheets, chase scan evidence across channels, and rebuild the whole package each time the assessor comes back. RiskWatch runs it as one program: map your cardholder-data environment once, capture evidence as you go, and hand the assessor a ready package on demand instead of scrambling for it.
Trusted by Level 1 merchants, service providers, and multi-channel retailers managing PCI DSS 4.0, CDE scoping + segmentation, Targeted Risk Analysis, ROC + SAQ + ASV scan validation, and the broader PCI Security Council framework suite across POS + eCommerce + mail-order + telephony channels.
Why PCI Compliance Managers Pick RiskWatch
RiskWatch gives one team a single program covering every payment channel, every part of your cardholder-data environment, and every assessment cycle. Score a control once and it counts toward your card-brand validation and the standards that map to it at the same time, so you stop maintaining parallel spreadsheets that say the same thing. When the assessor shows up, the evidence is already there, and it costs a fraction of enterprise-bank GRC.
Cardholder-data flows discover themselves, segmentation evidence and the segmentation pen test cycle live in one place, and you can see exactly what is in scope before the assessor does, so nothing slips through a forgotten tab. (Auto-discovery plus segmentation evidence per §1.2.1, §1.2.4, and the §11.4.5 / §11.4.6 pen test cycle.)
The controls that now let you set your own testing frequency come pre-templated, so you document the risk decision once and track it instead of inventing a method under audit pressure. (DSS 4.0 Targeted Risk Analysis for the 18 customer-defined-frequency controls, plus Customized Approach documentation in the same vault.)
Run POS, eCommerce, mail-order, and telephony each on its own, then roll the whole picture up to a single report, with every merchant in scope handled the same way. White-glove setup takes 30 days, not six months. (Per-channel posture with rollup to the consolidated ROC.)
The PCI DSS Regulatory Landscape
PCI DSS 4.0 (effective March 31, 2024) and 4.0.1 (released June 2024) introduced the Targeted Risk Analysis, the Customized Approach, expanded scope on multi-factor authentication, new requirements for client-side scripts (§6.4.3) and HTTP request validation (§11.6.1), and stricter password and key-management rules. The 64-control 'future-dated' subset became enforceable March 31, 2025. Brand fines + acquirer assessments remain the enforcement layer (Visa, Mastercard, Amex, Discover, JCB), with CHD breach incidents driving 6-figure to 8-figure penalties. Each merchant level has its own validation cycle.
Three Domains, One Platform
RiskWatch covers all three. Each domain has a dedicated workflow, scoring model, and remediation queue. They share data so a single CDE assessment satisfies DSS 4.0 §3, the corresponding TRA, the segmentation pen test, and the QSA-required evidence trail simultaneously.
- Survey-based risk assessment across cardholder-data flows, CDE boundaries, vendor + service-provider posture, and scope reduction.
- All 12 PCI DSS 4.0 requirements + 64 sub-requirements, Targeted Risk Analysis, and the Customized Approach in one cross-mapped library.
- SAQ self-assessment (A through D + P2PE-HW), ROC for Level 1 merchants + service providers, and ASV quarterly scans tracked in one place.
§1.2.1 + §11.4.5 · CDE Scoping Spotlight
Most merchants apply PCI controls to far more of their network than necessary because they have no segmentation map. CDE auto-discovery + scope reduction is the highest-ROI move in PCI DSS 4.0. The CDE Scoping wizard maps cardholder-data flows, distinguishes CDE / Connected / Out-of-scope systems per §1.2.1 + §1.2.4, and tracks the §11.4.5 quarterly segmentation pen-test cycle required for service providers.
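As an added example (not RiskWatch's code), the Python below classifies a constructed asset inventory into CDE / Connected / Out-of-scope systems from a network-flow list, then shows which systems leave scope when a flow is blocked; the asset names, segments and flows are assumptions made for the example.

```python
"""Added example (not RiskWatch code): classify systems into PCI scope
categories from a constructed asset inventory and flow list, following the
scoping model the page refers to (§1.2.1 / §1.2.4): CDE = handles CHD or
shares a segment with a system that does; Connected = direct connectivity
to a CDE system or provides it a security service; OutOfScope = neither.
Only direct connectivity is considered (an assumption of this example)."""
from collections import defaultdict

# constructed inventory: name -> (segment, handles CHD?, security service for CDE?)
ASSETS = {
    "pos-terminal-01": ("pos-vlan", True, False),
    "payment-gw":      ("pay-dmz", True, False),
    "pos-switch-mgmt": ("pos-vlan", False, False),  # shares a segment with a CHD host
    "ad-dc-01":        ("corp-lan", False, True),   # authenticates CDE hosts
    "jump-host":       ("corp-lan", False, False),
    "hr-portal":       ("corp-lan", False, False),
    "guest-wifi-ap":   ("guest-vlan", False, False),
}
# constructed flows (source, destination); either direction counts as connectivity
FLOWS = [
    ("pos-terminal-01", "payment-gw"),
    ("jump-host", "payment-gw"),
    ("ad-dc-01", "pos-terminal-01"),
    ("hr-portal", "ad-dc-01"),  # reaches a Connected system, not the CDE itself
]

def classify(assets, flows):
    """Return {asset: 'CDE' | 'Connected' | 'OutOfScope'}."""
    chd_segments = {seg for seg, chd, _ in assets.values() if chd}
    cde = {n for n, (seg, _, _) in assets.items() if seg in chd_segments}
    adj = defaultdict(set)  # undirected adjacency built from the flow list
    for src, dst in flows:
        adj[src].add(dst)
        adj[dst].add(src)

    def category(name):
        if name in cde:
            return "CDE"
        if adj[name] & cde or assets[name][2]:
            return "Connected"
        return "OutOfScope"
    return {name: category(name) for name in assets}

def scope_reduction(assets, flows, flows_to_remove):
    """Model a segmentation change: assets that leave scope once the given flows are blocked."""
    before = classify(assets, flows)
    after = classify(assets, [f for f in flows if f not in set(flows_to_remove)])
    return sorted(n for n in assets
                  if before[n] != "OutOfScope" and after[n] == "OutOfScope")
```

Running `scope_reduction(ASSETS, FLOWS, [("jump-host", "payment-gw")])` shows the jump host dropping out of scope, which is the kind of before/after evidence a scope-reduction record needs.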
The Coverage Gap
GRC platforms handle policies + reviews. ASV vendors run quarterly scans. Network segmentation tools handle §1.2 boundaries. QSA firms run the assessment. Each does one job. PCI Compliance Managers still operate four parallel programs.
| Platform Category | DSS 4.0 | CDE Scoping | Targeted Risk | ASV Scans | ROC/SAQ | Multi-merchant |
|---|---|---|---|---|---|---|
| Generic GRC (ServiceNow GRC, Archer) | Partial | No | Partial | No | Partial | Partial |
| PCI Specialty Tools (ControlScan, Aperia) | Yes | Partial | Partial | Yes | Yes | Partial |
| ASV Scan Vendors (Trustwave, Qualys ASV) | No | No | No | Yes | No | No |
| Segmentation Tools (Illumio, Akamai Guardicore) | No | Yes | No | No | No | No |
| QSA Consulting Firms (Coalfire, Schellman, A-LIGN) | Yes | Yes | Yes | No | Yes | Partial |
| Spreadsheets & Email | No | No | No | No | No | No |
| RiskWatch (the unified ROC-ready platform) | Yes | Yes | Yes | Yes | Yes | Yes |
RiskWatch is the only platform covering all six PCI compliance domains: DSS 4.0 controls, CDE scoping + segmentation, the new Targeted Risk Analysis, ASV scan tracking, ROC/SAQ validation, and multi-merchant coordination. GRC platforms cover policies. ASV vendors run scans. Segmentation tools handle boundaries. Each does one job. RiskWatch unifies all six in one survey-based assessment workflow.
How It Works
RiskWatch is a survey-based assessment platform. The work is structured around questionnaires that capture CDE boundaries, the 12 PCI DSS 4.0 requirements, segmentation evidence, and the new TRA + Customized Approach in a consistent format, then scored against every framework you align to.
For PCI DSS, that workflow runs continuously across DSS 4.0.1, the 18 TRA controls, the segmentation pen-test cycle, ASV quarterly scans, and the broader PCI 3DS / PA-DSS / Card Production overlays. A single CDE assessment scores against DSS 4.0 §3, the TRA-required customer-defined frequency, and the cross-mapped SOC 2 + ISO 27001 controls simultaneously.
The same platform runs all of it, surfaces gaps before QSA arrival, assigns remediation owners, and tracks completion. Replace the GRC platform, the ASV portal, the segmentation spreadsheet, and the QSA reconciliation between them.
Built For Your Role
Owns the enterprise PCI program, QSA relationship, ROC validation cycle, and acquirer reporting.
12 reqs + 64 sub-reqs scored continuously. ROC evidence vault live. QSA pre-audit packages ready. Acquirer reporting on demand.
Owns the technical security controls, CDE protection, MFA + encryption + access management aligned to DSS 4.0.
All §6, §7, §8, §10, §11 controls scored. MFA + encryption evidence captured. Access reviews tracked. Pen-test results integrated.
Owns CDE scoping, segmentation rules, §1 firewall + boundary controls, and the §11.4.5 segmentation pen test.
Segmentation map live. §1.2.1 / §1.2.4 evidence captured. Quarterly segmentation re-validation scheduled. Pen-test integration tracked.
Owns §6 secure development, §11.6.1 HTTP request validation, §6.4.3 client-side scripts, and the SDLC + secure coding evidence.
§6.4.3 client-side script inventory live. §11.6.1 HTTP request validation captured. SDLC evidence + code review tracked.
Owns the §12.8 service-provider management, the supplier PCI register, and acquirer-facing service-provider reporting.
Service-provider register live. §12.8 evidence captured. AOC retention tracked. Service-provider risk continuously scored.
Owns the TRA methodology, internal PCI audit cycle, the Customized Approach control-objective documentation, and brand reporting.
TRA workflow live for 18 controls. Customized Approach docs captured. Internal audit cycle continuous. Brand reporting evidence vault.
Built For Your Segment
- Brick-and-mortar + eCommerce + mail-order + telephony retailers running CDE across POS, web, and contact-center channels.
- Online merchants under SAQ A, A-EP, or D with iframe / redirect / hosted-payment-page architectures and §6.4.3 client-side script obligations.
- Acquirers, processors, gateways, hosting providers, and managed services under stricter service-provider PCI requirements (§11.4.5 quarterly segmentation pen-test).
- Hotels, restaurants, and franchises running PCI across centralized + franchisee POS, payment-tokenization, and gift-card programs.
- Healthcare providers + payers running PCI alongside HIPAA, with patient-payment portals, kiosks, and IVR systems in scope.
- B2B SaaS, subscription, and recurring-billing platforms running PCI on tokenized payment flows + Stripe / Adyen / Braintree integrations.
Frameworks We Cover
RiskWatch ships with pre-built libraries for every major PCI Security Standards Council document + state law + cross-mapped framework. Map controls once. Score against the framework that matters this validation cycle.
Trusted by 500+ risk and compliance teams
We were running PCI in a 60-tab spreadsheet, ASV scans in a separate portal, segmentation evidence in Visio, and the QSA submission in Word. Now it's one platform. CDE scoping, all 12 DSS 4.0 reqs, the 18 TRA controls, the §11.4.5 segmentation pen-test cycle, and SOC 2 cross-mapping all run from the same evidence vault. Our last QSA assessment closed with three findings instead of fourteen, and we cut prep time from 16 weeks to 6.
Resources
DSS 4.0 · CDE · TRA · ROC-ready
30-minute walkthrough of the PCI library, your channel + CDE inputs, and the QSA-ready evidence-trail output. No slideware, no consulting upsell.
Or call US: +1 941-500-4525