PCI DSS Evidence Requirements: What QSAs Expect
A comprehensive guide to the documentation, configurations, screenshots, logs, and interview records that QSAs require for each PCI DSS requirement family.
Understand evidence quality standards, collection best practices, and common mistakes to ensure a successful assessment.
PCI DSS evidence is the documentation, system configurations, screenshots, logs, and interview records that demonstrate compliance with each of the 322 requirements. QSAs evaluate evidence quality based on completeness, accuracy, date relevance, and system identification. Collecting evidence continuously — not just at assessment time — is the most effective way to ensure a successful assessment.
Types of Evidence QSAs Expect
- Policies & Procedures: written security policies, operational procedures, standards documents
- System Configurations: firewall rules, OS hardening configs, encryption settings, access controls
- Screenshots & Screen Captures: timestamped evidence of system settings, dashboard views, monitoring alerts
- Log Files & Audit Trails: authentication logs, access logs, change management records, security event logs
- Interview Records: QSA notes from personnel interviews confirming awareness of and adherence to procedures
- Test Results: vulnerability scan reports, penetration test results, ASV scan outputs, segmentation test evidence
Evidence by PCI DSS Requirement Family
Each of the 12 PCI DSS requirement families calls for specific types of evidence. The following table summarises the key evidence types and documents QSAs expect for each requirement family.
| Requirement | Evidence Types | Key Documents |
|---|---|---|
| Req 1 — Network Security | Configurations, Diagrams, Logs | Firewall configs, network diagrams, rule review records |
| Req 2 — Secure Configuration | Configurations, Standards, Logs | Hardening standards, configuration baselines, default credential removal |
| Req 3 — Data Protection | Configurations, Policies, Procedures | Encryption configs, key management procedures, data retention policies |
| Req 4 — Transmission Encryption | Configurations, Certificates | TLS configurations, certificate inventories, protocol versions |
| Req 5 — Malware Protection | Configurations, Logs, Screenshots | AV configs, scan logs, update records |
| Req 6 — Secure Development | Procedures, Logs, Test Results | SDLC documentation, code review records, change control logs |
| Req 7 — Access Restriction | Configurations, Matrices, Logs | Access control matrices, role definitions, access review records |
| Req 8 — User Identification | Configurations, Screenshots, Policies | Authentication configs, MFA settings, password policy configs |
| Req 9 — Physical Security | Logs, Photos, Certificates | Visitor logs, camera footage, media destruction certificates |
| Req 10 — Logging & Monitoring | Configurations, Logs, Screenshots | Log configs, SIEM alerts, daily log review evidence |
| Req 11 — Security Testing | Test Results, Configurations, Reports | ASV scan reports, pen test reports, IDS/IPS configs, segmentation test results |
| Req 12 — Security Policies | Policies, Assessments, Records | Information security policy, risk assessments, training records, incident response plans |
Evidence Quality Standards
QSAs evaluate evidence against four key quality criteria. Evidence that fails to meet these standards will be rejected and must be re-collected.
- Date stamps: all evidence must show when it was collected. Undated evidence is rejected.
- System identification: screenshots must show the hostname, IP address or system name so the QSA can tell which system is depicted.
- Completeness: evidence must cover the full scope; partial evidence for a subset of in-scope systems is insufficient.
- Relevance: evidence must be from the current assessment period, not from prior years.
Evidence Collection Best Practices
Common Evidence Mistakes
- Collecting evidence only at assessment time (leads to rushed, incomplete evidence and failed requirements)
- Screenshots without date stamps or system identification
- Providing policies that don't match actual system configurations
- Missing evidence for a subset of in-scope systems (evidence must cover ALL systems)
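The four quality criteria and the "subset of in-scope systems" mistake can be checked before evidence is handed to a QSA. The script below is an added example, not GRCTrack's code or a PCI SSC tool; the hostnames, dates, assessment period and manifest are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Evidence:
    """One collected artefact (screenshot, config export, log extract)."""
    requirement: str             # requirement family, e.g. "Req 8"
    system: str                  # hostname/IP visible in the artefact, "" if absent
    collected_on: Optional[date] # date stamp on the artefact, None if absent

def check_evidence(items, in_scope, period_start, period_end):
    """Return a list of findings; an empty list means all four criteria hold."""
    findings = []
    covered = {}  # requirement -> set of systems with accepted evidence
    for e in items:
        label = f"{e.requirement} ({e.system or 'no system id'})"
        ok = True
        if e.collected_on is None:                                # date stamp
            findings.append(f"{label}: undated evidence")
            ok = False
        elif not (period_start <= e.collected_on <= period_end):  # relevance
            findings.append(f"{label}: dated {e.collected_on}, outside assessment period")
            ok = False
        if not e.system:                                          # system identification
            findings.append(f"{label}: no hostname/IP/system name shown")
            ok = False
        if ok:
            covered.setdefault(e.requirement, set()).add(e.system)
    # completeness: rejected items do not count, and every requirement that has
    # any evidence must be backed by accepted evidence for every in-scope system
    for req in sorted({e.requirement for e in items}):
        missing = sorted(in_scope - covered.get(req, set()))
        if missing:
            findings.append(f"{req}: no accepted evidence for {', '.join(missing)}")
    return findings

IN_SCOPE = {"pos-db-01", "pos-app-01", "fw-edge-01"}   # constructed CDE inventory
PERIOD = (date(2024, 1, 1), date(2024, 12, 31))        # constructed assessment period
SAMPLE = [                                              # constructed evidence manifest
    Evidence("Req 8", "pos-db-01", date(2024, 6, 3)),
    Evidence("Req 8", "pos-app-01", date(2023, 11, 20)),  # prior-year screenshot
    Evidence("Req 8", "", date(2024, 6, 3)),              # screenshot with no hostname
    Evidence("Req 1", "fw-edge-01", date(2024, 5, 14)),
    Evidence("Req 1", "pos-db-01", None),                 # undated config export
]

def sample_findings():
    return check_evidence(SAMPLE, IN_SCOPE, *PERIOD)

if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```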