MB-R093
Automated scanning cannot prove full PCI DSS compliance, but projects should maintain evidence references for manual review items such as payment flow diagrams, SAQ scope, incident response, access review, vendor responsibilities, and retention policies. This rule checks whether a project-level PCI evidence checklist or documentation pointer exists so technical findings can be reviewed in context.
Some PCI readiness evidence cannot be inferred from code alone. Teams still need diagrams, script approvals, access reviews, provider responsibility notes, incident procedures, and review cadence evidence.
A manual evidence checklist prevents audit surprises and gives merchants or agencies a practical way to prove how payment security is maintained over time.
# Look for PCI readiness evidence in repo or documentation
find . -iname "*pci*" -o -iname "*payment*evidence*" -o -iname "*checkout*script*"
# Confirm evidence covers payment flow diagrams, script inventory, access review, key rotation, incident response, and quarterly review
No documented payment flow, script approval, access review, or evidence owner.
# Manual evidence missing → FAIL
docs/pci-readiness.md includes owners, dates, payment flow, script inventory, and review evidence.
# Checklist present → PASS