← Back to Baseline

MB-R093

PCI manual evidence checklist present

C07 Logging & Monitoring Low

Automated scanning cannot prove full PCI DSS compliance, but projects should maintain evidence references for manual review items such as payment flow diagrams, SAQ scope, incident response, access review, vendor responsibilities, and retention policies. This rule checks whether a project-level PCI evidence checklist or documentation pointer exists so technical findings can be reviewed in context.

Why it Matters

Some PCI readiness evidence cannot be inferred from code alone. Teams still need diagrams, script approvals, access reviews, provider responsibility notes, incident procedures, and review cadence evidence.

A manual evidence checklist prevents audit surprises and gives merchants or agencies a practical way to prove how payment security is maintained over time.

Verification Steps

Evidence file check

# Look for PCI readiness evidence in repo or documentation
find . -iname "*pci*" -o -iname "*payment*evidence*" -o -iname "*checkout*script*"

Checklist review

# Confirm evidence covers payment flow diagrams, script inventory, access review, key rotation, incident response, and quarterly review

Remediation / Fix Guidance

  1. Create a PCI readiness checklist for items automation cannot prove.
  2. Attach payment flow diagrams, provider responsibilities, checkout script approvals, and access review notes.
  3. Assign owners and review dates to each evidence item.
  4. Keep evidence updated when payment modules, checkout scripts, or providers change.
  5. Store evidence where release and maintenance teams can find it.

Examples

Fail Example
No documented payment flow, script approval, access review, or evidence owner.
# Manual evidence missing → FAIL
Pass Example
docs/pci-readiness.md includes owners, dates, payment flow, script inventory, and review evidence.
# Checklist present → PASS

References