Controls now maps every check to PCI DSS 4.0.1, not just SOC 2
Scorifya Controls now produces PCI DSS 4.0.1 evidence alongside SOC 2 in the same self-hosted deployment. One image, both frameworks, on every tier, with no per-framework add-on. Here is what shipped and who it is for.
What changed
Scorifya Controls launched as a self-hosted SOC 2 readiness tool. As of today it maps the same evidence to **PCI DSS 4.0.1** as well. Every automated check and most manual controls now carry both an AICPA Trust Services Criteria 2017 reference and a PCI DSS 4.0.1 requirement number, so a single check run produces evidence for whichever framework you are working toward.
This is one deployment covering two frameworks. There is no separate PCI product, no per-framework tier, and no add-on charge. If you already run Controls, you get PCI mappings automatically the next time you pull the current image.
38 checks, each mapped to both frameworks
The automated check count is now **38**: 19 for your cloud accounts on one major provider, plus checks for a second and third cloud and your code host. Five checks were added specifically to strengthen PCI coverage: log groups that retain at least twelve months of history, databases that use a non-default master username, security groups that do not expose administrative or database ports to the internet, load-balancer listeners that require TLS 1.2 or higher, and databases that enforce TLS rather than merely allowing it.
Each of those also provides SOC 2 evidence, so nothing here is PCI-only overhead. A check that closes an open database port helps both frameworks at once.
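To make concrete what a check like "security groups that do not expose administrative or database ports to the internet" evaluates, here is an added Python example; it is not Scorifya's code, and the port sets, rule schema, and sample group IDs are assumptions constructed for illustration.

```python
import ipaddress

# Ports treated as sensitive when reachable from the internet. These sets are an
# assumption for this example; the page does not say which ports Controls checks.
ADMIN_PORTS = {22, 3389, 5985, 5986}
DATABASE_PORTS = {1433, 3306, 5432, 6379, 27017}
SENSITIVE_PORTS = ADMIN_PORTS | DATABASE_PORTS

def is_internet_cidr(cidr: str) -> bool:
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposed_ports(inbound_rules) -> list:
    """Sensitive ports that at least one inbound rule opens to the internet.
    Assumed rule schema: protocol 'tcp', 'udp' or '-1' (all); from_port/to_port
    bound the range; cidrs lists the allowed sources."""
    flagged = set()
    for rule in inbound_rules:
        if not any(is_internet_cidr(c) for c in rule["cidrs"]):
            continue  # private or partner ranges are not internet exposure
        if rule["protocol"] == "-1":
            flagged |= SENSITIVE_PORTS  # every port on every protocol
        elif rule["protocol"] == "tcp":
            low, high = rule["from_port"], rule["to_port"]
            flagged |= {p for p in SENSITIVE_PORTS if low <= p <= high}
    return sorted(flagged)

def check_security_group(group) -> dict:
    """Evaluate one security group; the result carries the ports as evidence."""
    ports = exposed_ports(group["inbound_rules"])
    return {"group_id": group["group_id"],
            "status": "fail" if ports else "pass",
            "exposed_ports": ports}

# Constructed sample input; group IDs and rules are placeholders, not real resources.
SAMPLE_GROUPS = [
    {"group_id": "sg-example-web", "inbound_rules": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0", "::/0"]},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["10.0.0.0/8"]}]},
    {"group_id": "sg-example-db", "inbound_rules": [
        {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidrs": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 0, "to_port": 65535, "cidrs": ["192.168.0.0/16"]}]},
    {"group_id": "sg-example-open", "inbound_rules": [
        {"protocol": "-1", "from_port": -1, "to_port": -1, "cidrs": ["::/0"]}]},
]

if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        print(check_security_group(group))
```

The result dict is the kind of record a check run would attach as evidence: the failing group plus the exact ports that caused the failure.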
28 manual controls, 8 written for card merchants
Manual controls now total **28**. The original 20 SOC 2 controls remain, and 13 of them also carry a PCI requirement code. On top of those, 8 controls were written specifically for merchants who qualify for **SAQ A** or **SAQ A-EP**: a cardholder data flow diagram, a payment-page script inventory with authorization, a quarterly scope confirmation, a third-party service provider list, written responsibility agreements with those providers, a card-breach incident response playbook, payment-page tamper detection evidence, and annual PCI security awareness training.
Each one gets a named owner, a next-review date, overdue alerts, and evidence uploads, exactly like the SOC 2 controls you may already be tracking.
A framework filter, so one view does not clutter the other
The dashboard, the checks table, and the read-only auditor portal now have a framework filter: **All**, **SOC 2 only**, or **PCI DSS only**. Selecting a framework recomputes the posture score and the passing and failing counts against only that framework's mapped items, so a SOC 2 auditor and a PCI assessor each see a clean, relevant view from the same instance.
Why self-hosting matters more for PCI
PCI scope grows every time you connect another party to your cardholder data environment. A hosted compliance platform that reaches into your systems is a third-party service provider you have to track, collect an Attestation of Compliance from, and account for in your scope.
Controls runs on your own servers and never receives your cloud credentials or your evidence. It adds no new third party to your cardholder data environment. Fewer connected systems mean a simpler scope conversation with your assessor. If you want the head-to-head, see the Vanta alternative and Drata alternative pages.
What this is not
Controls is a readiness and continuous-evidence tool, not a shortcut around the assessment itself. It does not fill out your SAQ, it is not a Qualified Security Assessor, and it does not perform approved scanning. Where your acquirer or card brand requires a QSA or an approved scanning vendor, you still engage one. What Controls gives you is a live, framework-mapped evidence trail, so that assessment work is far less painful.
PCI coverage is scoped to SAQ A and A-EP: merchants who outsource card capture to a hosted payment page and never store or process raw card numbers on their own systems. Higher-scope environments are out of scope for now.
Getting it
Pull the current image and run your checks. The framework filter appears on the dashboard, and the Settings page shows exactly which framework versions are in use with links to the authoritative sources. Full detail and common questions live on the Controls help page.