Rethink PCI Compliance Automation: From Checklists to Continuous Evidence
PCI compliance automation has become essential in an era where teams are shipping code multiple times each day. Yet the standard itself was built for a time when code was shipped monthly, data was stored on premises, and manual checklists were used to complete audits.
Today’s fast-paced release cycle shouldn’t have to slow down to keep up with compliance.
And the good news is that it doesn’t have to.
With the right system designs, leveraging automation can keep an organization in compliance—and create evidence for auditors along the way.
Determining Which Parts of PCI Compliance Should be Automated
At its core, PCI compliance automation means using technology and smart system design to continuously enforce, and prove, adherence to the PCI DSS standards without manual checklists or endless collections of screenshots.
Companies like Basis Theory have a shared responsibility matrix, which takes ownership of 90% of the PCI compliance requirements. The remaining 10% is perfect for automation.
“And auditors will like that you are automating that 10% in those cases,” says Brandon Sterne, CISO of Basis Theory.
As you automate portions of PCI compliance, Sterne recommends building evidence collection into your systems. This is a central pillar of a DevOps approach with continuous integration and continuous deployment (CI/CD). Developers continuously write code, and the CI runs to ensure all the tests are still passing. Assuming all tests pass, the CD automatically deploys that code to production. Developers are already doing this for functional tests. It's a small lift to add tests and logging to show control effectiveness.
A log is the output that shows the controls in place are doing what they say they should be doing.
“Then for the audit, you go to the latest run and grab the output from that CI,” Sterne says. “That’s your evidence.”
And when tests fail, don’t fail silently.
“Failures aren’t bad things; you should be using automation to see where specifically you failed in the code,” Sterne says. “You should be able to go to a report and find the reference point. This proves the control is working.”
What can I automate with PCI compliance?
Beyond leaning on a shared responsibility matrix, Sterne recommends applying automation to specific PCI requirements that remain within your own control.
For example, PCI 6.3.2 tells you to keep an inventory of bespoke and custom software. Any third-party library being used should also be inventoried and described. This helps monitor vulnerabilities and identify software upgrade opportunities.
Basis Theory has a CI job running through every repository with PCI scope. As it passes through the code, it generates a record of every library in use.
“Each library needs a justification,” Sterne says. “If there’s something not accounted for, the CI job will flag it. That’s an example of good automation in PCI.”
At audit time, specifically for 6.4.2, the PCI inventory page is kept current by that automation, and sharing the page is enough to satisfy the auditors.
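The following is an added example, not code from Basis Theory or from the article, that ties together the two ideas above: a CI job that inventories the third-party libraries in a PCI-scoped repository (the 6.3.2 control), flags any library without a recorded justification, and emits its result as a structured evidence record that points at the exact reference in the repo, so a failure is never silent. The requirements file, the justification inventory, the repository name and the commit placeholder are all constructed for illustration; the record format (JSON with control, commit, timestamp, result and findings) is an assumption about what an auditor-friendly artifact could look like, not a format the article prescribes.

```python
"""Added example: a CI evidence job for a software-inventory control.

Assumptions (not from the article): the justified inventory is a dict of
library -> justification, the repo's dependency list is a pip-style
requirements file, and the evidence record is published as JSON.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample: contents of a requirements file in a PCI-scoped repo.
SAMPLE_REQUIREMENTS = (
    "# payment-service dependencies\n"
    "requests==2.32.3\n"
    "cryptography==43.0.1\n"
    "pyyaml==6.0.2\n"
    "left-pad-py==0.1.0\n"
)

# Constructed sample: the inventory a reviewer maintains. Every library in
# use needs a written justification; anything missing here is a finding.
SAMPLE_INVENTORY = {
    "requests": "HTTP client for tokenization API calls",
    "cryptography": "TLS and field-level encryption primitives",
    "pyyaml": "Parses deployment configuration",
}

# Matches "name", "name==1.2" or "name>=1.2"; anything else on the line
# (markers, comments) is ignored by the parser below.
_REQ_LINE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:[=<>!~]=?\s*([^\s;#]+))?"
)


def parse_requirements(text):
    """Return (name, version, line_no) tuples from a requirements file.

    Comments and blank lines are skipped. The line number is kept so a
    finding can cite the exact reference point in the repository.
    """
    found = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _REQ_LINE.match(line)
        if not match:
            continue
        found.append((match.group(1).lower(), match.group(2) or "unpinned", line_no))
    return found


def check_inventory(requirements_text, inventory, source_path="requirements.txt"):
    """Compare libraries in use against the justified inventory.

    Returns a list of findings; an empty list means the control passed.
    """
    known = {name.lower() for name in inventory}
    findings = []
    for name, version, line_no in parse_requirements(requirements_text):
        if name not in known:
            findings.append({
                "library": name,
                "version": version,
                "reference": f"{source_path}:{line_no}",
                "reason": "no justification recorded in inventory",
            })
    return findings


def build_evidence(findings, commit_sha, repo, control_id="6.3.2"):
    """Produce the evidence record a CI run would publish as an artifact."""
    return {
        "control": f"PCI DSS {control_id} software inventory",
        "repo": repo,
        "commit": commit_sha,
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "result": "PASS" if not findings else "FAIL",
        "findings": findings,
    }


def run_ci_job(requirements_text=SAMPLE_REQUIREMENTS,
               inventory=SAMPLE_INVENTORY,
               commit_sha="<commit-sha-placeholder>",  # a real job reads this from CI
               repo="payment-service"):
    """One CI run of the control: check, then record the outcome."""
    findings = check_inventory(requirements_text, inventory)
    return build_evidence(findings, commit_sha, repo)


if __name__ == "__main__":
    evidence = run_ci_job()
    print(json.dumps(evidence, indent=2))
    # Fail the pipeline loudly; the printed record is the reference point
    # a reviewer or auditor goes to after the run.
    raise SystemExit(0 if evidence["result"] == "PASS" else 1)
```

Run against the constructed sample, the job fails because `left-pad-py` has no justification, and the record names the library, its version and `requirements.txt:5`. Archiving that JSON from each pipeline run is the "go to the latest run and grab the output" step the article describes; a passing record is equally useful evidence, since it shows the control executed on a specific commit at a specific time.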
System Design for PCI Compliance Automation
PCI compliance automation isn’t just about scripts and scans; it’s about designing systems that continuously create their own evidence. A well-designed control doesn’t just enforce security; it documents itself. The logs, reports, and alerts become living proof that the controls are actually working.
“That’s automation, but it’s also clever control design,” Sterne says. “Design your controls so that they produce evidence.”
Your work isn’t done after building security controls: the evidence layer must be built in as well. Smart control design treats evidence as part of the process, so that as long as the system is operating it produces evidence an auditor can review quickly and move on.
As PCI DSS 4.0 adoption accelerates, many organizations have implemented the new standard but have not yet realized its full value. Realizing that value doesn’t mean working harder or dedicating more resources to compliance; it means designing smarter. Automating evidence collection, integrating controls into existing developer workflows, and offloading as much PCI scope as you can to trusted partners turns compliance into a continuous, low-friction process that keeps pace with your engineers.
Sterne has previously spoken on this topic at the Merchant Advisory Group (MAG) Payments Conference, where he explored how organizations can bridge the gap between compliance interest and business impact.
Meet with Brandon at Payments MAGnified in February of 2026 to discuss PCI 4.0 and how continuous improvement applies to compliance!