🛡️ Compliance Assessment Tool

Your merchant portfolio. Actually PCI-compliant.

Roughly four in five organizations fail to maintain PCI DSS compliance (Verizon Payment Security Report) — because the process is built for auditors, not merchants. CAT turns the 40-page questionnaire into a 15-minute guided conversation: your merchants finish, you get signed official SAQ + AoC documents and a live portfolio dashboard — launchable with zero IT project.

🔒 PCI DSS SAQ A attested · AoC 🇪🇺 GDPR + UK GDPR DPA ready 📬 Signed OpenAI DPA · no model training on your data 🇺🇸 Data resident in AWS us-east-1

The actual merchant experience — most finish in about 15 minutes.

How you launch

Launch it your way.

Pick the launch path that matches how much lift you want today — from a zero-code bulk invite to a fully embedded custom experience. Every path runs the same compliance engine and produces the same official, PCI-form-filled SAQ + AoC PDF that card brands and your bank's auditor expect.

Live in under a week · zero code

Concierge launch

Technical name: bulk merchant invite (CSV import + branded email links)

Export your merchant list as a CSV. Each merchant gets a branded email with a secure link to complete their SAQ under your brand. No integration, no engineering ticket — you just watch the dashboard fill in.

POST /v1/merchants/import { "merchants": [...], "sendInvites": true } // → branded invite email sent to each merchant
Live in an afternoon

One-button launch

Technical name: platform redirect / hand-off

Redirect the merchant to a CAT URL your bank picks — they complete the SAQ on our domain (under your branding), then we send them back to the returnUrl you supplied with a ?status=completed&attemptId=… query string so your portal can update its own UI. Session-token auth and signed webhooks included.

POST /v1/merchants/{id}/portal-link { "returnUrl": "https://bank.example/.../callback" } // → 302 the merchant to response.handoffUrl // → we 302 them back with status + attemptId
Live in ~2 weeks

Embedded

Technical name: iframe embed + REST API

Drop our white-labellable iframe into your portal so the merchant never sees a domain change, or call the REST API directly to build a fully custom UI or mobile app. OpenAPI 3.1 spec at /openapi.json — your SDK is one openapi-generator-cli call away.

<iframe src="https://api.complianceassessmenttool.com /portal/embed?sessionToken=cat_sess_… &merchantId=mrc_…"></iframe>
Optional differentiator

AI-assistant add-on

Technical name: MCP server for your bank's chatbot

Plug our Model Context Protocol server into your bank's existing AI chatbot (Claude, GPT, or any MCP-compatible agent). The agent runs the entire SAQ flow conversationally — and every tool call still emits the same audit events as the REST API.

// MCP client config mcpServers: { cat: { url: "https://.../mcp", headers: {...} } }

How the AI actually works

Grounded in PCI DSS v4.0.1 — with a human in the loop on every step.

The AI doesn't replace the merchant's judgement or your QSA review. It translates 600-plus pages of PCI DSS into a question your barber shop owner or e-commerce founder can answer in their own words, then shows the merchant exactly what we inferred from their answer before they accept it. Nothing is silently auto-attested.

📚

Grounded in the source

Every combined question, applicability check, and compliance-status inference is anchored in the actual PCI DSS v4.0.1 control text we pre-loaded into DynamoDB. The model can't make up a control number — it reads from a typed reference table and cites the requirement it's interpreting.

🧑‍⚖️

Human reviews every step

The merchant sees the AI's suggested answer + reasoning + the underlying PCI requirement before they confirm. They can re-answer, ask for clarification, or escalate to a free-text reply. Nothing is sealed without a typed signature + attestation acknowledgement.

📖

Plain-English, not PCI jargon

"Do you store the card number anywhere — your CRM, accounting software, voice recordings of phone orders?" beats "Requirement 3.3.1: PAN is masked when displayed." The merchant doesn't have to become a PCI expert to honestly answer the question.

🔍

Full reasoning trail

Every AI inference is persisted with its reasoning, the source control text, and the suggested-answer history. The merchant, your compliance team, and your QSA can all see why a control landed at "In Place" vs "Not In Place" — no black box.

🛡️

Refusal-trained on sensitive data

The prompts explicitly refuse cardholder data: if a merchant pastes a PAN or CVV the agent declines to store it and points them to a safer way to describe the flow. The schema doesn't even accept those fields.

✍️

Signed, not auto-attested

The merchant signs the AoC themselves with a typed name + title + acknowledgement clause, captured on the attempt record. The PDF carries the same signature block your bank's auditor expects.

Why it matters

Today, your merchants ghost the PCI process.

Most regional banks and ISOs use a static PDF + email reminders + spreadsheet tracker. The completion rate for self-served SAQs hovers around 30–40%. The other 60% require manual follow-up, an outsourced QSA, or just get marked non-compliant in your reporting.

The traditional flow

  • 4-page PDF SAQ form emailed to the merchant
  • Merchant doesn't understand half the questions
  • Ops team chases by phone + email for weeks
  • ~30% never finish; bank carries the risk
  • QSA review costs $5k+ per merchant for the rest
  • No audit trail of who answered what or when

With Compliance Assessment Tool

  • Merchant clicks a link in their bank portal
  • AI determines the right SAQ from a natural-language description
  • One combined question per PCI requirement — not 200 sub-controls
  • Sign digitally; SAQ + AoC PDFs delivered by email and webhook
  • Per-merchant audit log of every state change
  • Typical merchant finishes in 12–18 minutes

Program economics

Compliance becomes a service line, not a penalty line.

Merchants don't resent paying for PCI compliance — they resent the process. When the annual program fee buys a 15-minute guided attestation instead of a stack of paperwork and a looming penalty, it reads as a service they value, not a tax they dodge.

$79–$119
typical annual PCI program fee merchants already expect to pay
$25
CAT's wholesale cost per completed assessment
$54–$94
net margin per compliant merchant, per year

And the number that matters most for your relationship with the card brands — your portfolio compliance rate — becomes something you can show them, instead of reconstructing it from a spreadsheet every audit season.

Model it for your book →

What CAT does best

Why banks and ISOs choose CAT.

Most merchant-compliance tooling on the market was built before modern AI and API platforms existed — a static questionnaire wrapped in a portal redirect. We built CAT the other way around: an AI engine and a flexible integration layer first, with the SAQ + AoC as the output. Here's what that gets your portfolio.

🧠

AI determines the right SAQ from plain English

The merchant describes how they take cards in a sentence — CAT picks the correct SAQ type across all nine variants (A, A-EP, B, B-IP, C, C-VT, D, P2PE, SPoC) and shows its reasoning. No more merchant self-selection errors that surface weeks later as a restart.

One question per PCI requirement, not 200+ sub-controls

6 combined questions for SAQ A, up to 12 for the largest types — each one covering a full requirement in plain language. It's the single biggest reason completion moves from ~35% to a clear majority of merchants finishing.

🔌

Four ways to launch, one engine underneath

Concierge launch (bulk invite, zero code), One-button launch (redirect and get them back), Embedded (iframe or REST API for your own UI), and an AI-assistant add-on (MCP server for your chatbot). Pick per merchant, per channel — every path runs the same engine and produces the same official documents.

📄

Official, form-filled SAQ + AoC PDFs

The exact documents card brands and your auditor already accept — sealed and delivered by email and webhook, with a per-merchant audit trail of every state change.

🔁

Annual renewal, handled for you

New: CAT tracks each merchant's 1-year attestation anniversary and automatically reminds the merchant — and your team — before it lapses, so your portfolio compliance rate stays high without anyone manually chasing renewals.

📊

A live view of your whole book

New: see what percentage of your merchant portfolio is compliant, what's expiring soon, and what needs attention — at a glance, instead of stitching it together from spreadsheets.

Numbers that matter to compliance

Built for the metrics your auditor will ask about.

~15 min
typical merchant completion time
99.5%
monthly uptime target
100%
audit-log coverage of state-changing events
< 5 min
session-token mint to first merchant interaction
2–4 wks
typical integration timeline
0
cardholder data on our infrastructure
Auto
renewal reminders before every 1-year AoC expiration

Trust & security

Built so vendor risk is the easy part.

We've assembled an AI platform that's purpose-built to take friction out of compliance for your customers — and the same discipline shows up on the vendor-due-diligence side. We hold our own signed PCI DSS SAQ A AoC, operate the public Trust Center, and have an executed Data Processing Addendum with OpenAI — the AI sub-processor that does the actual model work — covering the EEA / UK / Swiss SCCs and prohibiting model training on customer data. Read it for yourself: the fully signed PDF is downloadable under our click-through NDA. We're set up to make modern compliance easy to evaluate, not to send your security team chasing PDFs.

📜

PCI DSS SAQ A · attested

We hold our own signed Attestation of Compliance for SAQ A. View the AoC →

🇪🇺

GDPR + UK GDPR ready

SCCs and UK Addendum incorporated into our standard DPA. EEA / Swiss / UK transfers covered. Read DPA →

🤝

OpenAI DPA in force

Executed Feb 3, 2026 between us and OpenAI. No model training on customer data; ≤30-day retention. Available under our NDA. Details →

📋

SIG/CAIQ pre-filled

~80 of the most-asked vendor-questionnaire items already answered. Saves your security team a week. View →

📊

Per-partner audit log

Every state-changing API call writes a structured event. Queryable via REST. SOC 2 / SOX-evidence-ready. Docs →

🔐

Tenant isolation by design

Partition-key scoping on every query. Merchant-scoped session tokens. Cross-tenant reads return 403. Architecture →

Visit the full Trust Center →

Pricing

One simple price. No tiers, no per-call quotas.

Per completed assessment
$25
Billed monthly in arrears · volume discounts available · no per-API-call fees, no seat fees, no year-one minimums
  • ✓ Unlimited API calls (no per-call metering)
  • ✓ Unlimited session-token mints
  • ✓ AI determination + per-section combined questions
  • ✓ Official PCI form-filled SAQ + AoC PDFs
  • ✓ Webhook delivery with retries
  • ✓ Full audit log (retained term + 7 years)
  • ✓ Automatic annual renewal reminders for every merchant
  • ✓ Live portfolio dashboard — compliance rate, expirations, at-risk merchants
  • ✓ Embeddable iframe, REST API, MCP server
  • ✓ Bulk merchant import + branded invite emails (concierge launch)
  • ✓ Optional annual platform fee — waivable for pilots

Start with a capped pilot on a slice of your book — pay only for completed assessments.

Typical partner economics: charge your merchants the industry-standard annual program fee ($79–$119); CAT costs $25 per completed assessment — the margin is yours.

Ready to talk?

Apply for a partner integration and we'll respond within one business day. Or browse the docs and Trust Center — everything you need to do vendor risk is already public.

Apply to integrate → See the live demo