Roughly four in five organizations fail to maintain PCI DSS compliance (Verizon Payment Security Report) — because the process is built for auditors, not merchants. CAT turns the 40-page questionnaire into a 15-minute guided conversation: your merchants finish, you get signed official SAQ + AoC documents and a live portfolio dashboard — launchable with zero IT project.
The actual merchant experience — most finish in about 15 minutes.
How you launch
Pick the launch path that matches how much lift you want today — from a zero-code bulk invite to a fully embedded custom experience. Every path runs the same compliance engine and produces the same official, PCI-form-filled SAQ + AoC PDF that card brands and your bank's auditor expect.
Technical name: bulk merchant invite (CSV import + branded email links)
Export your merchant list as a CSV. Each merchant gets a branded email with a secure link to complete their SAQ under your brand. No integration, no engineering ticket — you just watch the dashboard fill in.
POST /v1/merchants/import
{ "merchants": [...], "sendInvites": true }
// → branded invite email sent to each merchant
Technical name: platform redirect / hand-off
Redirect the merchant to a CAT URL your bank picks — they complete the SAQ on our domain (under your branding), then we send them back to the returnUrl you supplied with a ?status=completed&attemptId=… query string so your portal can update its own UI. Session-token auth and signed webhooks included.
POST /v1/merchants/{id}/portal-link
{ "returnUrl": "https://bank.example/.../callback" }
// → 302 the merchant to response.handoffUrl
// → we 302 them back with status + attemptId
Technical name: iframe embed + REST API
Drop our white-labellable iframe into your portal so the merchant never sees a domain change, or call the REST API directly to build a fully custom UI or mobile app. OpenAPI 3.1 spec at /openapi.json — your SDK is one openapi-generator-cli call away.
<iframe src="https://api.complianceassessmenttool.com
/portal/embed?sessionToken=cat_sess_…
&merchantId=mrc_…"></iframe>
Technical name: MCP server for your bank's chatbot
Plug our Model Context Protocol server into your bank's existing AI chatbot (Claude, GPT, or any MCP-compatible agent). The agent runs the entire SAQ flow conversationally — and every tool call still emits the same audit events as the REST API.
// MCP client config
mcpServers: {
cat: { url: "https://.../mcp", headers: {...} }
}
How the AI actually works
The AI doesn't replace the merchant's judgement or your QSA review. It translates 600-plus pages of PCI DSS into a question your barber shop owner or e-commerce founder can answer in their own words, then shows the merchant exactly what we inferred from their answer before they accept it. Nothing is silently auto-attested.
Every combined question, applicability check, and compliance-status inference is anchored in the actual PCI DSS v4.0.1 control text we pre-loaded into DynamoDB. The model can't make up a control number — it reads from a typed reference table and cites the requirement it's interpreting.
The merchant sees the AI's suggested answer + reasoning + the underlying PCI requirement before they confirm. They can re-answer, ask for clarification, or escalate to a free-text reply. Nothing is sealed without a typed signature + attestation acknowledgement.
"Do you store the card number anywhere — your CRM, accounting software, voice recordings of phone orders?" beats "Requirement 3.3.1: PAN is masked when displayed." The merchant doesn't have to become a PCI expert to honestly answer the question.
Every AI inference is persisted with its reasoning, the source control text, and the suggested-answer history. The merchant, your compliance team, and your QSA can all see why a control landed at "In Place" vs "Not In Place" — no black box.
The prompts explicitly refuse cardholder data: if a merchant pastes a PAN or CVV the agent declines to store it and points them to a safer way to describe the flow. The schema doesn't even accept those fields.
The merchant signs the AoC themselves with a typed name + title + acknowledgement clause, captured on the attempt record. The PDF carries the same signature block your bank's auditor expects.
Why it matters
Most regional banks and ISOs use a static PDF + email reminders + spreadsheet tracker. The completion rate for self-served SAQs hovers around 30–40%. The other 60% require manual follow-up, an outsourced QSA, or just get marked non-compliant in your reporting.
Program economics
Merchants don't resent paying for PCI compliance — they resent the process. When the annual program fee buys a 15-minute guided attestation instead of a stack of paperwork and a looming penalty, it reads as a service they value, not a tax they dodge.
And the number that matters most for your relationship with the card brands — your portfolio compliance rate — becomes something you can show them, instead of reconstructing it from a spreadsheet every audit season.
What CAT does best
Most merchant-compliance tooling on the market was built before modern AI and API platforms existed — a static questionnaire wrapped in a portal redirect. We built CAT the other way around: an AI engine and a flexible integration layer first, with the SAQ + AoC as the output. Here's what that gets your portfolio.
The merchant describes how they take cards in a sentence — CAT picks the correct SAQ type across all nine variants (A, A-EP, B, B-IP, C, C-VT, D, P2PE, SPoC) and shows its reasoning. No more merchant self-selection errors that surface weeks later as a restart.
6 combined questions for SAQ A, up to 12 for the largest types — each one covering a full requirement in plain language. It's the single biggest reason completion moves from ~35% to a clear majority of merchants finishing.
Concierge launch (bulk invite, zero code), One-button launch (redirect and get them back), Embedded (iframe or REST API for your own UI), and an AI-assistant add-on (MCP server for your chatbot). Pick per merchant, per channel — every path runs the same engine and produces the same official documents.
The exact documents card brands and your auditor already accept — sealed and delivered by email and webhook, with a per-merchant audit trail of every state change.
New: CAT tracks each merchant's 1-year attestation anniversary and automatically reminds the merchant — and your team — before it lapses, so your portfolio compliance rate stays high without anyone manually chasing renewals.
New: see what percentage of your merchant portfolio is compliant, what's expiring soon, and what needs attention — at a glance, instead of stitching it together from spreadsheets.
Numbers that matter to compliance
Trust & security
We've assembled an AI platform that's purpose-built to take friction out of compliance for your customers — and the same discipline shows up on the vendor-due-diligence side. We hold our own signed PCI DSS SAQ A AoC, operate the public Trust Center, and have an executed Data Processing Addendum with OpenAI — the AI sub-processor that does the actual model work — covering the EEA / UK / Swiss SCCs and prohibiting model training on customer data. Read it for yourself: the fully signed PDF is downloadable under our click-through NDA. We're set up to make modern compliance easy to evaluate, not to send your security team chasing PDFs.
SCCs and UK Addendum incorporated into our standard DPA. EEA / Swiss / UK transfers covered. Read DPA →
Executed Feb 3, 2026 between us and OpenAI. No model training on customer data; ≤30-day retention. Available under our NDA. Details →
~80 of the most-asked vendor-questionnaire items already answered. Saves your security team a week. View →
Every state-changing API call writes a structured event. Queryable via REST. SOC 2 / SOX-evidence-ready. Docs →
Partition-key scoping on every query. Merchant-scoped session tokens. Cross-tenant reads return 403. Architecture →
Pricing
Start with a capped pilot on a slice of your book — pay only for completed assessments.
Typical partner economics: charge your merchants the industry-standard annual program fee ($79–$119); CAT costs $25 per completed assessment — the margin is yours.
Apply for a partner integration and we'll respond within one business day. Or browse the docs and Trust Center — everything you need to do vendor risk is already public.
Apply to integrate → See the live demo