Does PCI DSS reach an AI deployment that does not directly process cardholder data?

The standard reaches systems that store, process, or transmit cardholder data plus systems that could affect the security of those systems. An AI deployment that does not directly handle cardholder data but has network access into the CDE or that integrates with systems handling cardholder data falls inside the scope. The QSA's scope analysis traces the integrations and the network paths to determine what falls in scope. AI deployments often surprise the scope analysis because the integrations are recent and the data flows are not in the existing documentation.

Does the inspection-layer redaction satisfy the rendering-unreadable requirement under Requirement 3?

The redaction at the request boundary prevents the cardholder data from leaving the controller's perimeter in the AI access path. The retained payload at the model provider does not carry the cardholder data. The architectural effect is functionally equivalent to truncation or tokenization for the AI access path. The QSA's evaluation considers the redaction approach, the redaction completeness (does every prompt class trigger the redaction?), and the audit evidence (does the record series demonstrate the redaction fired?). The inspection-layer architecture provides the evidence the QSA expects.

How does the inspection layer enforce need-to-know access (Requirement 7) on a retrieval-based AI agent?

The agent's identity attaches to the retrieval call through the inspection layer. The policy bundle defines the authorized record sets per agent identity, per role, and per route. A retrieval call that requests records outside the authorized set fails or filters at the inspection layer before the records reach the agent's context. The audit record carries the agent identity, the requested scope, the records returned after filtering, and the policy decision. The architecture extends the existing role-based access model the organization runs for the source systems to the AI access path.

What is the QSA's evidence expectation for AI-related risks under Requirement 11?

The QSA expects the organization to identify the AI-specific attack vectors that apply to the deployment (prompt injection, indirect injection through retrieved content, sensitive data exfiltration through the response stream, unauthorized tool-call escalation), to define the testing methodology that covers each vector, to perform the testing on the documented schedule, and to remediate the findings. The audit record series feeds the testing evidence: a successful test extraction surfaces in the records as a detected event, and the remediation closes the policy gap that allowed the extraction.

Does the same audit record series satisfy both PCI DSS Requirement 10 and EU AI Act Article 12?

The record series carries the field set both regimes read against. Requirement 10 reads against the access record for cardholder data: timestamp, user identity, source, action, outcome. Article 12 reads against the AI-decision traceability: timestamp, identity, model and version, policy state, outcome. The field overlap is substantial. A single record series with the inspection-layer schema satisfies both regimes for AI deployments that fall inside both. The deployer produces the PCI DSS evidence for the QSA and the AI Act evidence for the AI supervisor from the same data.

PCI DSS and AI: How v4.0 Reaches Production AI Deployments Touching Cardholder Data

PCI DSS v4.0 took full effect on March 31, 2025. The standard reaches AI deployments wherever cardholder data passes through an AI prompt, a tool result, or a retrieval corpus the AI system queries. Most production AI deployments in payments-adjacent organizations have inherited a scope problem that v4.0 brings to the surface. The customer support agent the contact center uses retrieves the customer record from the CRM, which includes the cardholder data. The fraud-detection AI pipeline ingests the transaction stream that includes the primary account number. The internal copilot a billing team uses reads invoice attachments that contain the cardholder data in the PDF body. Each path puts the AI system inside the cardholder data environment unless the system actively prevents the cardholder data from reaching the model.

I want to walk through the PCI DSS v4.0 requirements that reach AI deployments, the architectural reason most implementations carry an oversized scope, and the inspection-layer controls that produce the audit evidence and the scope reduction the QSA will accept.

The PCI DSS scope rule and how AI expands it

Scope under PCI DSS is the set of systems that store, process, or transmit cardholder data plus the systems that could affect the security of those systems. The cardholder data environment (CDE) is the in-scope segment. Systems outside the CDE that have network access into the CDE pull into scope. Systems that handle cardholder data pull directly into scope regardless of network topology.

AI deployments routinely expand the CDE because the AI systems retrieve, process, or transmit cardholder data without the operator explicitly designing for it. Three patterns appear most often.

The first is the customer support agent that retrieves customer records to answer support queries. The CRM record includes the primary account number, the cardholder name, the service code, and sometimes the full track data depending on the integration history. The AI agent's prompt assembly puts the cardholder data into the model's context window. The model is now in scope.

The second is the fraud detection pipeline that ingests transaction streams. The transaction record includes the primary account number, the merchant identifier, the transaction amount, and the timestamp. The AI inference pulls the primary account number into the model's context. The model is in scope.

The third is the internal copilot reading invoices, statements, or receipts. The PDF body includes the truncated primary account number on a payment confirmation page. The OCR pipeline extracts the number into the prompt. The model is in scope.

Requirement 1: Network security and AI data flows

Requirement 1 requires the organization to document data flows for all cardholder data, including flows in and out of the CDE. AI deployments add data flows the existing documentation did not contemplate. The flow from the CRM into the AI prompt assembly into the model API call into the model provider's infrastructure has to be documented. The flow from the model response back into the agent's tool calls has to be documented.

The flow documentation has to identify the source system, the cardholder data fields the flow carries, the destination system, the encryption in transit, and the access controls at each hop. The QSA reads the documentation against the implementation to confirm the flows are accurate.

The inspection layer at the request boundary makes the flow documentation tractable. The layer logs every model call with the prompt classification, the routing decision, and the response classification. The compliance team generates the data flow inventory from the audit record series.

Requirement 3: Cardholder data discovery and scope reduction

Requirement 3 requires the organization to keep cardholder data storage to a minimum and to render the data unreadable wherever it is stored. The requirement applies to the AI deployment in two ways.

The first is discovery. The QSA's annual assessment expects the organization to demonstrate that the cardholder data inventory is current. AI deployments that ingested cardholder data into a vector database, a fine-tuning dataset, or a long-term memory store added cardholder data storage the inventory missed. The discovery scan has to cover the AI-adjacent stores.

The second is the rendering-unreadable requirement. Cardholder data stored in the AI-adjacent stores has to be rendered unreadable through truncation, tokenization, masking, or strong cryptography. The model provider's payload retention is the load-bearing case. The OpenAI API retains request payloads for thirty days by default. The Anthropic API retains for the same window. The retained payloads include cardholder data the application forwarded in the prompt. The retained data sits on the model provider's infrastructure under the provider's controls.

The architecture that produces the scope reduction is field-level redaction at the request boundary before the prompt reaches the model. The inspection layer classifies the prompt content, identifies the cardholder data fields, replaces the fields with a token or a masked representation, and forwards the redacted prompt to the model. The model provider receives the redacted payload. The retained payload at the provider does not carry the cardholder data. The model's response does not surface the cardholder data because the model never received it.

Requirement 7: Access control to cardholder data

Requirement 7 requires access to cardholder data be limited by business need to know. The role-based access model the organization runs for the CRM, the data warehouse, and the source systems has to extend to the AI access path.

The AI deployment expands the access surface in a structural way. A support agent who has need-to-know access to a customer's record through the CRM did not have access to a thousand other customers' records simultaneously. The AI agent the same support agent uses has access to the full corpus the retrieval index covers. A poorly constrained retrieval call returns records the agent does not have need-to-know access to.

The inspection layer at the request boundary enforces the per-caller scope on the retrieval call. The agent's identity attaches to the retrieval, the policy bundle defines the authorized record sets per agent, and the retrieval fails or filters records outside the authorized set. The audit record carries the agent identity, the requested scope, the records returned, and the policy decision.

Requirement 10: Logging and monitoring

Requirement 10 requires the organization to log all access to system components and cardholder data, including access through automated tools. The per-decision audit record series the inspection layer commits covers the logging obligation for the AI access path.

The record carries the timestamp, the natural-person identifier of the caller, the source system (the CRM, the data warehouse), the cardholder data fields the prompt carried (or the truncation or tokenization decision if the inspection layer redacted), the model and version, the policy decision, the response classification, and the cryptographic integrity signature. The QSA querying the record series for a sample of model calls reconstructs the access decisions and the policy state at the moment of each call.

The write-path independence of the inspection layer satisfies Requirement 10.5's log integrity expectation. The application that called the model cannot modify the record because the record sits in a store the application does not have access to.

Requirement 11: Security testing and AI-specific risks

Requirement 11 requires the organization to test the security of systems and networks regularly. The PCI DSS v4.0 update added an explicit obligation to address emerging risks, which the Council guidance reads to include AI-specific attack vectors.

The testing program for AI deployments inside the CDE covers prompt injection, indirect prompt injection through retrieved content, sensitive data exfiltration through the response stream, and unauthorized tool-call escalation. The testing produces evidence the QSA can verify against the inspection layer's audit record series. A penetration test that successfully extracts cardholder data from the model response has to surface in the audit record series as a detected and recorded event.

The QSA review and where most AI deployments fail

The QSA review against the AI access path tends to surface three failures.

The first is the unmapped data flow. The AI deployment was added to the production stack without an update to the data flow documentation. The QSA's walkthrough of the customer support workflow reveals the AI agent's role and the cardholder data flow into the model. The remediation requires the flow documentation and the scope reassessment.

The second is the model provider retention. The compliance team did not consider the model provider's payload retention as a cardholder data storage location. The QSA's review of the third-party inventory pulls the model provider into the scope, and the model provider's SOC 2 or PCI DSS attestation has to extend to the cardholder data the provider retains. Most model providers do not carry the PCI DSS attestation, which forces the organization to redact the cardholder data before it reaches the provider.

The third is the missing audit record for the model calls. The application-level log captures the SDK call but does not carry the per-call identity context, the per-call classification, or the per-call policy state. The QSA's Requirement 10 review fails because the records lack the field set the requirement expects.

DeepInspect

This is the gap DeepInspect closes for PCI DSS-applicable AI deployments. DeepInspect sits inline between the calling application and any HTTP LLM endpoint. For every request, DeepInspect classifies the prompt content for cardholder data fields, applies the per-route policy bundle that enforces field-level redaction or block, attaches the natural-person identifier to the record, evaluates the per-tool authorization for the agent's actions, runs the response classifier for cardholder data exfiltration, and commits the per-decision audit record from a credential the application cannot access.

The field-level redaction produces the scope reduction the QSA will accept: the prompt forwarded to the model provider does not carry the cardholder data, the model provider's retained payload does not carry the cardholder data, and the model never sees the cardholder data. The audit record series produces the Requirement 10 evidence. The same record series produces the data flow documentation under Requirement 1 and the access control evidence under Requirement 7. The deployment integrates as a single HTTP hop with no application code change beyond the base URL.

If your AI deployment touches cardholder data and the QSA review is finding scope gaps, let's talk.