The Compliance Ledger
Cycles, entries, DRL categories, custom categories, and the six states every entry moves through.
The compliance ledger is the single source of truth for your PCI DSS evidence. It replaces the DRL spreadsheet, the shared drive, and the task tracker with one structure that stays consistent across cycles.
Cycles
A cycle is a time-bounded assessment window — typically your quarterly or annual PCI assessment. Every cycle has:
- An ID (e.g. `Initial-Assessment-2026`, `2026-Q2`)
- Start date, end date, and an optional target completion date
- A status (`active`, `locked`, `archived`)
- A seeded set of entries — one per PCI DSS requirement
You can have multiple cycles open simultaneously (for example, a closed annual cycle archived for QSA reference and a fresh quarterly cycle in progress).
Entries
An entry is one piece of evidence your QSA expects. Each entry carries:
- A DRL request ID (e.g. `MFA-01`, `POL-02`)
- A title and description in plain English
- Expected evidence — what the QSA needs to see
- The PCI DSS requirement(s) it satisfies
- Upload instructions, accepted formats, and CLI automation notes
- An owner, a state, a priority, and a sign-off status
Entries live inside a cycle, so evidence for `MFA-01` in your Q1 cycle is separate from evidence for `MFA-01` in Q2 — unless you choose to carry it forward.
DRL categories
Every entry belongs to one of the 31 standard QSA evidence categories (the same structure your assessor's Document Request List uses):
| Code | Category |
|---|---|
| APP | Applications |
| AS | Assessments |
| AV | Antivirus |
| CHD | Cardholder Data |
| CSP | Cloud Service Providers |
| DIA | Diagrams |
| EMP | Employees & Contractors |
| FIM | File Integrity Monitoring |
| IDS | Intrusion Detection |
| KM | Key Management |
| LOG | Log Management |
| MFA | Multi-Factor Auth |
| NET | Network Devices |
| POL | Policies & Standards |
| SRV | Servers |
| TRN | Training |
| VPN | VPN |
| WAF | Web Application Firewall |
…and 13 others. The full list is visible from the category picker on any entry. When you export, the evidence ZIP is organized by these codes.
Custom categories
If your organization groups evidence differently than the baseline — for example, a company-specific category for a compensating control — admins can add custom categories from Settings → Categories. Custom categories merge with the baseline at read time, so every entry still maps to exactly one code.
The six states
Every entry sits in one of six states. State describes evidence provenance — where the evidence came from — not readiness. Readiness is sign-off.
| State | Meaning |
|---|---|
| `not_started` | No evidence attached yet. |
| `evidence_collected` | Auto-collected by a CLI scan upload. |
| `evidence_uploaded` | A person uploaded a file through the web app. |
| `carried_forward` | Evidence from a previous cycle, attested as still valid. |
| `not_applicable` | Scoped out with a required justification. |
| `needs_attention` | The collector or reviewer flagged a concern. |
Transitions happen automatically: a successful CLI scan advances an entry from `not_started` to `evidence_collected`; a manual upload advances it to `evidence_uploaded`; a carry-forward action moves it to `carried_forward`.

State is never a judgment. An entry in `evidence_collected` is not "compliant" — it simply has evidence. Your QSA makes the final compliance determination.
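The state model above, as an added Python sketch that is not the product's own code: the six states and the three automatic transitions come from the page, while the event names, the carry-forward preconditions and the separate sign-off flag are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# The six ledger states and the transitions the page describes. Event names
# are this example's own, not the product's API.
STATES = {"not_started", "evidence_collected", "evidence_uploaded",
          "carried_forward", "not_applicable", "needs_attention"}
EVENTS = {                       # event -> resulting state
    "cli_scan": "evidence_collected",
    "manual_upload": "evidence_uploaded",
    "carry_forward": "carried_forward",
    "flag": "needs_attention",
    "scope_out": "not_applicable",
}
EVIDENCE_STATES = {"evidence_collected", "evidence_uploaded", "carried_forward"}


@dataclass
class Entry:
    request_id: str                      # DRL request ID, e.g. "MFA-01"
    cycle_id: str                        # e.g. "2026-Q2"
    state: str = "not_started"
    justification: Optional[str] = None  # required for not_applicable
    signed_off: bool = False             # readiness lives here, never in state
    history: list = field(default_factory=list)

    def apply(self, event: str, justification: Optional[str] = None,
              source: Optional["Entry"] = None) -> str:
        """Apply an event and return the new state, enforcing the page's rules."""
        if event not in EVENTS:
            raise ValueError(f"unknown event {event!r}")
        if event == "scope_out" and not justification:
            raise ValueError("not_applicable requires a justification")
        if event == "carry_forward":
            # Assumption: the source is the same DRL request in an earlier
            # cycle and actually holds evidence to attest as still valid.
            if (source is None or source.request_id != self.request_id
                    or source.cycle_id == self.cycle_id
                    or source.state not in EVIDENCE_STATES):
                raise ValueError("carry_forward needs a prior-cycle entry with evidence")
        new_state = EVENTS[event]
        self.history.append((self.state, event, new_state))
        self.state = new_state
        if event == "scope_out":
            self.justification = justification
        return new_state

    def has_evidence(self) -> bool:
        return self.state in EVIDENCE_STATES

    def is_ready(self) -> bool:
        # "State is never a judgment": readiness is the sign-off, not the state.
        return self.signed_off
```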
Navigating the ledger
- Cycles list — `/cycles` — all cycles, past and present.
- Cycle detail — `/cycles/<cycle-id>` — every entry in the cycle, grouped by DRL category, with state and owner visible at a glance.
- Entry detail — `/ledger/<cycle-id>/entries/<entry-id>` — upload evidence, change state, assign an owner, sign off, or mark N/A.