
The QSA is coming. Your certificates are on the agenda.
The PCI DSS 4.0 Audit Prep Kit packages the evidence, the answers, and the 30-day plan for the certificate and cryptography portion of your assessment — built by engineers who have sat through these interviews.
Instant download · 4 working documents · Single-organization license
Want to gauge the gap first? Run the free PCI audit prep checklist →PCI DSS 4.0 raised the bar on crypto
The new requirement
A documented cryptographic inventory, reviewed annually. "Show me your crypto inventory" is now a standard QSA request.
The date it became mandatory
4.0's future-dated requirements became mandatory, including 12.3.3. If your assessment started after this date, these controls are in scope.
Explicitly expected under 4.2.1
ECDHE/DHE cipher suites are required. 3DES removal is also checked — Sweet32 vulnerability made it a direct 4.0 finding.
A cert the QSA finds that isn't in your inventory
If the QSA scans and finds a certificate your team didn't document, the inventory finding follows — and raises questions about everything else.
What a finding actually costs
A certificate-related finding means remediation under deadline, a re-test, and an uncomfortable conversation about why the crypto controls weren't documented. QSA prep engagements run $10,000+; internal scramble weeks cost more. This kit is the checklist-to-evidence bridge for one narrow, high-scrutiny slice of the assessment: certificates and cryptography.
Four working documents. Zero surprises in the interview.
No PDFs to read. No worksheets to build from scratch. Open and fill.
Certificate Evidence Workbook
ExcelA control map of all nine certificate/crypto requirements — 4.2.1 through 12.3.3 — each with what the QSA asks and the exact evidence to produce.
- 17-item evidence register with owner, status, and location tracking
- Remediation tracker pre-seeded with the twelve findings QSAs raise most, severity-coded
Crypto Inventory Template
Excel · Requirement 12.3.3 deliverableThe Requirement 12.3.3 deliverable, ready to fill: certificates, keys, and protocols/ciphers tabs — plus the annual review log most teams miss.
- Separate tabs: certificates, keys, protocols/ciphers
- Annual review log — the requirement is maintain AND review; this proves both
QSA Interview Prep
WordQuestion-by-question preparation: the strong answer pattern, what weakens it, and what to have in hand — for every certificate and key management question from scope to key rotation.
- Interview assignment table — one named owner per topic
- Five answers to rehearse out loud before the interview
30-Day Prep Plan
ExcelA phased project plan from T-30 to audit day — discover, triage, fix, assemble, verify, freeze — with owners, status tracking, and a progress counter.
- Six phases across 30 days with named owners per task
- The month before the audit, managed
The judgment you're paying for
"The failure mode isn't a wrong answer; it's three people giving three different answers, or an answer the evidence contradicts. One named owner per topic.
"If something failed in the assessment period (expired cert, outage), disclose it with the monitoring you added. Transparency scores better than cover-ups.
""We rotate keys when we renew certificates" conflates cert renewal with key rotation — 4.0 QSAs probe exactly this.
Kept current
The kit is revised when PCI SSC guidance and CA/Browser Forum requirements change. Purchasers keep lifetime access to the current version — the same compliance monitoring engine that powers fixmycert.com/compliance tracks requirement changes so updates ship before the next assessment cycle.
One-time purchase
- Certificate Evidence Workbook (Excel)
- Crypto Inventory Template — Req. 12.3.3 deliverable (Excel)
- QSA Interview Prep with strong-answer patterns (Word)
- 30-Day Phased Prep Plan (Excel)
- Lifetime access to the current version
- Single-organization license
Secure checkout via Stripe. Download link delivered instantly.
The compliance shelf
47-Day Readiness Kit
Know where your automation stands. 82-point scored audit, exec briefing deck, CLM vendor matrix, and DCV migration plan.
PCI DSS 4.0 Audit Prep Kit
Survive this assessment. Evidence workbook, crypto inventory, QSA interview prep, 30-day plan.
Compliance-in-a-Box
The governance documentation auditors ask for next: CP/CPS template, key ceremony script, and naming convention guide.
Common Questions
Want the checklist version first? Read the free PCI DSS 4.0 Certificate Audit Prep checklist →