Server-derived brand

innovate PCI shell

Compliance

Compliance cycle and Data Collection readiness workflow for the Command Center.

Organization: Innovate Lab Tenant
Entity: ent_innovate_platform_lab
Scope: server-derived registry scope
Role: pci_operator
Stage: lab
Active theme: Pay Theory

Technical details

brand_pointer: partner://innovate/brand/lab/v2026-05-01
asset_pointer: https://assets.innovate.test/pci/
brand_reasons: none

Partner brand service

Loading partner-owned brand manifest from /api/session/brand.

Brand API: /api/session/brand
Boundary: No browser tenant authority, brand override authority, theme mutation, asset upload, endpoint value, account identifier, physical id, secret, live-data path, or fallback browser storage.

Trusted tenant context

Tenant authority: trusted API session

Tenant: pci_tnt_innovate_lab; partner: innovate; stage: lab; registry version: 3.

No viewer authority inputs were used.

PRD-384 permission matrix

Server-derived navigation and actions

hidden-not-disabled

Role-specific navigation and actions are projected from /api/permissions/matrix. The browser cannot supply tenant, entity, role, signer, or forwarded-header authority; never-allowed actions are omitted from the shell instead of rendered disabled.

Matrix source: api_server_derived_from_session_registry_context
Primary role lane: pci_operator from server matrix metadata
Visible actions: 8
Suppressed actions: 1 action(s) withheld without client-side disabled controls.
Viewer role accepted: false
Signer input accepted: false

Step-up reauthentication handoff

When the server-derived permission matrix marks an action as requiring step-up, this shell sends the operator to the same-origin PCI API/BFF step-up route. The browser never constructs Autheory authorize URLs and never supplies tenant, role, principal, subject, MFA, freshness, or permission authority.

Override inherited answer Reauthenticate Only sensitive_action=answer.override is sent as a non-authoritative retry hint.
Queue audit export Reauthenticate Only sensitive_action=operator.audit_export is sent as a non-authoritative retry hint.

Step-up initiate: /api/session/step-up
Callback boundary: /api/session/callback is API/BFF-owned after provider reauthentication.
Allowed browser hint: sensitive_action / action only; the API must re-check session, CSRF policy for unsafe service retries, tenant registry, permissions, and freshness.

Visible server-allowed actions
Action	Category	Step-up	Reason
Review tenant	tenant	server authorized	role_allows_tenant_review
Review evidence package	evidence	server authorized	role_allows_evidence_review
Create evidence metadata intake	evidence	server authorized	role_allows_evidence_upload_metadata
Answer questionnaire	assessment	server authorized	role_allows_answer
Override inherited answer	assessment	server step-up required	operator_step_up_required
Invite submerchant	onboarding	server authorized	operator_scope_review_required
Save workflow state	workflow	server authorized	role_allows_workflow_metadata_save
Queue audit export	audit	server step-up required	role_allows_operator_audit_export_metadata

auth.session_refreshed

Module status

Data Collection enabled / primary Data Collection is enabled by trusted session context.
Monitoring enabled / integrated Monitoring is enabled by trusted session context.

PCI application

PCI Compliance Command Center

Interactive compliance workflow workspace

Compliance cycle loaded: 22 of 24 responses answered, 3 evidence records, and 5 review lanes. Same-origin API refresh will keep this workspace current. Tenant authority, live data, payment traffic, restricted contents, and deployment authority stay server-side.

operator review 92% Start compliance cycle

Client authority: csrf-bound-workflow-save-only
Request policy: trusted-session-csrf-no-viewer-authority-workflow-data-only
CSRF cookie: __Host-pt_pci_csrf same-origin session check for workflow saves.
Data boundary: Workflow state only; no live payment data, restricted evidence files, signed document files, export files, external queues, notifications, or partner-edge authority.

Next best action

Confirm scope

Review the business profile and SAQ path before moving questionnaire work forward.

Use a stage card to work, mark ready, or accept a section; every change goes through the same-origin workflow API.

Workflow

Run the compliance cycle

Compliance lead

Business profile & SAQ scope

SAQ_A recommended with needs review confidence.

18 inherited answers, 1 stale item, 2 evidence requirements.

Review scope

Security reviewer

Questionnaire & policy review

22 of 24 control responses answered across 2 sections.

92% complete; 1 review findings tracked.

Continue questionnaire

Evidence coordinator

Evidence collection

3 evidence metadata records and 3 upload-session states are visible.

1 accepted metadata records; browser upload remains disabled.

Review evidence

Executive reviewer

AOC package & acceptance

Export package is blocked with 5 role lanes in final review.

2 sign-ready checks passed; signing remains server-authorized only.

Review package

Controls

Control workbench

Work the concrete control answers and evidence records that move this compliance cycle toward review.

Payment flow scope12/12 answers completeSAQ scope and payment-channel review
ready for reviewOpen workspace
Security policy review10/12 answers completeClear stale inheritance or record the reviewer answer
blockedOpen workspace
Monitoring readiness evidenceMonitoring readiness evidenceRequest state: missing
missingOpen workspace

Tasks

Work queue

Confirm Data Collection cycle ownerSource: data collectionTenant scoped by trusted API session
open
Review Monitoring integration review itemSource: monitoringTenant scoped by trusted API session
waiting
Verify corpus pointer for active cycleSource: corpusTenant scoped by trusted API session
open
Finding: Review cannot complete until the trusted evidence metadata ref is present.Requirement: Monitoring readiness evidenceOwner: pci operator
unresolved blocker

Evidence

Evidence checklist

TPSP AOC metadata packageType: tpsp aocVisibility: parent visible record onlyScan: passed
accepted record
Monitoring status metadataType: monitoring statusVisibility: tenant visibleScan: pending
scanner pending
Network scan upload refusedType: network scanVisibility: hidden refusedScan: refused
refused metadata
Requirement evidence: AOC package evidenceStatus: accepted recordedLab sample expiry: 2027-05-04
accepted recorded
Requirement evidence: Monitoring readiness evidenceStatus: missingNo expiry label
missing

AOC / export

Review package

Sign-ready checks: 4
Passed checks: 2
Signer review: needs correction
Signature: correction required
Export package: blocked

Acceptance

Final review

Review state: degraded
Role lanes: 5
Accepted entities: 1
Pending handoffs: 4
Browser authority: not allowed

Final review packet

What reviewers need to decide

This packet is the checklist behind final acceptance: each row names the reviewer, the workspace, the decision, and the criteria.

Business profile and SAQ scopeReviewer: submerchant adminDecision: Confirm payment channels and SAQ path or request follow-upCriteria: Merchant profile is complete; Payment channel scope is recorded; SAQ path recommendation is reviewable
ready for reviewReview the scope workspace
Questionnaire and policy answersReviewer: submerchant adminDecision: Accept control answers or return them for changesCriteria: Required controls have answers; Stale inherited answers are cleared or explained; Policy exceptions have owner notes
not startedOpen control answer workbench
Evidence request coverageReviewer: evidence uploaderDecision: Accept evidence records or request corrected referencesCriteria: Required evidence records are linked; Scanner status is recorded; Restricted contents are absent from the browser response
not startedOpen evidence request workbench
Monitoring dependency readinessReviewer: pci operatorDecision: Confirm Monitoring dependency state or request remediationCriteria: Monitoring dependency owner is visible; Evidence and assessment routes are linked; No browser scan, beacon, CSP, or status-feed mutation is available
not startedOpen monitoring readiness workbench
AOC package and correction logReviewer: executive signerDecision: Accept package readiness or record correction requestCriteria: Sign-ready checklist is visible; Correction/addendum rows are reviewable; Only package status and correction rows are returned
not startedOpen AOC package workbench
Final operator acceptanceReviewer: pci operatorDecision: Record final product review or request follow-upCriteria: Authorized reviewers are visible; Role handoff state is reviewable; Final review action is CSRF-bound and server-derived
not startedOpen acceptance flow

Activity

Recent application activity

Compliance cycle openedoperator review with current corpus package4 cycle badges active
current
Questionnaire progress seeded22 answered / 24 total92% completion
ready for review
AOC package queued for review4 sign-ready checksExport state: blocked
needs correction

Technical boundaries

operator_review

Cycle status

92%

Completion

Tasks

Evidence records

Scope and cycle serviceRead-only GET

SAQ scope and cycle state

Loading eligibility recommendation, corpus package, active cycle, inherited-answer, and override state from /api/compliance/scope-cycle-state.

In progress

SAQ_A

Recommended SAQ

operator_review

Cycle state

Inherited answers

Stale inherited answers

94%

Scope/cycle request policy

scope_cycle_api: /api/compliance/scope-cycle-state
request_policy: trusted-session-no-query-no-body-no-viewer-cycle-or-corpus-authority
boundary: No browser cycle authority, corpus selection, standards text, evidence contents, document contents, endpoint value, live-data path, queue send, notification send, or fallback browser storage.
cycle_ref: cycle_lab_2026_readiness
corpus_package_ref: corpus-package://pci/saq-a/v2026-05-01
corpus_package_state: current

Current scope and cycle state
Area	State	Next signal

Inherited-answer and override review
Record	State	Action

Compliance reportingNeeds review

Compliance reporting and scope/cycle workspace

Review service-backed breadth, scope, cycle, SSF, ASV, TPSP, rebase, reports, and export metadata on the shared M-UI foundation.

Needs attention

SSF scope records

Corpus update checks

Report manifests

Export packages

Compliance workspace reason codes

reason_code_1: corpus_rebase_preview_required
reason_code_2: asv_scan_window_missing_metadata
reason_code_3: new_tpsp_requires_aoc_metadata
reason_code_4: ssf_guidance_text_blocked_until_extractor_validated
reason_code_5: report_stale_until_rebase_reviewed
reason_code_6: assessment_readiness_blocks_final_reporting
reason_code_7: scanner_verdict_pending
reason_code_8: restricted_cardholder_data_refused
reason_code_9: parent_evidence_visibility_requires_operator_review
reason_code_10: parent_evidence_visibility_degraded
reason_code_11: customized_approach_operator_review
reason_code_12: operator_review_required_before_assessor_review
reason_code_13: compensating_control_assessor_review
reason_code_14: assessor_review_pending
reason_code_15: scan_metadata_refused
reason_code_16: asv_window_missing
reason_code_17: tpsp_record_pending_review
reason_code_18: rebase_preview_required
reason_code_19: report_stale
reason_code_20: report_blocked
reason_code_21: export_blocked

Compliance reporting serviceRead-only GETs

Service-backed compliance reporting workspace

In progress

Loading SSF, customized approach, compensating control, ASV, TPSP, corpus rebase, and internal-record metadata from same-origin APIs. This is the working reporting state; supporting reporting tables below are secondary.

Read APIs

/api/compliance/ssf/status
/api/compliance/customized-approach
/api/compliance/compensating-controls
/api/compliance/asv/summary
/api/compliance/tpsp/records
/api/corpus/rebase-warnings
/api/compliance/internal-records

Action APIs

/api/audit/export-requests and /api/reports/operator are mounted below as CSRF-bound record-only actions.

Request policy

trusted-session-no-query-no-body-no-viewer-authority-reporting-workspace

Boundary

No browser tenant, entity, cycle, report, export, standards-text, evidence, document, endpoint, download, signed URL, queue, notification, or live-data authority; no request bodies on read paths and no browser storage fallback.

Current service-backed compliance reporting state
Area	State	Service seam

SSF applicability from compliance service
SSF ref	Gate	Restricted text	Reason codes

Customized approach metadata from compliance service
Approach	State	Objective	Evidence bundle

Compensating controls from compliance service
Control	State	Requirement	Evidence requests

ASV metadata from compliance service
Scan	Status	Window	Remediation findings

TPSP records from compliance service
Record	Coverage	Validity	AOC metadata

Corpus rebase warnings from compliance service
Warning	State	Fail closed	Affected refs

Internal compliance records from compliance service
Record	State	Retention anchor	Browser visible

Compliance breadthService metadata

Compliance breadth and reporting

Review SSF applicability, control approach records, ASV/TPSP coverage, rebase warnings, and server-owned output metadata without rendering restricted standards text.

Ready for review

SSF scope records

0/1

Customized controls accepted

0/1

Compensating controls accepted

1/2

ASV windows passed

TPSP records

1/2

Server export packages ready

30%

No browser tenant, compliance, report, export, download, signed URL, queue, notification, endpoint, account, PAN, PII, evidence-body, document-body, restricted-standards-text, or live-data authority.

Workspace policy

breadth_ref: compliance-breadth://cycle_lab_2026_readiness/submerchant-a/m9-reporting
api_shape_ref: service-shape://api/compliance-service/breadth-reporting/m9.9
authority: compliance-service
display_policy: record-only-no-standards-text
export_policy: server-owned-export-only
browser_export_state: not_allowed
tenant_id: pci_tnt_innovate_lab
partner_id: innovate
stage: lab

SSF scope2 record(s)

SSF applicability

SSF scope cards render software/product refs and gate states only. Guidance bodies remain blocked until extractor validation is approved.

Fail-closed — locked

Scope	Applicability	Inheritance	Corpus gate	Reasons
Software scope Accepted SSF refs `ssf_scope_ref` `ssf-scope://innovate/lab/platform-core/module-core` `software_product_ref` `software-product://innovate/platform-core` `entity_ref` `ent_innovate_platform_lab` `module_ref` `ssf-module://secure-software-standard/core`	Accepted Raw state `state` `in_scope`	Needs attention Raw state `state` `not_enabled`	Fail-closed — locked Restricted SSF guidance stays server-side. Corpus and gate refs `corpus_package_ref` `corpus-package://pci/ssf/v2026-05-01` `guidance_gate_state` `record_only_guidance_blocked` `response_workspace_ref` `assessment-workspace://cycle_lab_2026_readiness/ssf/platform-core`	SSF reason codes `reason_code_1` `ssf_guidance_text_blocked_until_extractor_validated`
Software scope Accepted SSF refs `ssf_scope_ref` `ssf-scope://innovate/lab/submerchant-a/not-applicable` `software_product_ref` `software-product://not-applicable/submerchant-a` `entity_ref` `ent_innovate_test_merchant_a` `module_ref` `ssf-module://not-applicable`	Accepted Raw state `state` `out_of_scope`	Accepted Raw state `state` `not_applicable`	Fail-closed — locked Restricted SSF guidance stays server-side. Corpus and gate refs `corpus_package_ref` `corpus-package://pci/ssf/v2026-05-01` `guidance_gate_state` `record_only_guidance_blocked` `response_workspace_ref` `not_applicable`	SSF reason codes `reason_code_1` `entity_not_flagged_software_vendor`

Customized approach1 control(s)

Customized approach controls

Objective, risk, validation, and evidence refs remain record only; the browser cannot approve control authority.

Ready for review

Control	State	Safe summary	Refs and reasons
Customized control Control refs `control_ref` `customized-control://cycle_lab_2026_readiness/script-integrity` `requirement_ref` `requirement-ref://dss/record-only/script-integrity` `objective_ref` `objective-ref://dss/record-only/script-integrity` `target_risk_ref` `risk-ref://script-integrity/unauthorized-code`	Ready for review Raw state `state` `operator_review`	Customized approach is displayed as objective, risk, validation, and evidence refs only; restricted standards text is not rendered.	Evidence refs `evidence_ref_1` `evidence-ref://cycle_lab_2026_readiness/monitoring-status-metadata` `evidence_ref_2` `audit-event://cycle_lab_2026_readiness/customized-control.review` Validation refs `validation_ref_1` `validation-ref://customized/script-integrity/pending` Customized approach reason codes `reason_code_1` `operator_review_required_before_assessor_review`

Compensating controls1 worksheet(s)

Compensating controls

Constraint, risk, validation, maintenance, and evidence refs are displayed behind technical details only.

Ready for review

Worksheet	State	Validation	Evidence and reasons
Compensating worksheet Worksheet refs `compensating_control_ref` `compensating-control://cycle_lab_2026_readiness/legacy-segmentation` `requirement_ref` `requirement-ref://dss/record-only/segmentation` `constraint_ref` `constraint-ref://legacy-network-zone/readiness` `identified_risk_ref` `risk-ref://legacy-network-zone/segmentation-gap`	Ready for review Raw state `state` `assessor_review`	Validation and maintenance refs `validation_ref` `validation-ref://compensating/segmentation/pending` `maintenance_ref` `maintenance-ref://compensating/segmentation/monthly` `expires_at` `Lab sample expiry: end of current cycle`	Evidence refs `evidence_ref_1` `evidence-ref://cycle_lab_2026_readiness/network-scan-refused-metadata` Compensating control reason codes `reason_code_1` `assessor_review_pending` `reason_code_2` `scan_metadata_refused`

ASV coverage2 window(s)

ASV scan windows

ASV windows show scan scheduling and external report record only. This app does not execute scans, upload reports, queue reminders, or contact vendors.

Missing

Window	State	Metadata	Reasons
Lab sample Q1 window ASV refs `asv_window_ref` `asv-window://cycle_lab_2026_readiness/q1` `entity_ref` `ent_innovate_test_merchant_a` `provider_ref` `asv-provider-ref://record-only/approved-scanner`	Accepted Raw state `state` `scan_passed`	Scan metadata refs `evidence_ref` `evidence-ref://cycle_lab_2026_readiness/asv-q1-metadata` `external_scan_report_ref` `external-report-ref://asv/cycle_lab_2026_readiness/q1` `scan_completed_at` `Lab sample timestamp: 2026-05-07T00:30Z` `finding_ref` `none`	ASV reason codes `reason_code_1` `asv_metadata_recorded`
Lab sample Q2 window ASV refs `asv_window_ref` `asv-window://cycle_lab_2026_readiness/q2` `entity_ref` `ent_innovate_test_merchant_a` `provider_ref` `asv-provider-ref://record-only/approved-scanner`	Ready for review Raw state `state` `missing` Add the scan date and ASV vendor for this quarter's external scan. Add scan details Technical details `reason_code` `asv_scan_window_missing_metadata`	Scan metadata refs `evidence_ref` `pending` `external_scan_report_ref` `pending` `scan_completed_at` `not_completed` `finding_ref` `finding-ref://cycle_lab_2026_readiness/asv-q2-missing`	ASV reason codes `reason_code_1` `asv_scan_window_missing_metadata`

TPSP records2 provider record(s)

TPSP records

Provider AOC and confirmation artifacts are metadata refs only; responsibility matrices remain external evidence metadata for this slice.

Ready for review

Provider	Validity	Coverage	Reasons
Innovate Platform TPSP TPSP refs `tpsp_record_ref` `tpsp-record://innovate/path-1/payment-facilitator` `service_scope_ref` `service-scope-ref://tpsp/path-1/hosted-fields`	Accepted Raw state `state` `current`	Lab sample coverage: current annual period AOC and evidence refs `aoc_metadata_ref` `aoc-ref://innovate/path-1/record-only` `confirmation_artifact_ref` `confirmation-artifact-ref://tpsp/path-1/script-protection` `evidence_ref` `evidence-ref://cycle_lab_2026_readiness/tpsp-aoc-metadata` `responsibility_matrix_policy` `external-evidence-record-only`	TPSP reason codes `reason_code_1` `tpsp_aoc_metadata_current`
Pending gateway metadata TPSP refs `tpsp_record_ref` `tpsp-record://innovate/new-gateway/pending` `service_scope_ref` `service-scope-ref://tpsp/new-gateway/pending`	Ready for review Raw state `state` `pending_review`	Lab sample coverage pending AOC and evidence refs `aoc_metadata_ref` `pending` `confirmation_artifact_ref` `pending` `evidence_ref` `pending` `responsibility_matrix_policy` `external-evidence-record-only`	TPSP reason codes `reason_code_1` `new_tpsp_requires_aoc_metadata`

Corpus rebase1 warning(s)

Rebase warnings

Corpus update warnings show package refs, affected counts, and service review state only. Reports remain service-owned until review completes.

Ready for review

Update guidance	State	Affected refs	Safe message
Corpus update A newer PCI rule set is available. Preview the changes before updating this cycle. Preview changes Technical details `reason_code` `corpus_update_available` Rebase refs `rebase_warning_ref` `rebase-warning://cycle_lab_2026_readiness/corpus-v2026-05-01` `source_package_ref` `corpus-package://pci/saq-a/v2026-05-01` `target_package_ref` `corpus-package://pci/saq-a/v2026-06-preview`	Ready for review Raw state `state` `preview_required`	3 affected ref(s) Affected requirement refs `requirement_ref_1` `requirement-ref://saq-a/record-only/script-integrity` `requirement_ref_2` `requirement-ref://saq-a/record-only/tpsp-aoc` `requirement_ref_3` `requirement-ref://saq-a/record-only/asv`	Corpus rebase preview requires operator review before reports are regenerated; only refs and counts render. Rebase reason codes `reason_code_1` `corpus_rebase_preview_required`

Reports and exportsServer-owned output

Reports and exports

Report and export rows are API-shaped metadata. Generation, signing, delivery, retention anchoring, downloads, and notifications remain server-owned.

Ready for review

Reporting actionsExisting CSRF seam

Server-owned reporting action controls

Ready for reviewserver-owned-reporting

Operators can queue record-only audit exports and operator reports through the same-origin API. The browser never receives document bodies, standards text, evidence contents, download URLs, signed URLs, tenant authority, cycle authority, or live compliance data.

Audit export API: /api/audit/export-requests
Operator report API: /api/reports/operator
CSRF cookie: __Host-pt_pci_csrf double-submit session check for unsafe methods.

Last reporting API result

Waiting for operator action.

Report manifests2 server record(s)

Reports

Report manifests expose source counts, hashes, status, and policy only. Report bodies and restricted standards text stay server-side.

Ready for review

Report	State	Sources	Reasons
Report manifest Report manifest details `report_ref` `compliance-report://cycle_lab_2026_readiness/operator-status` `report_type` `operator_status` `manifest_sha256` `sha256:bcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbc` `display_policy` `record-only-no-standards-text` `generated_at` `Lab sample timestamp: 2026-05-07T01:10Z`	Ready for review Raw state `state` `stale`	Report source refs `source_ref_1` `assessment-workspace://cycle_lab_2026_readiness/submerchant-a` `source_ref_2` `evidence-library://cycle_lab_2026_readiness/submerchant-a` `source_ref_3` `audit-timeline://cycle_lab_2026_readiness/compliance`	Report reason codes `reason_code_1` `corpus_rebase_preview_required`
Report manifest Report manifest details `report_ref` `compliance-report://cycle_lab_2026_readiness/ssf-readiness` `report_type` `ssf_readiness` `manifest_sha256` `sha256:bcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbc` `display_policy` `record-only-no-standards-text` `generated_at` `not_generated`	Blocked — action needed Raw state `state` `blocked`	Report source refs `source_ref_1` `ssf-scope://innovate/lab/platform-core/module-core` `source_ref_2` `corpus-package://pci/ssf/v2026-05-01`	Report reason codes `reason_code_1` `ssf_guidance_text_blocked_until_extractor_validated`

Export packages2 package(s)

Exports

Exports are server-owned package record only. The browser cannot generate, sign, send, download, authorize, or store export packages.

Ready for review

Export	State	Package readiness	Reasons
Export package Export package details `export_ref` `report-export://cycle_lab_2026_readiness/operator-status/bundle` `export_type` `report_bundle` `manifest_sha256` `sha256:dededededededededededededededededededededededededededededededede` `package_sha256` `pending` `retention_anchor_ref` `pending` `export_policy` `server-owned-export-only` `generated_at` `not_generated`	Blocked — action needed Raw state `state` `blocked`	Package hash pending Blocked — action needed Retention anchor pending Blocked — action needed	Export reason codes `reason_code_1` `report_stale_until_rebase_reviewed`
Export package Export package details `export_ref` `report-export://cycle_lab_2026_readiness/evidence-index/current` `export_type` `evidence_index` `manifest_sha256` `sha256:fafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafa` `package_sha256` `sha256:fafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafa` `retention_anchor_ref` `anchor-manifest://cycle_lab_2026_readiness/evidence-index` `export_policy` `server-owned-export-only` `generated_at` `Lab sample timestamp: 2026-05-07T01:15Z`	Accepted Raw state `state` `ready`	Package hash recorded Accepted Retention anchor recorded Accepted	Export reason codes `reason_code_1` `server_export_package_ready`

Detailed scope and cycle workspaces

Eligibility scope

Eligibility wizard

Eligibility, recommendation, and provisional SAQ assignment remain derived from trusted service state.

Ready for reviewneeds_review

Business profileAcceptedcomplete
Step refs
step_ref
business_profile
step_state
complete
Payment flowAcceptedcomplete
Step refs
step_ref
payment_flow
step_state
complete
Monitoring readinessIn progresscurrent
Step refs
step_ref
monitoring_readiness
step_state
current
Operator reviewBlocked — action neededblocked
Step refs
step_ref
operator_review
step_state
blocked

Recommendation

Recommended package

Ready for reviewneeds_review

Package: SAQ_A
Rationale: Path 1 inherited Monitoring readiness is provisional until operator review confirms the child scope.

Recommendation refs

run_ref: eligibility-run://innovate/lab/run-2026-05-06
entity_ref: ent_innovate_test_merchant_a
driver_question_ref: eligibility-question://payment-flow/tpsp-iframe
driver_question_ref: eligibility-question://monitoring/path-1-inheritance

Provisional assignment

SAQ assignment

Ready for reviewprovisional

Assignment state: Ready for reviewprovisional
Operator review: Needs attentionpending
Override reason: not_applicable

Assignment refs

assignment_ref: saq-assignment://innovate/lab/submerchant-a/provisional
override_reason_ref: not_applicable

Eligibility actions

Run SAQ scope and assignment

server-derived-scope

Operators can run the eligibility wizard, create a provisional assignment, and record operator review. The server derives corpus package, tenant, entity, cycle, workflow task, and audit refs.

Wizard API: /api/eligibility/wizard/run
Assignment API: /api/eligibility/provisional-assignment
Review API: /api/eligibility/operator-review
CSRF cookie: __Host-pt_pci_csrf double-submit session check for unsafe methods.

Last eligibility API result

Waiting for operator action.

Cycle workspace

Cycle working slice

Scope, corpus, inheritance, and evidence-required metadata refs only; no evidence contents render.

Ready for reviewoperator_review

Inherited answers

Stale inherited answer(s)

Override(s)

Child re-attestation required

Cycle status: Ready for reviewoperator_review
Corpus package status: In progresscurrent
Badges: AcceptedinheritedBlocked — action neededstaleCorrection requiredoverrideNeeds attentionevidence_required

Cycle refs

cycle_ref: cycle_lab_2026_readiness
corpus_package_ref: corpus-package://pci/saq-a/v2026-05-01

Evidence-required metadata
Status and refs	Requirement summary
Missingrequired Evidence refs `evidence_ref` `evidence-required://cycle_lab_2026_readiness/aoc-ref` `requirement_ref` `requirement-ref://saq-a/record-only/aoc`	aoc
Acceptedreceived_recorded Evidence refs `evidence_ref` `evidence-required://cycle_lab_2026_readiness/monitoring-status` `requirement_ref` `requirement-ref://saq-a/record-only/monitoring`	monitoring

Supporting API and cycle metadata

Compliance collection serviceRead-only load

Service-backed compliance collection workspace

Loading question-group, evidence-request, workflow-task, and classification metadata from /api/compliance/collection-state. This is the working compliance collection state for the Command Center.

In progress

Compliance collection request policy

collection_api: /api/compliance/collection-state
request_policy: trusted-session-no-query-no-body-no-viewer-authority-compliance-workflow
boundary: No browser tenant, entity, cycle, evidence, workflow, write, service-context, endpoint, or account authority; no request body, query string, evidence content, document content, export body, live-data path, or browser storage fallback.

Question groups from compliance service
Group	State	Progress

Workflow tasks from compliance service
Task	State	Owner

Cycle metadataTrusted session

Compliance cycle data

Trusted-session cycle metadata supporting the Command Center workflow.

Ready for review

Cycle	Status	Owner role	Due
2026 lab readiness cycle Cycle refs `cycle_ref` `cycle_lab_2026_readiness` `entity_ref` `ent_innovate_platform_lab`	In progress Cycle state `status` `in_progress`	pci_operator	Lab sample due date: 2026-05-31
2026 operator review cycle Cycle refs `cycle_ref` `cycle_lab_2026_review` `entity_ref` `ent_innovate_platform_lab`	Ready for review Cycle state `status` `review_ready`	pci_operator	Lab sample review window

Trusted tenant context

Server-derived navigation and actions

Step-up reauthentication handoff

Module status

PCI Compliance Command Center

Confirm scope

Run the compliance cycle

Business profile & SAQ scope

Questionnaire & policy review

Evidence collection

AOC package & acceptance

Control workbench

Work queue

Evidence checklist

Review package

Final review

What reviewers need to decide

Update the selected work item

Recent application activity

SAQ scope and cycle state

Compliance reporting and scope/cycle workspace

Service-backed compliance reporting workspace

Compliance breadth and reporting

SSF applicability

Customized approach controls

Compensating controls

ASV scan windows

TPSP records

Rebase warnings

Reports and exports

Server-owned reporting action controls

Reporting queue action

Reports

Exports

Eligibility wizard

Recommended package

SAQ assignment

Run SAQ scope and assignment

Scope action

Cycle working slice

Service-backed compliance collection workspace

Compliance cycle data