PCI DSS 4.0

PCI DSS 4.0 Tabletop Exercises for Incident Response Plan Testing

PCI DSS 4.0 requires you to test your incident response plan at least annually and document the results. Breachday runs the exercise and generates the documented test results in one session: a timeline, role-based participation, and assessor-ready evidence for Requirement 12.10.

The compliance challenge

PCI DSS 4.0 Requirement 12.10 explicitly requires organizations to establish an incident response plan, test it at least annually, and document the test results. Assessors look for evidence that the plan was actually exercised, beyond the fact that it exists on paper.

Many teams satisfy 12.10.2 with a facilitated discussion and a Word document summary written afterward. That approach works until the assessor asks who participated, what decisions were made at each stage, and whether the scenario covered the incident types your plan addresses.

Breachday validates your IR plan through simulated incidents with structured evidence: participant roster, inject-by-inject timeline, vote tallies, and an auto-generated after-action report that serves as your documented test results for 12.10.2.

What teams struggle with today

  • Annual tabletop exercises documented in slide decks with no per-decision audit trail
  • Assessors requesting test results and receiving facilitator notes instead of structured evidence
  • IR plan testing that does not include all required roles (IC, Legal, Comms, Engineering)
  • Scenarios that do not exercise the incident types your IR plan must cover under Requirement 12.10.1
  • Separate documentation projects to compile exercise results after the session ends

Requirement 12.10

How Breachday maps to PCI DSS 4.0

Specific control requirements and how each Breachday exercise produces evidence your assessor can review.

ControlRequirementHow Breachday satisfies it
Req 12.10.1IR plan exists and covers required elementsRequirement 12.10.1 sets out the elements your IR plan must contain. The scenario library covers BEC, ransomware, cloud outage, IdP compromise, and insider threat, so you can exercise the plan against the incident types relevant to your cardholder data environment, with custom scenarios for CDE-specific elements.
Req 12.10.2Annual testing with documented resultsAuto-generated after-action reports serve as the documented test results. Each report includes exercise date, duration, participants, scenario, timeline, and outcomes — the structured evidence assessors expect for annual IR testing.
Req 12.10.4Personnel trained on IR responsibilitiesRole-based participation demonstrates that personnel understand their IR responsibilities. Incident Commander, Legal, Comms, and Engineering seats capture attributed responses showing who did what during the exercise.
Req 12.10.5Plan addresses security monitoring alertsRequirement 12.10.5 expects your IR plan to include monitoring and responding to alerts from security monitoring systems such as IDS/IPS, network security controls, and change-detection mechanisms. Scenarios can begin from exactly these alerts, exercising how your team triages and escalates a monitoring-system signal.

See which plan covers PCI DSS 4.0 reporting· Learn about building scenarios

The audit packet

What your auditor receives

Every completed exercise generates a structured after-action report, produced as you run the session rather than written up after the fact.

  • Branded PDF after-action report with your organization logo
  • Inject-by-inject timeline with timestamps for every situation update, decision, and escalation
  • Vote tallies and freeform responses attributed by role seat
  • Findings grouped by severity with facilitator observations on each inject
  • SHA256 hash on exported reports for integrity verification
  • Participant roster with display names, role seats, and join/leave timestamps
  • Linked IT assets and BIA processes showing what was exercised
  • Lessons learned with owners, status, and due dates
  • Structured JSON export for GRC tools and audit repositories

04 — Workflow

How it works

A streamlined sequence from preparation to after-action report.

01

Design the scenario

Define the narrative, injects, and roles. Use our templates or build from scratch.

02

Start the exercise

Launch the room with one click and activate your scenario timeline for participants.

03

Join the room

Participants join from any device using a short room code, then pick their role seat.

04

Run your scenario

Deliver injects, capture votes and responses, and guide decisions in real time.

05

Review the report

Generate an after-action report with timeline events, decisions, and improvement takeaways.

Frequently asked questions

PCI DSS 4.0-specific questions from compliance and security teams.

Does Breachday satisfy PCI DSS 4.0 Requirement 12.10.2?

Breachday is designed for the annual IR plan testing requirement. The after-action report documents that the plan was exercised, who participated, what decisions were made, and what gaps were identified — the evidence assessors request under 12.10.1 and 12.10.2.

What incident types should our PCI DSS tabletop cover?

Your IR plan should address the incident types relevant to your cardholder data environment — the plan elements set out in Requirement 12.10.1. Breachday includes scenarios for BEC, ransomware, cloud outages, IdP compromise, and insider threat. You can also build custom scenarios targeting your specific CDE architecture.

Can QSAs accept a Breachday PDF as test documentation?

Customers use Breachday reports as structured test results for 12.10.2. The report includes timestamps, participants, decisions, and findings — more detail than most manual summaries. Your QSA determines final acceptability; we designed the export format for assessor review.

How do we demonstrate personnel training under 12.10.4?

Each exercise report includes a participant roster with role seats. Running exercises with your actual IR team, rather than only the security group, demonstrates that personnel across functions understand their responsibilities during a cardholder data incident.

Which Breachday plan is appropriate for PCI DSS programs?

Starter supports annual IR testing with PDF export at exercise time. Plus and Pro add saved reports, branded PDFs, and BIA-linked scenarios for business continuity elements. Pro supports up to 10 facilitator seats and 60 participants per exercise. See our pricing page for tier details.

Can we run PCI and SOC 2 testing in a single exercise?

Yes. One Breachday exercise produces evidence mappable to PCI DSS 12.10.x and SOC 2 CC7.x. Many merchants and service providers provide the same after-action report to both their QSA and SOC 2 auditor.

Ready to run your first PCI DSS tabletop?

Run your annual Requirement 12.10 test and export documented results the same day. Book a demo to see how a Breachday after-action report maps to your QSA's 12.10 testing procedures.

Breachday is not a substitute for legal or audit advice. Control mappings are guidance for compliance teams; your auditor has the final say.