Complium - AI-Native PCI DSS Compliance Platform
by EIC
QSA-built SaaS helps you achieve and maintain PCI DSS compliance end-to-end, from scope to ROC/AOC
Complium: QSA-Engineered SaaS for PCI DSS v4.0.1
Complium is an end-to-end SaaS platform for achieving and maintaining PCI DSS v4.0.1 compliance. Built by EIC Limited—a Qualified Security Assessor (QSA) company—the platform mirrors an assessor's exact workflow. Evidence is structured per requirement for Report on Compliance (ROC) work, guiding you from scoping to the final deliverables. The entire workflow is strictly human-gated: AI operates as a tool to organize data, not as an assessor. EIC's embedded QSA independently reviews all evidence to determine final compliance, validate the ROC, and sign the Attestation of Compliance (AOC).
One Firm, Platform, and Validation: Most tools provide software only, forcing you to separately engage an assessment firm. Complium is exclusively delivered by EIC Limited. Because the SaaS platform and the assessment come from the same firm, EIC's QSA is embedded in the workflow. Your evidence is automatically structured for the exact process they use to validate your environment. EIC confirms QSA qualification for your region prior to onboarding.
Azure-Connected Evidence Automation (Read-Only):
Microsoft Entra ID: Access-control and authentication evidence (Req 7, 8).
Azure Activity Logs: Audit-logging evidence (Req 10).
Microsoft Defender for Cloud: Configuration posture across network, secure-configuration, data-protection, and vulnerability families (Req 1–4, 6, 11). (Note: Cloud evidence covers a subset of testable controls; the rest is assessed via the platform by EIC's embedded QSA).
Six AI Capabilities (All Human-Reviewed): Powered by Azure OpenAI through a configurable provider layer:
Evidence Analysis: Extract and classify documents.
Compliance Copilot: Retrieval-augmented Q&A on PCI DSS v4.0.1.
Requirement-Status Suggestions: Proposed status with reasoning.
ROC Finding Narratives: Draft justifications for review.
Cloud Control Mapping: Map Defender findings to requirements.
Remediation Guidance: Plain-language steps for gaps.
Every AI output is a draft. No status is recorded or report produced until EIC's embedded QSA explicitly reviews and accepts it, in strict alignment with PCI SSC AI guidelines.
Data Isolation & Graph API Scopes: Complium requests zero write permissions, protects data with strict row-level security, and connects via Admin-Consent OAuth2, Azure Lighthouse, or Service Principal using these read-only scopes:
— Account-status inventory (Req 8)
— Directory configuration (Req 8)
— Sign-in and directory audit logs (Req 10, 7)
— Authentication and MFA policy (Req 8)
— Directory role assignments (Req 7)
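The read-only claim above is one a buyer can verify rather than take on trust: before granting admin consent, export the permissions the app registration or service principal asks for and confirm none of them carries a write verb. The following script is an added example, not Complium's own code and not a statement of which scopes it requests; the permission names in it are real Microsoft Graph names used as constructed sample input, and the treatment of OpenID Connect scopes as harmless is an assumption of the example.

```python
"""Check that a set of granted Microsoft Graph permissions is read-only.

Added example for this listing, not Complium's own code. Input is the list of
permission names granted to an app registration or service principal (for
instance, exported from the Entra ID "API permissions" blade). The sample
values below are constructed; they use real Graph permission names purely to
illustrate the classifier and say nothing about which scopes Complium requests.
"""
from dataclasses import dataclass

# Graph permission names take the form Resource.Access[.Qualifier], e.g.
# "AuditLog.Read.All" or "Directory.ReadWrite.All". Only these access verbs
# are read-only; anything else (ReadWrite, Write, Send, Create, AccessAsUser,
# ...) can change tenant state and is treated as write access.
READ_ONLY_VERBS = {"Read", "ReadBasic"}

# OpenID Connect scopes that carry no Graph write capability (assumption made
# by this example: they are acceptable on a read-only app registration).
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def is_read_only(permission: str) -> bool:
    """Return True if a single Graph permission name grants read access only."""
    if permission in OIDC_SCOPES:
        return True
    parts = permission.split(".")
    # Fail closed: a name we cannot parse is not assumed to be harmless.
    if len(parts) < 2:
        return False
    return parts[1] in READ_ONLY_VERBS


@dataclass
class AuditResult:
    read_only: list[str]
    write: list[str]

    @property
    def passed(self) -> bool:
        """The grant is acceptable only if no write-capable permission is present."""
        return not self.write


def audit_permissions(granted: list[str]) -> AuditResult:
    """Partition granted permissions and report whether the set is read-only."""
    read_only = sorted(p for p in granted if is_read_only(p))
    write = sorted(p for p in granted if not is_read_only(p))
    return AuditResult(read_only=read_only, write=write)


# Constructed sample: a grant consistent with read-only evidence collection
# (identity inventory, directory configuration, audit logs, auth policy, roles).
SAMPLE_READ_ONLY_GRANT = [
    "User.Read.All",
    "Directory.Read.All",
    "AuditLog.Read.All",
    "Policy.Read.All",
    "RoleManagement.Read.Directory",
]

# Constructed sample: the same grant with two write-capable permissions added,
# which a reviewer should reject before granting admin consent.
SAMPLE_OVERPRIVILEGED_GRANT = SAMPLE_READ_ONLY_GRANT + [
    "Directory.ReadWrite.All",
    "Mail.Send",
]

if __name__ == "__main__":
    for label, grant in (("read-only", SAMPLE_READ_ONLY_GRANT),
                         ("over-privileged", SAMPLE_OVERPRIVILEGED_GRANT)):
        result = audit_permissions(grant)
        status = "PASS" if result.passed else "FAIL"
        print(f"{label}: {status}; write permissions: {result.write}")
```

The classifier deliberately fails closed: a permission name it cannot parse is reported as write access and must be reviewed by hand, which is the right default for an integration that is supposed to hold zero write permissions.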
Published by EIC Limited, a Qualified Security Assessor (QSA) company.