Overview
If your organization processes, stores, or transmits payment card data, PCI DSS compliance is not optional. Version 4.0, released in March 2022 with a transition deadline of March 2025 for most requirements, represents the biggest update in over a decade. This checklist walks through all 12 requirements with practical implementation guidance, helping you understand what is expected and where organizations most commonly fall short.
The 12 PCI DSS Requirements
- Install and maintain network security controls
- Apply secure configurations to all system components
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
- Support information security with organizational policies and programs
Key Changes in PCI DSS v4.0
| Area | What changed | Impact |
|---|---|---|
| Customized approach | Organizations can design their own controls if they meet the security objective | More flexibility but requires deeper documentation and validation |
| Authentication | MFA required for all access to the CDE, not just remote | Broader MFA deployment across the organization |
| Encryption | Disk-level encryption no longer acceptable as sole control for stored data | May require re-architecting data-at-rest protection |
| Targeted risk analysis | Documented risk analysis required for flexible requirements | Organizations must justify their control frequency and scope |
| Script management | Payment page scripts must be inventoried and authorized | Addresses supply-chain attacks like Magecart |
| Vulnerability management | Internal vulnerability scans must achieve a passing score | Remediation SLAs must be formalized |
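To make the script-management row concrete, here is an added example (not part of the original checklist and not Hunto AI's code) of the kind of check that backs an inventory-and-authorization control for payment pages: it lists every script element on a stored copy of a checkout page and compares each one against an allowlist of authorized script URLs and their expected hashes. The URLs, script bodies and the page snapshot are constructed fixtures; in practice the fetched bodies come from the live page and the allowlist from the change-control record.

```python
"""Payment-page script inventory check (added example; all URLs and bodies are constructed)."""
import base64
import hashlib
from html.parser import HTMLParser

# Constructed fixture: the script bodies the merchant reviewed and approved.
AUTHORIZED_SCRIPT_BODIES = {
    "https://pay.example.test/checkout.js": "function pay() { /* constructed approved body */ }",
    "https://cdn.example.test/analytics.js": "window.track = function () {};",
}


def sri_hash(body: str) -> str:
    """Subresource Integrity style value ('sha256-<base64>') for a script body."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


# The authorized inventory: script URL -> expected integrity value.
AUTHORIZED = {src: sri_hash(body) for src, body in AUTHORIZED_SCRIPT_BODIES.items()}


class ScriptInventory(HTMLParser):
    """Collects every <script> element on a page, external or inline."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def inventory_scripts(html: str):
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.scripts


def check_page(html: str, fetched_bodies: dict, authorized: dict):
    """Compare the page's script inventory against the authorized list.

    Returns (identifier, status) pairs; anything other than 'ok' is a finding
    to raise with whoever owns the payment page.
    """
    findings = []
    for script in inventory_scripts(html):
        src = script["src"]
        if src is None:
            # Inline scripts cannot be pinned by URL; treat them as unauthorized until reviewed.
            findings.append(("inline", "unauthorized"))
        elif src not in authorized:
            findings.append((src, "unauthorized"))
        elif src not in fetched_bodies:
            findings.append((src, "unavailable"))
        elif sri_hash(fetched_bodies[src]) != authorized[src]:
            findings.append((src, "tampered"))  # served content differs from the approved body
        elif script["integrity"] != authorized[src]:
            findings.append((src, "missing-integrity"))  # browser would not enforce the hash
        else:
            findings.append((src, "ok"))
    return findings


def page_passes(findings) -> bool:
    return all(status == "ok" for _, status in findings)


# Constructed snapshot of a checkout page as served today.
CHECKOUT_SRI = AUTHORIZED["https://pay.example.test/checkout.js"]
SAMPLE_PAGE = f"""<html><body>
<script src="https://pay.example.test/checkout.js" integrity="{CHECKOUT_SRI}" crossorigin="anonymous"></script>
<script src="https://cdn.example.test/analytics.js"></script>
<script src="https://static.example.test/widget.js"></script>
<script>document.title = "Checkout";</script>
</body></html>"""

# Constructed bodies "fetched" from those URLs: analytics.js no longer matches what was approved.
FETCHED_BODIES = {
    "https://pay.example.test/checkout.js": AUTHORIZED_SCRIPT_BODIES["https://pay.example.test/checkout.js"],
    "https://cdn.example.test/analytics.js": "window.track = function () {}; /* unexpected change */",
    "https://static.example.test/widget.js": "console.log('third-party widget');",
}

if __name__ == "__main__":
    for ident, status in check_page(SAMPLE_PAGE, FETCHED_BODIES, AUTHORIZED):
        print(f"{status:18} {ident}")
```

Running it against the constructed snapshot reports one script as ok, the analytics script as tampered, the widget as unauthorized and the inline script as unauthorized. Pinning the expected hash both in the allowlist and in the page's `integrity` attribute is deliberate: the allowlist catches changes on the server side, the attribute makes the browser refuse a changed script even when the check has not run yet.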
Scoping Your Cardholder Data Environment
Accurate scoping is the single most important step in PCI DSS compliance. Your CDE includes every system that stores, processes, or transmits cardholder data, plus any system connected to or providing security services to those systems. Reducing scope reduces cost and complexity. Strategies include network segmentation, tokenization, point-to-point encryption, and outsourcing payment processing to PCI-compliant service providers. Validate your scope annually and any time there is a significant change to payment architecture.
Common Compliance Gaps
- Flat network architecture without segmentation between the CDE and corporate network
- Default credentials on point-of-sale terminals and payment devices
- Incomplete logging that does not capture all access to cardholder data systems
- Antivirus or anti-malware not deployed on all applicable systems
- Access reviews not performed regularly for CDE accounts
- Penetration testing that does not include segmentation validation
- Missing or outdated data flow diagrams and network diagrams
Assessment and Validation
Your validation method depends on your merchant level. Level 1 merchants (over 6 million transactions per year) require an annual on-site assessment by a Qualified Security Assessor (QSA). Level 2 through 4 merchants can self-assess using the appropriate Self-Assessment Questionnaire (SAQ). Regardless of level, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are required. Internal vulnerability scans and penetration tests must be performed at least annually and after significant changes.
Frequently Asked Questions
When is PCI DSS v4.0 mandatory?
The v4.0 standard became effective March 2024 for all new assessments. Requirements identified as "future-dated" have a deadline of March 31, 2025. After that date, all v4.0 requirements including future-dated ones must be fully met.
What is the customized approach in PCI DSS v4.0?
The customized approach allows organizations to design alternative controls that meet the PCI DSS security objective without following the prescriptive defined approach. It requires a targeted risk analysis and additional documentation to demonstrate the control meets the intent.
How do we reduce PCI DSS scope?
Use network segmentation to isolate the CDE, implement tokenization to replace cardholder data with non-sensitive tokens, adopt point-to-point encryption (P2PE) for payment terminals, and outsource payment processing to PCI-compliant providers. Each strategy reduces the number of systems in scope.
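The tokenization strategy named in the scoping section and in this answer comes down to one design rule: only the vault ever sees a PAN, and every other system works with a token and a masked display value. The following is an added example (not from the original checklist and not Hunto AI's code) of a minimal token vault in Python that models that rule. The role names, the in-memory storage and the card numbers are constructed; the sample PAN is a well-known non-issued test number, and a real vault would protect the PAN at rest with strong cryptography rather than a plain dictionary.

```python
"""Minimal tokenization model (added example; roles and storage are constructed)."""
import re
import secrets


def normalize_pan(pan: str) -> str:
    """Strip the spaces and dashes people type; the vault works on digits only."""
    return re.sub(r"[\s-]", "", pan)


def luhn_valid(pan: str) -> bool:
    """Reject malformed input before it is ever stored."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, everything else masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """The one component that holds PANs; it stays inside the CDE."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = normalize_pan(pan)
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # Same card -> same token, so repeat customers can still be matched without the PAN.
        if pan in self._by_pan:
            return self._by_pan[pan]
        token = "tok_" + secrets.token_hex(16)  # random, carries no information about the PAN
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Constructed role check: only the payment path inside the CDE may recover a PAN.
        if caller_role != "payment-gateway":
            raise PermissionError("only the payment gateway may detokenize")
        return self._by_token[token]


def record_order(vault: TokenVault, pan: str, amount: float) -> dict:
    """What an order system outside the CDE stores: token and masked value, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "display": mask_pan(normalize_pan(pan)), "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    print(record_order(vault, "4111 1111 1111 1111", 12.50))
```

Because the order record contains no PAN, the systems that store, search or report on orders handle no cardholder data and can be argued out of scope; the vault, the payment gateway that calls `detokenize`, and anything connected to them remain in scope and still need the full set of controls.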
Do cloud environments need PCI DSS compliance?
If cardholder data is processed or stored in the cloud, then yes. The cloud service provider's infrastructure is in scope, and you need to understand the shared responsibility model. Request the provider's Attestation of Compliance (AOC) and ensure your controls cover your side of the responsibility.
What are the consequences of PCI DSS non-compliance?
Non-compliance can result in fines from card brands ranging from $5,000 to $100,000 per month, increased transaction fees, loss of the ability to process card payments, and liability for fraud losses. A breach involving cardholder data significantly increases these financial and reputational consequences.
Ready to use this resource?
Download it now or schedule a demo to see how Hunto AI can automate your security workflows.
