The Payment Card Industry Data Security Standard (PCI DSS) is the global security standard for all organisations that store, process or transmit cardholder data. Version 4.0.1 is now the current mandatory standard.
PCI DSS was created by the PCI Security Standards Council, a body founded by American Express, Discover, JCB, Mastercard and Visa. It applies to any organisation (merchant, service provider or processor) that handles payment card data.
The standard defines 12 requirements organised around 6 goals: build and maintain a secure network, protect cardholder data, maintain a vulnerability management programme, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
Version 4.0.1, released in 2024, is the current mandatory standard. It introduced a customised approach allowing organisations to demonstrate security objectives through alternative controls, and strengthened requirements around authentication, encryption and third-party management.
Every organisation in scope must demonstrate compliance with all 12 requirements. Our engine maps all 300+ sub-controls automatically.
Firewalls and other network security controls to protect the cardholder data environment (CDE) from untrusted networks.
Secure configuration standards for all system components. No vendor default passwords or unnecessary services.
Minimise storage of cardholder data. Protect stored PAN and sensitive authentication data (SAD) with encryption.
Strong cryptography for all cardholder data transmitted over open, public networks. TLS 1.2+ mandatory.
Deploy and maintain anti-malware solutions on all systems susceptible to malware. Automated scanning and log retention.
Security patches, vulnerability management, secure development lifecycle (SDL) and web application firewall (WAF) for public-facing applications.
Least-privilege access controls. Only authorised individuals can access cardholder data and system components on a need-to-know basis.
Unique IDs for all users. Multi-factor authentication (MFA) mandatory for all access to the CDE, especially remote access.
Physical security controls for all systems containing cardholder data. Entry logs, badge access, camera systems, visitor management.
Audit logs for all access to system components and cardholder data. Logs must be retained for a minimum of 12 months, with at least 3 months immediately available.
Internal and external vulnerability scanning (quarterly), penetration testing (annual), intrusion detection and file integrity monitoring.
Comprehensive information security policy covering all personnel. Annual risk assessments, security awareness training, and third-party management programme.
Non-compliance fines are charged by acquiring banks, not by a regulator, but the financial and reputational damage is very real.
Acquiring banks charge merchants monthly non-compliance fees ranging from $5,000 to $100,000 depending on merchant level, transaction volume, and severity of non-compliance gaps. These escalate the longer non-compliance persists.
A cardholder data breach triggers PCI Forensic Investigator (PFI) investigation costs ($10K to $100K), card replacement fees charged back to the merchant ($3 to $5 per card), regulatory fines from card brands, legal liability, and potential permanent loss of card acceptance rights.
Visa and Mastercard levy additional assessments directly on acquirers following a data breach, which are then passed on to the responsible merchant. These can exceed $1 million for significant breaches affecting large volumes of cards.
Loss of Card Acceptance Rights
Beyond financial fines, the most severe consequence of persistent non-compliance or a major data breach is permanent revocation of the right to accept card payments. For most businesses, this is effectively a terminal event.
Version 4.0.1 was released in June 2024 as a minor revision to v4.0, correcting errors and clarifying requirements. All organisations must now comply with v4.0.1.
MFA is now mandatory for all access to the CDE, not just remote access. Phishing-resistant MFA is strongly encouraged. Password complexity and rotation requirements have been updated.
New option allowing organisations to demonstrate that they meet the security objective of each requirement through alternative controls, providing greater flexibility for mature security programmes.
Strengthened requirements around third-party service provider management. Formal agreements, annual compliance confirmation, and monitoring of third-party PCI DSS status now required.
New requirements for managing web application security: a WAF or automated technical solution is now required for all public-facing web applications. API security is explicitly addressed.
Many requirements that were previously prescriptive now allow a targeted risk analysis approach, letting organisations define frequency and method based on their specific risk environment.
Expanded requirements for automated detection of suspicious activity, log review tools, and detection of failures in security controls. IDS/IPS and network monitoring strengthened.
The type of PCI DSS assessment depends on your merchant level and how you handle card data.
For e-commerce merchants that have outsourced all cardholder data functions. This is the simplest assessment; it applies where you use a fully outsourced payment page and store no card data.
Merchants using only imprint machines or standalone, dial-out terminals. No electronic storage of cardholder data. Common for small retail businesses.
Merchants with payment application systems connected to the internet. No electronic storage of cardholder data beyond transaction authorisation.
The most comprehensive SAQ; it applies to all service providers and merchants that do not qualify for simpler SAQ types. Covers all 12 requirements in full.
Level 1 Merchants: ROC Required
Merchants processing over 6 million card transactions per year (or any merchant that has suffered a data breach) must complete a full Report on Compliance (ROC) assessed by a Qualified Security Assessor (QSA). The Cognisec PCI DSS Engine generates ROC-aligned evidence packs.
Start your free 30-day trial. All 12 requirements. All 3 panels. No complexity.