Payment Card Industry Data Security Standard

PCI DSS compliance guide

The Payment Card Industry Data Security Standard (PCI DSS) protects cardholder data across merchants, service providers and payment processors. Whether you're Level 1 or Level 4, we help you implement all 12 requirements with clear evidence and audit readiness.

Start compliance assessmentBook implementation call

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. It's managed by the PCI Security Standards Council, founded by major card brands (Visa, Mastercard, American Express, Discover, JCB).

Why this matters now: PCI DSS v4.0 became mandatory March 31, 2024. The updated standard introduces customized implementation approaches, expanded MFA requirements and e-commerce protections against payment page skimming attacks.

Contractual requirement

Enforced by payment brands and acquiring banks

Continuous compliance

Annual assessments, quarterly scans, ongoing controls

Complements SOC 2 compliance and ISO 27001 certification.

Who needs to comply?

Merchants

Any organization accepting payment cards (all volumes)

Service providers

Entities processing, storing or transmitting CHD on behalf of others

Payment processors

Third parties processing card transactions

Payment gateways

E-commerce platforms handling card data

Hosting providers

Infrastructure hosting CDE systems

Payment applications

Software vendors with PA-DSS/PCI SSF validated applications

How VerifyWise supports PCI DSS compliance

Concrete capabilities that address each requirement's controls

Cardholder data inventory and classification

Track where cardholder data (CHD) flows across systems. Map primary account numbers (PAN), sensitive authentication data and service codes to identify storage locations, transmission paths and retention periods.

Addresses: Requirement 3: Protect stored cardholder data, Requirement 4: Encrypt transmission

Network segmentation documentation

Document network architecture showing cardholder data environment (CDE) boundaries. The platform maintains network diagrams, firewall rules and segmentation controls for Requirements 1 and 2.

Addresses: Requirement 1: Install and maintain network security controls, Requirement 2: Apply secure configurations

Access control and authentication tracking

Manage user access to CDE systems with role-based controls. Track authentication mechanisms, multi-factor authentication deployment and unique ID assignment for Requirement 8 compliance.

Addresses: Requirement 7: Restrict access, Requirement 8: Identify users and authenticate access

Vulnerability management lifecycle

Track patch management, antivirus deployments and secure development practices. The platform maintains vulnerability scan results, remediation timelines and secure coding evidence.

Addresses: Requirement 5: Protect systems from malware, Requirement 6: Develop and maintain secure systems

Logging and monitoring evidence

Centralize audit log retention, review schedules and intrusion detection system (IDS) configurations. Generate evidence for log analysis, file integrity monitoring and security event correlation.

Addresses: Requirement 10: Log and monitor access, Requirement 11: Test security regularly

Policy management and incident response

Maintain the full PCI DSS policy suite with version control and approval workflows. Document incident response plans, security awareness training and annual risk assessments.

Addresses: Requirement 12: Support information security with policies, Requirement 9: Restrict physical access

All compliance activities are tracked with timestamps, assigned owners and approval workflows. This audit trail demonstrates continuous compliance rather than point-in-time documentation.

Complete PCI DSS requirements coverage

VerifyWise provides dedicated tooling for all 12 requirements across 6 security goals

12

PCI DSS requirements

35

Requirements with dedicated tooling

100%

Coverage across all security goals

Network security8/8

Firewalls, encryption, secure configs

Cardholder data6/6

Storage, transmission, disposal

Vulnerability mgmt6/6

Patching, antivirus, secure dev

Access control7/7

Authentication, authorization, physical

Monitoring5/5

Logging, testing, incident response

Policies3/3

Security policy, assessments

Built for payment security compliance

Cardholder data mapping

Track CHD flows and CDE boundaries with automated discovery

ASV scan integration

Quarterly external vulnerability scan tracking and remediation

ROC and SAQ generation

Evidence packages for QSA audits or self-assessments

Multi-framework mapping

Crosswalk to SOC 2, ISO 27001 and NIST CSF requirements

12 PCI DSS requirements

Organized under 6 security goals for comprehensive cardholder data protection

Build and maintain a secure network and systems

1
Requirement 1

Install and maintain network security controls

Firewalls and routers protect the cardholder data environment

2
Requirement 2

Apply secure configurations to all system components

Vendor defaults are changed, unnecessary services disabled

Protect cardholder data

3
Requirement 3

Protect stored cardholder data

CHD storage minimized, PAN masked, encryption applied

4
Requirement 4

Protect cardholder data with strong cryptography during transmission

Encryption over open, public networks

Maintain a vulnerability management program

5
Requirement 5

Protect all systems and networks from malicious software

Antivirus, anti-malware deployed and maintained

6
Requirement 6

Develop and maintain secure systems and software

Security patches, secure development practices

Implement strong access control measures

7
Requirement 7

Restrict access to system components and cardholder data

Need-to-know access, role-based controls

8
Requirement 8

Identify users and authenticate access to system components

Unique IDs, multi-factor authentication

9
Requirement 9

Restrict physical access to cardholder data

Physical security controls for systems and media

Regularly monitor and test networks

10
Requirement 10

Log and monitor all access to system components and cardholder data

Audit trails, log review processes

11
Requirement 11

Test security of systems and networks regularly

Vulnerability scans, penetration testing

Maintain an information security policy

12
Requirement 12

Support information security with organizational policies and programs

Security policy, risk assessment, incident response

PCI DSS v4.0 key changes

Major updates from v3.2.1 to v4.0 effective March 31, 2024

Customized implementation

  • Targeted risk analysis replaces one-size-fits-all controls
  • Organizations define control frequency based on risk profile
  • Flexibility in how requirements are met

Authentication enhancements

  • Multi-factor authentication (MFA) expanded to all CDE access
  • MFA required for administrative and remote access
  • Phishing-resistant MFA encouraged

E-commerce and phishing

  • New requirement for detecting and responding to unauthorized code on payment pages
  • Script monitoring and change detection for web payment forms
  • Protection against skimming attacks

Roles and responsibilities

  • Explicit documentation of PCI DSS roles required
  • Accountability assigned for each requirement
  • Executive sponsorship documented

Transition timeline: v3.2.1 retired March 31, 2024. All entities must validate compliance to v4.0. Some requirements have future effective dates through March 31, 2025 (designated as "best practice until then").

Merchant compliance levels

Requirements vary based on annual transaction volume

Level 1

6M+ transactions annually

Validation requirements

  • Annual on-site assessment by QSA or internal auditor (if signed by officer)
  • Quarterly network scans by ASV
  • Report on Compliance (ROC) submission
  • Attestation of Compliance (AOC)

Penalty risk

Highest risk: $5K-$100K/month fines, card brand penalties

Level 2

1M-6M transactions annually

Validation requirements

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans by ASV
  • Attestation of Compliance (AOC)
  • May require on-site audit depending on card brand

Penalty risk

Substantial fines, increased transaction fees

Level 3

20K-1M e-commerce transactions

Validation requirements

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans by ASV
  • Attestation of Compliance (AOC)

Penalty risk

Fines up to $50K/month, reputation damage

Level 4

Less than 20K e-commerce or 1M total

Validation requirements

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans by ASV (if applicable)
  • Compliance validation may vary by acquirer

Penalty risk

Lower fines but still risk card processing suspension

24-week implementation roadmap

A practical path to PCI DSS compliance with clear milestones

Phase 1Weeks 1-4

Scoping and discovery

  • Identify all locations where CHD is stored, processed or transmitted
  • Map network topology and define CDE boundaries
  • Inventory systems, applications and third-party connections
  • Determine compliance level and assessment type
Phase 2Weeks 5-10

Gap assessment

  • Evaluate current state against all 12 PCI DSS requirements
  • Identify non-compliant controls and missing evidence
  • Prioritize remediation based on risk and assessment timeline
  • Create remediation roadmap with ownership
Phase 3Weeks 11-20

Remediation and testing

  • Implement missing technical controls (MFA, encryption, logging)
  • Deploy network segmentation and access controls
  • Complete policy documentation and awareness training
  • Conduct internal vulnerability scans and penetration tests
Phase 4Weeks 21-24

Validation and certification

  • Engage QSA or complete SAQ depending on level
  • Execute quarterly ASV network scans
  • Generate Report on Compliance (ROC) or SAQ submission
  • Submit Attestation of Compliance to acquiring bank
Penalties and enforcement

Non-compliance carries severe financial consequences

Card brands and acquiring banks enforce PCI DSS through contractual penalties. Fines escalate with merchant level and duration of non-compliance. Data breaches add investigation, notification and legal costs.

Monthly fines

$5,000 - $100,000/month

Levied by card brands for non-compliance or after a breach. Fines increase with merchant level and duration of non-compliance.

Escalation path

Level 1 merchants face highest fines; can reach $100K/month indefinitely until compliance restored

Increased transaction fees

$0.01 - $0.10 per transaction

Acquirers may impose fee increases for non-compliant merchants. Over thousands of monthly transactions, this creates substantial operational cost.

Escalation path

Permanent fee increase until compliance validated; impacts profit margins directly

Card processing suspension

Immediate termination

Acquiring banks may terminate the merchant agreement, prohibiting card acceptance entirely. Represents existential threat to many businesses.

Escalation path

Reinstatement requires full compliance validation and finding new acquirer (difficult with history)

Breach costs

$200 - $500 per compromised record

Data breach costs include forensics, notification, legal fees, card reissuance and fraud losses. Average total cost: $4M+ per breach.

Escalation path

Class action lawsuits, regulatory penalties (GDPR, state laws), reputational damage, customer churn

Start compliance assessment
Policy templates

Complete PCI DSS policy repository

Access ready-to-use payment security policy templates aligned with PCI DSS v4.0, SOC 2 and ISO 27001 requirements

Network security

  • • Firewall Configuration Policy
  • • Network Segmentation Policy
  • • Wireless Security Policy
  • • System Hardening Standards
  • • Configuration Management
  • • Change Control Policy
  • + 3 more policies

Data protection

  • • Cardholder Data Policy
  • • Encryption Standards
  • • Key Management Policy
  • • Data Retention Policy
  • • Secure Disposal Procedures
  • • Tokenization Guidelines
  • + 4 more policies

Access & monitoring

  • • Access Control Policy
  • • Multi-Factor Authentication
  • • Password Policy
  • • Logging and Monitoring Policy
  • • Incident Response Plan
  • • Vulnerability Management
  • + 5 more policies
Browse all policy templates

Frequently asked questions

Common questions about PCI DSS compliance

PCI DSS applies to all organizations that store, process, or transmit cardholder data, regardless of size or transaction volume. This includes merchants, service providers, payment processors and any entity handling payment card information. Compliance is enforced through contracts with acquiring banks and card brands. See the official PCI Security Standards Council for the complete requirements.
PCI DSS v4.0 (published March 2022) introduced customized implementation, expanded MFA requirements, e-commerce skimming protections and documented roles. Key change: organizations can now use targeted risk analysis to define control frequency. v3.2.1 retired March 31, 2024; all entities must be on v4.0 by March 31, 2025.
PCI DSS is payment-specific and contractually required, while SOC 2 and ISO 27001 are broader information security frameworks. Organizations often pursue all three: PCI DSS ensures card data protection, SOC 2 demonstrates overall security controls to customers and ISO 27001 provides international certification. Significant control overlap exists, allowing shared evidence.
The CDE is the subset of your IT environment that stores, processes or transmits cardholder data or sensitive authentication data. It includes people, processes and technologies that interact with CHD. Proper scoping to minimize CDE reduces PCI DSS assessment effort. Network segmentation isolates CDE from other systems, limiting compliance scope.
A Self-Assessment Questionnaire (SAQ) is a validation tool for smaller merchants (typically Levels 2-4) to self-report compliance. A Report on Compliance (ROC) is a detailed assessment document generated by a Qualified Security Assessor (QSA) for Level 1 merchants or organizations choosing external validation. ROC includes evidence review, interviews and technical testing. Both result in an Attestation of Compliance (AOC) submitted to the acquiring bank.
Initial compliance typically takes 3-6 months depending on current security maturity, CDE complexity and merchant level. Level 1 merchants needing significant remediation may require 6-12 months. Ongoing compliance is continuous: quarterly scans, annual assessments, policy reviews and evidence maintenance. Scoping and gap assessment (first 4-6 weeks) determines timeline.
It depends on your integration. If you use a fully outsourced payment solution (e.g., hosted payment page, redirect to processor) where CHD never touches your systems, you qualify for SAQ A (simplest questionnaire). If CHD flows through your systems even temporarily (e.g., payment terminal, e-commerce checkout), you have broader compliance obligations. Tokenization and point-to-point encryption (P2PE) reduce scope but don't eliminate it entirely.
Card brands impose fines from $5,000 to $100,000 per month depending on merchant level and violation severity. Acquirers may add transaction fee increases ($0.01-$0.10 per transaction) or terminate the merchant agreement, prohibiting card acceptance. Data breaches add forensic costs, notification expenses, fraud losses and potential lawsuits. Average breach cost exceeds $4 million. Penalties continue until compliance is validated.
Annual validation is required for all compliance levels. Level 1 merchants need annual on-site assessments (QSA or internal auditor with officer signature). Levels 2-4 complete annual SAQs. All levels need quarterly network scans by an Approved Scanning Vendor (ASV). Continuous compliance activities include log reviews, vulnerability management, access reviews and policy updates. Compliance is not a point-in-time event.
PCI DSS v4.0 requires MFA for all access to the CDE, including administrative access, remote access and console access. MFA must use at least two independent authentication factors: something you know (password), something you have (token, smart card) or something you are (biometric). Phishing-resistant MFA (e.g., FIDO2, PKI) is encouraged. Single sign-on (SSO) alone doesn't satisfy MFA unless combined with additional authentication.
Cloud deployments must meet all PCI DSS requirements. Responsibility depends on the service model: IaaS (you handle most controls), PaaS (shared responsibility) or SaaS (provider handles infrastructure). Cloud providers may have PCI DSS attestations, but you remain responsible for your controls (access management, encryption, logging). Document responsibility matrix with cloud provider. Tokenization and encryption services can reduce scope.
Yes, VerifyWise provides dedicated modules for PCI DSS compliance management. Track cardholder data flows, document CDE boundaries, manage policies and generate audit evidence. Our platform maps controls to all 12 requirements and supports gap assessments, remediation tracking and ASV scan management. We also provide crosswalks to SOC 2, ISO 27001 and NIST AI RMF for organizations implementing multiple frameworks.

Ready to achieve PCI DSS compliance?

Start your compliance journey with our guided assessment and implementation tools.

Start compliance assessmentSchedule consultation
PCI DSS v4.0 compliance and validation guide