Payment Security

PCI-DSS Requirements Guide

Complete guide to PCI-DSS compliance covering all 12 requirements. Understand compliance levels, SAQ types, and protect cardholder data.

At a glance: 12 core requirements, 6 security goals, 4 merchant compliance levels, current version v4.0 (revised as v4.0.1 in June 2024).

What is PCI-DSS?

Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards designed to ensure all companies that accept, process, store, or transmit credit card information maintain a secure environment.

Who Must Comply

Any organization that stores, processes, or transmits cardholder data, regardless of size or transaction volume.

Enforced By

Payment card brands (Visa, Mastercard, Amex, Discover, JCB) through acquiring banks and payment processors.

Penalties

Fines commonly reported in the $5,000-$100,000/month range (set by the card brands and passed through by the acquirer), increased transaction fees, loss of payment processing ability, and liability for fraud losses and forensic investigation costs after a breach.

Merchant Compliance Levels

Your compliance level determines validation requirements based on annual transaction volume. The thresholds below are Visa/Mastercard's; American Express and Discover publish their own, and a brand or acquirer can assign a higher level to a merchant that has suffered a breach.

Level 1

Most Stringent

Over 6 million transactions/year

Large merchants, payment processors

  • Annual Report on Compliance (ROC) by a QSA or a certified Internal Security Assessor (ISA)
  • Quarterly network scans by ASV
  • Attestation of Compliance (AOC)

Level 2

1-6 million transactions/year

Mid-size merchants

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans by ASV
  • Attestation of Compliance (AOC)

Level 3

20,000-1 million e-commerce transactions/year

E-commerce merchants

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans by ASV
  • Attestation of Compliance (AOC)

Level 4

Under 20,000 e-commerce or up to 1 million other transactions/year

Small merchants

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans (recommended)
  • Compliance validation requirements set by acquirer

Self-Assessment Questionnaire Types

Choose the SAQ type based on how you handle cardholder data. The requirement counts below are the v3.2.1 questionnaire lengths; the v4.0 SAQs contain different numbers of questions, so confirm the current figures with your acquirer.

SAQ A
  • Description: Card-not-present merchants (e-commerce or mail/telephone order) with fully outsourced payment processing and no electronic storage of cardholder data
  • Applies to: E-commerce sites that redirect to, or embed an iframe served entirely by, a PCI-validated provider (Stripe Checkout, PayPal)
  • Requirements: 22

SAQ A-EP
  • Description: E-commerce merchants whose own website affects the security of the payment transaction (the merchant page delivers the script or form that collects card data)
  • Applies to: E-commerce with payment forms embedded in the merchant's page (for example Stripe Elements; check the provider's guidance, since fully provider-hosted iframes are generally treated as SAQ A)
  • Requirements: 191

SAQ B
  • Description: Merchants using imprint machines or standalone dial-out terminals, with no electronic cardholder data storage
  • Applies to: Brick-and-mortar with basic terminals
  • Requirements: 41

SAQ B-IP
  • Description: Merchants using standalone, PTS-approved payment terminals with an IP connection, with no electronic cardholder data storage
  • Applies to: Modern POS terminals
  • Requirements: 82

SAQ C
  • Description: Merchants with payment application systems connected to the internet, with no electronic cardholder data storage
  • Applies to: Payment applications on dedicated systems
  • Requirements: 160

SAQ C-VT
  • Description: Merchants entering one transaction at a time into a virtual payment terminal in a web browser on an isolated workstation
  • Applies to: Virtual terminals for phone orders
  • Requirements: 79

SAQ D
  • Description: All other merchants and service providers
  • Applies to: Merchants that store or process cardholder data electronically, and service providers
  • Requirements: 329 (full DSS)

Reduce Your SAQ Scope

Redirect- or iframe-based checkout (Stripe Checkout, PayPal, provider-hosted payment pages) keeps card data out of your systems and lets you qualify for SAQ A, cutting the questionnaire from the full SAQ D (329 questions in v3.2.1) to SAQ A (22). Confirm eligibility with your acquirer, and remember that SAQ A still leaves you responsible for the page that performs the redirect or hosts the iframe: an attacker who can change that page can send customers elsewhere.

The 12 PCI-DSS Requirements

Organized into 6 security goals with specific control objectives

Build and Maintain a Secure Network and Systems

2 requirements

Requirement 1: Install and maintain network security controls

Configure firewalls and network controls to protect cardholder data

  • Document network architecture and data flows
  • Configure firewalls to restrict untrusted network traffic
  • Limit inbound and outbound traffic to necessary communications
  • Implement a DMZ for public-facing systems
  • Review firewall/router rules at least every 6 months

Requirement 2: Apply secure configurations to all system components

Change vendor defaults and remove unnecessary services

  • Change all vendor-supplied defaults (passwords, settings)
  • Remove unnecessary functionality (scripts, drivers, features)
  • Implement only one primary function per server
  • Enable only necessary services and protocols
  • Document security configuration standards

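The Requirement 1 bullets above are the kind of thing a six-monthly rule review checks mechanically. Added example, not from the page or any firewall vendor: it reviews a constructed ruleset (hypothetical 10.10.0.0/24 CDE and 10.20.0.0/24 DMZ, port 0 meaning "any service") for internet-to-CDE inbound rules, unrestricted CDE egress, any-service rules, rules reviewed more than six months ago, rules without a justification, and a missing final default deny.

```python
"""Requirement 1 rule review as an added example (not from the page or any
vendor tool). The zone addresses and the rule records are constructed; real
rulesets would be exported from the firewall and mapped into this shape."""
from datetime import date, timedelta
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")
CDE = ip_network("10.10.0.0/24")        # hypothetical cardholder data environment
DMZ = ip_network("10.20.0.0/24")        # hypothetical public-facing tier
REVIEW_INTERVAL = timedelta(days=182)   # "at least once every six months"

# Constructed ruleset; port 0 stands for "any service".
RULES = [
    {"id": 1, "src": "0.0.0.0/0", "dst": "10.20.0.0/24", "port": 443, "action": "allow",
     "reviewed": date(2024, 9, 1), "justification": "public HTTPS to DMZ web tier"},
    {"id": 2, "src": "10.20.0.0/24", "dst": "10.10.0.0/24", "port": 8443, "action": "allow",
     "reviewed": date(2024, 9, 1), "justification": "DMZ app to payment API"},
    {"id": 3, "src": "0.0.0.0/0", "dst": "10.10.0.0/24", "port": 22, "action": "allow",
     "reviewed": date(2023, 1, 15), "justification": ""},
    {"id": 4, "src": "10.10.0.0/24", "dst": "0.0.0.0/0", "port": 0, "action": "allow",
     "reviewed": date(2024, 9, 1), "justification": "temporary"},
    {"id": 5, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": 0, "action": "deny",
     "reviewed": date(2024, 9, 1), "justification": "default deny"},
]


def has_default_deny(rules):
    """The final rule must deny everything not explicitly allowed above it."""
    last = rules[-1]
    return (last["action"] == "deny" and ip_network(last["src"]) == ANY
            and ip_network(last["dst"]) == ANY and last["port"] == 0)


def review_rules(rules, today, cde=CDE):
    """Return (rule id, finding) pairs for allow rules that break the Requirement 1 bullets."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst = ip_network(r["src"]), ip_network(r["dst"])
        if src == ANY and dst.overlaps(cde):
            findings.append((r["id"], "untrusted-to-cde"))          # inbound from the internet
        if src.subnet_of(cde) and dst == ANY:
            findings.append((r["id"], "cde-egress-unrestricted"))   # outbound not limited
        if r["port"] == 0:
            findings.append((r["id"], "any-service"))
        if today - r["reviewed"] > REVIEW_INTERVAL:
            findings.append((r["id"], "review-overdue"))
        if not r["justification"].strip():
            findings.append((r["id"], "no-justification"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in review_rules(RULES, date(2025, 3, 1)):
        print(f"rule {rule_id}: {finding}")
    print("default deny present:", has_default_deny(RULES))
```

Rule 1 (internet to the DMZ web tier on 443) passes because the DMZ is the public-facing zone; rule 3 is the classic finding, an SSH hole from anywhere into the CDE that nobody has justified or reviewed in two years. Feed the real export through a mapper into the same dict shape and keep the findings as the evidence for the six-monthly review.
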
Protect Account Data

2 requirements

Requirement 3: Protect stored account data

Minimize data storage and protect what must be stored

  • Never store sensitive authentication data (full track data, CVV/CVC, PIN blocks) after authorization, even encrypted
  • Mask PAN when displayed: at most the BIN and the last four digits
  • Render PAN unreadable wherever it is stored (strong encryption, tokenization, truncation, or a keyed cryptographic hash of the entire PAN; v4.0 requires the hash to be keyed)
  • Document and implement data retention and secure-deletion policies
  • Secure encryption keys with strict access controls and documented key management

Requirement 4: Protect cardholder data in transit

Encrypt transmission of cardholder data over open, public networks

  • Use strong cryptography (TLS 1.2 or later with secure cipher suites) for transmission
  • Never send unprotected PANs via email, chat, SMS or other end-user messaging
  • Document all transmission locations and methods
  • Use trusted certificates, and keep an inventory of certificates and keys with their expiry dates
  • Verify TLS is enabled and certificates are valid; reject expired or self-signed certificates on public links

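The Requirement 3 bullets (no stored sensitive authentication data, masked display, PAN rendered unreadable) and the "Storing Prohibited Data" pitfall further down both come back to the same three pieces of code. Added example, not from the page: a Luhn-filtered PAN scanner that also flags magnetic-stripe track data and CVVs in a constructed application log, a display mask showing BIN plus last four, and a keyed hash (HMAC-SHA-256) for the "unreadable" storage form. The HMAC key is a placeholder for one held in a KMS or HSM; the card numbers are test numbers, not real cardholders.

```python
"""Requirement 3 helpers plus a data-discovery pass, as an added example
(not code from the page). The sample log is constructed; the HMAC key is a
placeholder for a key held in a KMS/HSM with restricted access."""
import hashlib
import hmac
import re

# 13-19 digit runs, optionally separated by spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 / track 2 sentinels: the magnetic-stripe data that must never be stored.
TRACK_RE = re.compile(r"%B\d{13,19}\^|;\d{13,19}=\d{4}")
# Card verification values are sensitive authentication data as well.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\s*[:=]\s*\d{3,4}", re.IGNORECASE)

HMAC_KEY = b"placeholder-key-replace-with-kms-managed-secret"  # assumption, see lead-in


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most numeric strings that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the BIN (first six here) and last four (v4.0 3.4.1)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = HMAC_KEY) -> str:
    """Keyed hash of the whole PAN (v4.0 3.5.1.1); an unkeyed SHA-256 of a 16-digit
    number is brute-forceable from the BIN and the Luhn rule alone."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def discover(text: str):
    """Scan text line by line; return findings of stored PAN and sensitive auth data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append({"line": lineno, "kind": "PAN", "value": mask_pan(digits)})
        if TRACK_RE.search(line):
            findings.append({"line": lineno, "kind": "TRACK", "value": "<magstripe>"})
        if CVV_RE.search(line):
            findings.append({"line": lineno, "kind": "CVV", "value": "<cvv>"})
    return findings


# Constructed application log; the card numbers are public test numbers.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z order=1001 card=4242424242424242 exp=12/27 cvv=123
2025-03-01T10:00:05Z order=1002 card=4111-1111-1111-1111 status=authorized
2025-03-01T10:00:09Z order=1003 card=4111111111111112 status=declined
2025-03-01T10:01:00Z swipe=%B4242424242424242^DOE/JOHN^2712101?
2025-03-01T10:02:00Z ticket=1234567890123 status=ok
"""

if __name__ == "__main__":
    for f in discover(SAMPLE_LOG):
        print(f)
    print(pan_token("4242424242424242"))
```

Line 3 (a number that fails Luhn) and line 5 (a 13-digit ticket number) are deliberately there: without the checksum filter a scanner over real logs drowns in false positives, and the point of a discovery tool is that someone actually reads its output. Findings carry only the masked value so the report itself does not become another place PAN is stored.
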
Maintain a Vulnerability Management Program

2 requirements

Requirement 5: Protect all systems and networks from malicious software

Deploy and maintain anti-malware solutions

  • Deploy anti-malware on all system components commonly affected by malware
  • Ensure anti-malware is actively running and cannot be disabled or altered by users
  • Keep anti-malware definitions current
  • Generate, retain and review anti-malware audit logs
  • Conduct periodic malware scans, and scan removable media when it is used

Requirement 6: Develop and maintain secure systems and software

Apply security patches and develop software securely

  • Install critical and high-risk security patches within one month of release
  • Establish a secure software development lifecycle
  • Train developers in secure coding practices at least annually
  • Address common vulnerability classes (injection, broken access control, insecure cryptography and the rest of the OWASP Top 10)
  • Conduct code reviews and security testing before release, and protect public-facing web applications with an automated technical solution such as a web application firewall

Implement Strong Access Control Measures

3 requirements

Requirement 7: Restrict access to system components and cardholder data by business need to know

Limit access to only those who require it

  • Define access needs for each role
  • Implement role-based access control (RBAC)
  • Deny all access by default unless explicitly granted
  • Document access control policies
  • Review user accounts and access rights at least every six months

Requirement 8: Identify users and authenticate access to system components

Assign unique IDs and implement strong authentication

  • Assign a unique user ID to each person; shared or generic accounts only by documented exception
  • Implement multi-factor authentication for all remote access into the network
  • Implement MFA for all access into the CDE, not only administrative access (v4.0)
  • Enforce password/passphrase rules: at least 12 characters (8 where a system cannot support more), letters and digits, no reuse of the last four
  • Lock accounts after at most 10 failed login attempts (v4.0; v3.2.1 said 6) for at least 30 minutes or until an administrator confirms the user's identity

Requirement 9: Restrict physical access to cardholder data

Protect physical access to systems storing cardholder data

  • Use entry controls to limit physical access
  • Distinguish between onsite personnel and visitors
  • Authorize and log visitor access
  • Physically secure media containing cardholder data
  • Destroy media when no longer needed

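The Requirement 8 bullets are easy to state and easy to get wrong in code (counters that never reset, lockouts that can be bypassed by switching username case, history checks that are skipped). Added example, not from the page: a login guard that enforces the v4.0 limits (at most 10 consecutive failures, 30-minute lockout), emits audit events for Requirement 10, and a password-policy check for the 12-character, letters-and-digits and last-four-history rules. The user store, the PBKDF2 iteration count and the passwords are constructed; time is an explicit parameter so the lockout window can be exercised without waiting.

```python
"""Requirement 8 controls as an added example (not from the page). The limits
are the v4.0 numbers: lock after at most 10 consecutive failures (8.3.4) for
at least 30 minutes, 12+ character passwords with letters and digits (8.3.6),
no reuse of the last four (8.3.7). The user store is constructed."""
import hashlib
import hmac
import os

MAX_FAILURES = 10
LOCKOUT_SECONDS = 30 * 60
MIN_LENGTH = 12
HISTORY = 4


class LoginGuard:
    """Per-user failure counter and lockout window keyed on the unique user ID."""

    def __init__(self, verify, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self._verify = verify          # callable(user, password) -> bool
        self._failures = {}            # user -> consecutive failures
        self._locked_until = {}        # user -> epoch seconds
        self.max_failures = max_failures
        self.lockout = lockout
        self.audit = []                # (time, user, event): feeds Requirement 10 logging

    def attempt(self, user, password, now):
        user = user.lower()            # "Alice" and "alice" share one counter
        if now < self._locked_until.get(user, 0):
            self.audit.append((now, user, "rejected-locked"))
            return "locked"
        if self._verify(user, password):
            self._failures[user] = 0
            self.audit.append((now, user, "success"))
            return "ok"
        count = self._failures.get(user, 0) + 1
        if count >= self.max_failures:
            self._failures[user] = 0
            self._locked_until[user] = now + self.lockout
            self.audit.append((now, user, "locked"))
            return "locked"
        self._failures[user] = count
        self.audit.append((now, user, "failed"))
        return "failed"


def password_acceptable(candidate, previous):
    """8.3.6 length and complexity plus 8.3.7 history; returns (ok, reason)."""
    if len(candidate) < MIN_LENGTH:
        return False, "shorter than 12 characters"
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        return False, "needs both letters and digits"
    if candidate in previous[-HISTORY:]:
        return False, "matches one of the last four passwords"
    return True, "ok"


def make_user(password, iterations=100_000):
    """Salted PBKDF2-SHA256 record; iteration count kept low for the demo (assumption)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def pbkdf2_verifier(users, iterations=100_000):
    """Build a verify callable over a {user: (salt, hash)} table with constant-time compare."""
    def verify(user, password):
        if user not in users:
            return False
        salt, stored = users[user]
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        return hmac.compare_digest(got, stored)
    return verify


if __name__ == "__main__":
    guard = LoginGuard(pbkdf2_verifier({"alice": make_user("correct horse 9 staple")}))
    for t in range(10):
        print(t, guard.attempt("alice", "wrong", now=t))
    print("during lockout:", guard.attempt("alice", "correct horse 9 staple", now=60))
    print("after lockout:", guard.attempt("alice", "correct horse 9 staple", now=60 + 1800))
```

Two details matter for an assessor: a correct password during the lockout window is still rejected (otherwise the lockout is decorative), and every branch writes an audit record, because Requirement 10 asks for failed and successful authentication attempts, not just successes.
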
Regularly Monitor and Test Networks

2 requirements

Requirement 10: Log and monitor all access to system components and cardholder data

Implement logging and monitoring for security events

  • Log all individual user access to cardholder data
  • Log administrative actions, all access to audit trails, and changes to identification and authentication mechanisms
  • Synchronize time across all systems (NTP) from designated internal time servers, and protect time data from unauthorized change
  • Retain audit trail history for at least 12 months, with the most recent 3 months immediately available for analysis
  • Review logs for the CDE and for security functions at least daily; automated log review tooling is acceptable and expected at scale

Requirement 11: Test security of systems and networks regularly

Conduct regular security testing and scanning

  • Test for rogue wireless access points at least quarterly
  • Run internal (authenticated, in v4.0) and external vulnerability scans at least quarterly and after significant changes; external scans must come from an ASV
  • Conduct penetration testing at least annually and after significant changes; test segmentation controls at least annually (every six months for service providers)
  • Deploy intrusion detection/prevention systems at the CDE perimeter and at critical points inside it
  • Implement change-detection (file integrity monitoring) on critical files, with comparisons at least weekly

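"Review logs daily" only means something if the review asks concrete questions. Added example, not from the page: a small daily review over a constructed audit feed (hypothetical key=value line format with the collector's receive time on each line) that flags cardholder-data access by a generic account, any modification of the audit trail itself, bursts of failed logins, and hosts whose event timestamps disagree with the collector's clock. It also includes a check of the 12-month / 3-month retention rule.

```python
"""Requirement 10 daily log review as an added example (not from the page).
The line format and the events are constructed; a real review would run over
the collector's export for the previous day."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<rest>.*)$")
GENERIC_ACCOUNTS = {"root", "admin", "administrator", "shared"}
FAILURE_THRESHOLD = 5                    # failed logins per user ...
FAILURE_WINDOW = timedelta(minutes=10)   # ... inside this window
CLOCK_TOLERANCE = timedelta(seconds=60)  # event time vs collector receive time
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line):
    """Split '<event time> key=value ...' into a dict with parsed timestamps."""
    m = LINE_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    fields["ts"] = datetime.strptime(m.group("ts"), TS_FORMAT)
    fields["received"] = datetime.strptime(fields["received"], TS_FORMAT)
    return fields


def review(lines):
    """Return (time, subject, finding) tuples for the day's review."""
    findings = []
    failures = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e["target"].startswith("cde:") and e["user"] in GENERIC_ACCOUNTS:
            findings.append((e["ts"], e["host"], "cde-access-by-non-unique-id"))
        if e["target"].startswith("audit:") and e["action"] in {"delete", "modify", "truncate"}:
            findings.append((e["ts"], e["host"], "audit-trail-modified"))
        if abs(e["received"] - e["ts"]) > CLOCK_TOLERANCE:
            findings.append((e["ts"], e["host"], "clock-skew"))
        if e["action"] == "login" and e["result"] == "fail":
            failures[e["user"]].append(e["ts"])
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - FAILURE_THRESHOLD + 1):
            if times[i + FAILURE_THRESHOLD - 1] - times[i] <= FAILURE_WINDOW:
                findings.append((times[i], user, "auth-failure-burst"))
                break
    return findings


def retention_ok(oldest_retained, oldest_online, today):
    """10.5.1: 12 months retained, the most recent 3 months immediately available."""
    return (today - oldest_retained >= timedelta(days=365)
            and today - oldest_online >= timedelta(days=90))


# Constructed feed: one clean read, a root read of card data, five SSH failures,
# a deletion inside the audit store, and a POS host whose clock is 16 minutes slow.
SAMPLE = """\
2025-03-01T09:00:00Z received=2025-03-01T09:00:01Z host=pay-app-01 user=alice action=read target=cde:orders/1001 result=ok
2025-03-01T09:00:30Z received=2025-03-01T09:00:30Z host=pay-db-01 user=root action=read target=cde:cards result=ok
2025-03-01T09:01:00Z received=2025-03-01T09:01:00Z host=pay-app-01 user=bob action=login target=ssh result=fail
2025-03-01T09:01:10Z received=2025-03-01T09:01:10Z host=pay-app-01 user=bob action=login target=ssh result=fail
2025-03-01T09:01:20Z received=2025-03-01T09:01:20Z host=pay-app-01 user=bob action=login target=ssh result=fail
2025-03-01T09:01:30Z received=2025-03-01T09:01:30Z host=pay-app-01 user=bob action=login target=ssh result=fail
2025-03-01T09:01:40Z received=2025-03-01T09:01:40Z host=pay-app-01 user=bob action=login target=ssh result=fail
2025-03-01T09:05:00Z received=2025-03-01T09:05:00Z host=log-01 user=carol action=delete target=audit:pay-app-01/2025-02 result=ok
2025-03-01T08:50:00Z received=2025-03-01T09:06:00Z host=pos-07 user=dave action=read target=cde:receipts result=ok
""".splitlines()

if __name__ == "__main__":
    for ts, subject, finding in review(SAMPLE):
        print(ts.isoformat(), subject, finding)
```

The clock-skew check is the one people forget: a host whose time drifts produces an audit trail that cannot be correlated with anything else, which is why Requirement 10 pairs logging with time synchronization. The thresholds are constructed starting points, and the findings list is what gets attached to the daily review record as evidence.
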
Maintain an Information Security Policy

1 requirement

Requirement 12: Support information security with organizational policies and programs

Maintain a comprehensive security policy

  • Establish and maintain an information security policy
  • Define security responsibilities for all personnel
  • Conduct security awareness training
  • Screen personnel prior to hire
  • Maintain an incident response plan and test it at least annually

Implementation Timeline

Typical phases for achieving PCI-DSS compliance

Phase 1: Scoping & Gap Assessment (2-4 weeks)
  • Define cardholder data environment (CDE)
  • Document all data flows
  • Identify applicable SAQ type
  • Conduct gap assessment against requirements
  • Prioritize remediation efforts

Phase 2: Remediation (2-6 months)
  • Implement network segmentation
  • Deploy encryption and access controls
  • Establish logging and monitoring
  • Update policies and procedures
  • Train personnel on requirements

Phase 3: Validation (2-4 weeks)
  • Conduct internal security testing
  • Complete vulnerability scans via ASV
  • Perform penetration testing
  • Prepare evidence documentation
  • Complete SAQ or prepare for QSA audit

Phase 4: Attestation & Maintenance (ongoing)
  • Submit AOC to acquirer/payment brands
  • Conduct quarterly ASV scans
  • Review logs and access controls regularly
  • Perform annual penetration testing
  • Update policies as environment changes

Common Compliance Pitfalls

Avoid these frequent mistakes that lead to PCI-DSS failures

Misjudging Scope

Scope errors cut both ways. Under-scoping leaves out systems that can connect to or affect the CDE, so they never get the controls and the assessment is invalid. Over-scoping, by failing to segment, pulls the whole corporate network into the CDE and multiplies the cost of every control.

Solution: Minimize scope through network segmentation, tokenization, and outsourcing payment processing where possible, then confirm the boundary with data-flow documentation and segmentation testing.

Storing Prohibited Data

Storing full magnetic stripe data, CVV/CVC codes, or PIN blocks after authorization is a direct violation.

Solution: Implement data discovery tools and ensure applications never store sensitive authentication data post-authorization.

Weak Segmentation

Claiming network segmentation without proper implementation and testing means all connected systems are in scope.

Solution: Validate segmentation through penetration testing and ensure controls prevent traffic between CDE and out-of-scope networks.

Inconsistent Logging

Missing logs, insufficient detail, or failure to review logs daily prevents detection of security events.

Solution: Centralize logging with SIEM, automate alerting for suspicious activity, and document daily log review process.

Patch Management Gaps

Missing critical patches within 30 days or failing to patch all in-scope systems creates exploitable vulnerabilities.

Solution: Implement automated patch management, track all in-scope systems, and prioritize critical/high vulnerabilities.

Third-Party Risk

Assuming service providers are compliant without verification can lead to compliance failures.

Solution: Obtain AOCs from all service providers annually, maintain service provider inventory, and include PCI requirements in contracts.

PCI-DSS v4.0 Key Changes

Version 4.0 was published in March 2022 and became the only valid version when v3.2.1 was retired on 31 March 2024; the future-dated requirements, best practice until then, became mandatory on 31 March 2025. A limited revision, v4.0.1, followed in June 2024.

  • Customized approach option for meeting requirements, backed by a targeted risk analysis and assessor-validated testing
  • MFA for all access into the CDE (8.4.2), not only administrative and remote access
  • Passwords of at least 12 characters (8.3.6), with MFA or dynamic risk analysis as alternatives to forced periodic changes
  • Targeted risk analyses to set the frequency of periodic controls
  • Automated technical controls where possible (automated log review, a WAF for public-facing web applications)
  • Script inventory, authorization and integrity controls for payment pages (6.4.3) and tamper detection for payment-page content and headers (11.6.1)
  • Authenticated internal vulnerability scans (11.3.1.2)
  • Security awareness training that covers phishing and social engineering, plus acceptable use of end-user technologies

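The payment-page requirements (6.4.3, 11.6.1) are the v4.0 response to Magecart-style skimming, and the practical core is an inventory of every script the page loads with a reason for each, compared against what the page actually serves. Added example, not from the page or any payment provider: it parses a constructed checkout page, collects external scripts with their Subresource Integrity values and inline scripts by hash, and reports anything not in the approved inventory, anything approved but shipped without SRI, and any SRI value that differs from the approved one. Hostnames, script bodies and the inventory are all constructed.

```python
"""Payment-page script inventory check for v4.0 requirements 6.4.3 and 11.6.1,
as an added example (not from the page or any PSP). The page HTML, the
approved inventory and the hostnames are constructed."""
import base64
import hashlib
from html.parser import HTMLParser


def sri(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity token for a script body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


class ScriptCollector(HTMLParser):
    """Collect every <script> element: external src plus its SRI attribute, or inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_page(html: str, inventory: dict):
    """Compare the page's scripts with the approved inventory.

    inventory maps each external src to {"sri": approved token or None, "why": justification}
    and "inline" to {"sri": set of approved tokens, "why": justification}."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            if sri(s["body"].encode()) not in inventory.get("inline", {}).get("sri", ()):
                findings.append(("inline", "unauthorized-inline-script"))
            continue
        approved = inventory.get(s["src"])
        if approved is None:
            findings.append((s["src"], "unauthorized-script"))
        elif s["integrity"] is None:
            findings.append((s["src"], "missing-sri"))
        elif s["integrity"] != approved["sri"]:
            findings.append((s["src"], "integrity-mismatch"))
    return findings


# Constructed script bodies standing in for the real files approved at review time.
PSP_JS = b"/* stand-in for the payment provider's checkout library */"
UI_JS = b"/* stand-in for the merchant's approved ui.js */"
INLINE_JS = 'window.checkout = {merchant: "m_123"};'

INVENTORY = {
    "https://js.psp.example/v3.js": {"sri": sri(PSP_JS), "why": "payment provider checkout library"},
    "https://cdn.example/ui.js": {"sri": sri(UI_JS), "why": "merchant UI bundle"},
    "https://cdn.example/analytics.js": {"sri": None, "why": "analytics; SRI not yet pinned"},
    "inline": {"sri": {sri(INLINE_JS.encode())}, "why": "checkout bootstrap config"},
}

# Constructed page as served today: ui.js was modified, and a skimmer script was injected.
PAGE = """\
<html><head>
<script src="https://js.psp.example/v3.js" integrity="__PSP__" crossorigin="anonymous"></script>
<script src="https://cdn.example/ui.js" integrity="__UI__" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>
<script>window.checkout = {merchant: "m_123"};</script>
</head><body><form id="payment"></form>
<script src="https://cdn.bad.example/skim.js"></script>
</body></html>
""".replace("__PSP__", sri(PSP_JS)).replace("__UI__", sri(UI_JS + b"\n/* modified */"))

if __name__ == "__main__":
    for src, finding in audit_page(PAGE, INVENTORY):
        print(f"{finding}: {src}")
```

Run this against the page as a customer's browser receives it, on a schedule and after every deployment, and keep the inventory under change control: the "why" field is the written justification 6.4.3 asks for, and the diff between runs is the tamper-detection evidence 11.6.1 asks for. Pairing the check with a Content Security Policy that lists the same hosts turns a detected unauthorized script into a blocked one.
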