The complete guide to Payment Card Industry Data Security Standard v4.0 — 12 requirements, merchant levels, SAQ types, and penalties explained for finance & fintech teams.
PCI DSS v4.0 — Active Standard. Updated March 2026.
What Is PCI DSS?
Source: PCI SSC official documentation.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements established by the PCI Security Standards Council (PCI SSC) — a consortium founded in 2006 by American Express, Discover, JCB International, Mastercard, and Visa Inc. (PCI SSC, 2006)
PCI DSS applies to every organization that stores, processes, or transmits cardholder data (CHD) or sensitive authentication data (SAD) — regardless of size, industry, or transaction volume. This includes merchants, payment processors, issuing banks, acquiring banks, and service providers.
PCI DSS 4.0 was released on March 31, 2022, and became the sole active version on March 31, 2024, when PCI DSS 3.2.1 officially retired. PCI DSS 4.0.1 (minor clarifications, no new requirements) followed in June 2024. (PCI SSC, March 2022)
At a glance: 12 core requirements; 4 merchant levels; current version 4.0.1; v3.2.1 retired in 2024; maximum fine $100K per month.
The 12 PCI DSS Requirements
Source: PCI DSS v4.0 standard.
PCI DSS v4.0 organizes its security requirements into six control objectives and 12 top-level requirements. (PCI DSS v4.0, Section 1) Current as of March 2026.
Req 1
Install & Maintain Network Security Controls
Firewalls, network segmentation, and access controls to protect the cardholder data environment (CDE).
Req 2
Apply Secure Configurations to All System Components
Eliminate vendor-supplied defaults; harden all servers, routers, and endpoints per industry best practice.
Req 3
Protect Stored Account Data
Encrypt or tokenize PANs; prohibit storage of sensitive authentication data (SAD) after authorization.
Req 4
Protect Cardholder Data in Transit
Use strong cryptography (TLS 1.2+) for all transmission of cardholder data over open, public networks.
Req 5
Protect All Systems Against Malware
Deploy anti-malware on all applicable systems; keep signatures current; prevent, detect, and address malware.
Req 6
Develop & Maintain Secure Systems & Software
Patch management, secure SDLC, web application firewalls (WAF), and protection against known vulnerabilities.
Req 7
Restrict Access to System Components & Cardholder Data
Implement least-privilege access; restrict access to only those with a legitimate business need.
Req 8
Identify Users & Authenticate Access to System Components
Unique IDs for each user; MFA for all non-console administrative access; strong password policies.
Req 9
Restrict Physical Access to Cardholder Data
Badge access, CCTV, visitor logs, and physical media controls for all facilities housing the CDE.
Req 10
Log & Monitor All Access to System Components & Cardholder Data
Automated audit logs, centralized log management, and time-synchronization across all CDE systems.
Req 11
Test Security of Systems & Networks Regularly
Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) and quarterly internal scans; annual penetration testing; intrusion detection.
Req 12
Support Information Security with Organizational Policies & Programs
Note: Individual card brands (Visa, Mastercard, Amex, Discover) define their own merchant levels with slightly different thresholds. Verify your level with your acquiring bank.
Penalties for Non-Compliance
Source: fine ranges from card brand published materials.
| Violation Type | Penalty / Consequence | Who Pays |
|---|---|---|
| Non-compliance fines | $5,000 – $100,000 per month (assessed to acquiring bank, passed to merchant) | Merchant (via acquiring bank) |
| | Termination of ability to accept Visa/Mastercard/Amex payments | Merchant |
| Increased transaction fees | 0.5% – 1.0% surcharge per transaction post-breach until re-certification | Merchant |
Key Changes in PCI DSS 4.0
Source: PCI SSC v4.0 Summary of Changes document.
PCI DSS 4.0 introduced significant changes from 3.2.1, with new requirements phased in through March 31, 2025. (PCI SSC Summary of Changes)
Customized Approach: Organizations can now implement alternative controls to meet the intent of each requirement (instead of being locked into prescriptive controls), subject to increased documentation and assessment scrutiny.
Targeted Risk Analysis (TRA): Several requirements now require organizations to perform and document a targeted risk analysis to determine appropriate frequency of activities.
Multi-Factor Authentication (MFA): MFA is now required for ALL access into the cardholder data environment (CDE), not just remote access.
Password Requirements: Minimum password length increased from 7 to 12 characters; complexity requirements updated.
E-commerce & Phishing Protection: New Req 6.4.3 and 11.6.1 address client-side script management and alerts for unauthorized changes to payment pages — directly targeting Magecart-style attacks.
Roles & Responsibilities: Every requirement now explicitly defines responsibilities between entities.
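As an added illustration of what Req 6.4.3 and 11.6.1 ask for (an authorized inventory of payment-page scripts, and an alert when a script is added or changed), the following Python is example code written for this page; it is not PCI SSC material or any vendor's product. It assumes the defender keeps an inventory of authorized scripts keyed by URL (or inline position) with SHA-384 digests in Subresource Integrity form, and that a monitor periodically fetches the live page and its external scripts. The page, script bodies and the cdn.example.test URLs are constructed.

```python
"""Payment-page script inventory monitor (PCI DSS v4.0 Req 6.4.3 / 11.6.1).

Example code added for illustration; not PCI SSC material. All URLs, script
bodies and the sample page are constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_sha384(content: bytes) -> str:
    """SHA-384 digest in Subresource Integrity form ('sha384-<base64>')."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


class _ScriptCollector(HTMLParser):
    """Collect every <script> element: src and integrity attributes plus inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._open = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def audit_payment_page(html: str, inventory: dict, fetched: dict) -> list:
    """Compare the scripts on a payment page with the authorized inventory.

    inventory: {ident: sri_digest}, where ident is the src URL of an external
               script or 'inline:<n>' for the n-th inline script on the page.
    fetched:   {src_url: bytes}, the external script bodies the monitor
               retrieved (constructed here).
    Returns (ident, finding) tuples; an empty list means the page matches.
    Finding codes: unauthorized, changed, no-integrity, unretrievable, missing.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    findings, seen, inline_n = [], set(), 0
    for s in parser.scripts:
        if s["src"]:
            ident, content = s["src"], fetched.get(s["src"])
        else:
            ident, content = f"inline:{inline_n}", s["body"].encode()
            inline_n += 1
        seen.add(ident)
        if content is None:
            findings.append((ident, "unretrievable"))
            continue
        if ident not in inventory:
            findings.append((ident, "unauthorized"))
        elif inventory[ident] != sri_sha384(content):
            findings.append((ident, "changed"))
        if s["src"] and not s["integrity"]:
            findings.append((ident, "no-integrity"))
    for ident in inventory:
        if ident not in seen:
            findings.append((ident, "missing"))
    return findings


# --- constructed sample data -------------------------------------------------
CHECKOUT_URL = "https://cdn.example.test/checkout.js"
CHECKOUT_JS = b"window.checkout = function () { /* constructed */ };"
INLINE_JS = "document.getElementById('pay').disabled = false;"

AUTHORIZED_INVENTORY = {
    CHECKOUT_URL: sri_sha384(CHECKOUT_JS),
    "inline:0": sri_sha384(INLINE_JS.encode()),
}

# The live page as the monitor sees it: one extra script has appeared and the
# checkout script served by the CDN no longer matches its recorded digest.
SAMPLE_PAGE = f"""<html><body>
<script src="{CHECKOUT_URL}" integrity="{AUTHORIZED_INVENTORY[CHECKOUT_URL]}"></script>
<script>{INLINE_JS}</script>
<script src="https://cdn.example.test/extra.js"></script>
</body></html>"""
SAMPLE_FETCHED = {
    CHECKOUT_URL: CHECKOUT_JS + b"\n// appended content (constructed change)",
    "https://cdn.example.test/extra.js": b"/* not in inventory (constructed) */",
}

if __name__ == "__main__":
    for ident, code in audit_payment_page(SAMPLE_PAGE, AUTHORIZED_INVENTORY, SAMPLE_FETCHED):
        print(f"ALERT {code}: {ident}")
```

Run against the constructed page, the monitor reports the checkout script as changed and the extra script as both unauthorized and lacking an integrity attribute; a page whose scripts all match the inventory produces no findings. In production the same digests would also be placed in each external script tag's integrity attribute so the browser refuses a modified file even between monitoring runs.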
PCI DSS Compliance Checklist
Source: AI-summarized from the PCI DSS v4.0 requirement structure (estimate, not verified against the standard).
This checklist summarizes key action items from PCI DSS v4.0. It is not a substitute for a full QSA assessment. Your applicable requirements depend on your merchant level and card-on-file scope.
Define and document your Cardholder Data Environment (CDE) scope
Install and maintain network firewalls; prohibit direct internet-to-CDE traffic
Change all vendor-supplied default passwords and security parameters
Protect stored cardholder data — use tokenization or strong encryption (AES-256)
Never store sensitive authentication data (CVV, PIN, full track data) post-authorization
Enforce TLS 1.2+ for all cardholder data transmissions; disable TLS 1.0 and 1.1
Deploy anti-malware on all applicable systems; enable real-time scanning
Maintain a formal patch management program; apply critical patches within one month
Implement role-based access control (RBAC) and least-privilege access
Require MFA for all access to the CDE (remote and non-console administrative)
Implement unique user IDs; shared/generic IDs are prohibited
Restrict and monitor physical access to server rooms and paper records
Enable comprehensive audit logging; retain logs for at least 12 months (3 months online)
Conduct quarterly internal and external vulnerability scans (ASV-certified for external)
Perform annual penetration testing (network and application layer)
Implement an intrusion detection/prevention system (IDS/IPS)
Maintain a written information security policy; review annually
Conduct annual security awareness training for all personnel
Maintain a vendor management program; track all third-party service providers
Have a documented incident response plan; test annually
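The following Python, added here as an example (not PCI SSC or vendor code), shows what an audit-log review for Req 10 and the logging item in the checklist above can check mechanically: that each record carries the elements Req 10.2.2 lists (user identification, type of event, date and time, success or failure, origination, and the affected data or component), that host and collector clocks agree (time synchronization), and which retention tier a record falls into. The JSON field names, the 90-day and 365-day readings of "3 months online" and "12 months", the 60-second skew tolerance and the log lines themselves are this example's assumptions.

```python
"""Audit-log review for PCI DSS v4.0 Req 10 (example added for illustration).

Not PCI SSC code. Field names, day counts and skew tolerance are this
example's assumptions; the log lines are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Elements every audit record must carry (Req 10.2.2). The JSON keys on the
# left are this example's convention for the record layout.
REQUIRED_FIELDS = {
    "user": "user identification",
    "event": "type of event",
    "ts": "date and time",
    "result": "success or failure indication",
    "origin": "origination of event",
    "target": "identity of affected data, component or resource",
}
ONLINE_DAYS = 90                  # "3 months online" read as 90 days (assumption)
RETAIN_DAYS = 365                 # "at least 12 months" read as 365 days (assumption)
MAX_SKEW = timedelta(seconds=60)  # tolerated host-vs-collector clock drift (assumption)


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is treated as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def missing_elements(record: dict) -> list:
    """Names of the Req 10.2.2 elements that are absent or empty."""
    return [desc for key, desc in REQUIRED_FIELDS.items() if not record.get(key)]


def clock_skew(record: dict) -> timedelta:
    """Difference between the host's event time and the collector's receipt time."""
    return abs(parse_ts(record["ts"]) - parse_ts(record["received"]))


def retention_tier(record: dict, now: datetime) -> str:
    """online (<= 90 days), archive (<= 365 days) or purge-eligible (older)."""
    age = now - parse_ts(record["ts"])
    if age <= timedelta(days=ONLINE_DAYS):
        return "online"
    if age <= timedelta(days=RETAIN_DAYS):
        return "archive"
    return "purge-eligible"


def review_logs(lines: list, now: datetime) -> list:
    """One report entry per JSON log line: record id, retention tier, issues found."""
    report = []
    for line in lines:
        rec = json.loads(line)
        issues = []
        missing = missing_elements(rec)
        if missing:
            issues.append("missing: " + ", ".join(missing))
        if rec.get("ts") and rec.get("received") and clock_skew(rec) > MAX_SKEW:
            issues.append("clock skew %ds exceeds tolerance" % clock_skew(rec).total_seconds())
        tier = retention_tier(rec, now) if rec.get("ts") else "unknown"
        report.append({"id": rec.get("id"), "tier": tier, "issues": issues})
    return report


# --- constructed sample: one clean record, one with clock drift, one missing
# the user element, one past the 12-month retention window ---------------------
NOW = datetime(2026, 3, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '{"id": 1, "ts": "2026-03-14T09:15:00Z", "received": "2026-03-14T09:15:02Z", '
    '"user": "ops-jane", "event": "db.query", "result": "success", '
    '"origin": "10.10.5.21", "target": "cde-db01:cards.pan"}',
    '{"id": 2, "ts": "2026-03-14T09:20:00Z", "received": "2026-03-14T09:27:30Z", '
    '"user": "ops-jane", "event": "db.query", "result": "failure", '
    '"origin": "10.10.5.21", "target": "cde-db01:cards.pan"}',
    '{"id": 3, "ts": "2025-10-01T00:00:00Z", "received": "2025-10-01T00:00:01Z", '
    '"user": "", "event": "auth.login", "result": "success", '
    '"origin": "10.10.5.40", "target": "cde-jump01"}',
    '{"id": 4, "ts": "2025-01-10T00:00:00Z", "received": "2025-01-10T00:00:01Z", '
    '"user": "svc-batch", "event": "file.read", "result": "success", '
    '"origin": "10.10.7.3", "target": "cde-app02:/var/settle.csv"}',
]

if __name__ == "__main__":
    for entry in review_logs(SAMPLE_LOG, NOW):
        print(entry)
```

Record 2 shows why Req 10 pairs logging with time synchronization: a seven-minute gap between the host's clock and the collector's makes the event impossible to correlate with other systems during an investigation, so it is flagged even though every required element is present.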
Frequently Asked Questions
Do I need PCI DSS compliance if I use a payment processor like Stripe or Square?
Yes, but your scope is significantly reduced. If you use an iframe or redirect that prevents your systems from ever touching raw card data ("outsourced card environment"), you likely qualify for the simplest SAQ (A or A-EP). However, you are still responsible for your own systems' security and must complete an annual self-assessment. Consult your acquiring bank.
What is a SAQ and which one do I need?
A Self-Assessment Questionnaire (SAQ) is a validation tool for merchants who are not required to undergo a full QSA audit. There are 9 SAQ types (A, A-EP, B, B-IP, C, C-VT, D-Merchant, D-Service Provider, P2PE). The correct SAQ depends on how you accept card payments. Most e-commerce merchants using fully hosted payment pages qualify for SAQ A.
What is tokenization and does it reduce PCI scope?
Tokenization replaces actual card numbers (PANs) with a non-sensitive placeholder token. When properly implemented with a validated tokenization system, it can dramatically reduce your PCI scope because systems storing only tokens — not actual PANs — may fall outside CDE scope. Verify scope reduction with your QSA.
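To make concrete what Req 3, the two "protect stored cardholder data" checklist items and this answer describe, here is an added Python example (written for this page; not PCI SSC code and not a validated tokenization product). TokenVault stands in for the vault that would live inside the CDE: tokens come from a CSPRNG so nothing about the PAN can be derived from them, the PAN is retained only inside the vault, and scrub_for_storage drops every sensitive authentication data field before a record is written. The SAD field names, the keyed-HMAC lookup index, the sample record and the index key are this example's assumptions; the PAN is a well-known test number.

```python
"""Tokenization, PAN masking and SAD scrubbing (PCI DSS v4.0 Req 3).

Example code added for illustration; not PCI SSC code and not a validated
tokenization product. TokenVault stands in for the vault that lives inside
the CDE; the PAN, record and key below are constructed test data.
"""
import hashlib
import hmac
import re
import secrets

# Field names treated as sensitive authentication data (SAD); the names are
# this example's convention for the record layout, not a PCI-defined list.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "pin", "pin_block", "track1", "track2"}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test (catches typos; not a security control)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; reject anything that is not a 13-19 digit PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits) or not luhn_ok(digits):
        raise ValueError("not a well-formed PAN")
    return digits


def mask_pan(digits: str) -> str:
    """Display form showing only the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Minimal in-memory vault: random tokens, PAN kept only inside the vault.

    Tokens are drawn from a CSPRNG, so a token reveals nothing about the PAN.
    A keyed HMAC of the PAN serves as the lookup index so the same PAN always
    maps to the same token without keeping a plaintext or unkeyed hash of the
    PAN as a searchable key (design choice of this example).
    """

    def __init__(self, index_key: bytes):
        self._key = index_key
        self._index = {}   # hmac(PAN) -> token
        self._store = {}   # token -> PAN

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        idx = hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()
        if idx not in self._index:
            token = "tok_" + secrets.token_hex(12)
            self._index[idx] = token
            self._store[token] = digits
        return self._index[idx]

    def detokenize(self, token: str) -> str:
        """Only callers inside the CDE with a business need should reach this."""
        return self._store[token]


def scrub_for_storage(auth_record: dict, vault: TokenVault) -> dict:
    """Return the only form of an authorization record the merchant may keep.

    - Sensitive authentication data is dropped, never written anywhere.
    - The PAN is replaced by a vault token plus a masked display form.
    """
    digits = normalize_pan(auth_record["pan"])
    stored = {k: v for k, v in auth_record.items()
              if k.lower() not in SAD_FIELDS and k != "pan"}
    stored["token"] = vault.tokenize(digits)
    stored["pan_masked"] = mask_pan(digits)
    return stored


# Constructed authorization record as it might arrive from the payment flow.
SAMPLE_AUTH = {
    "pan": "4111 1111 1111 1111",            # well-known test PAN
    "expiry": "12/29",
    "cvv": "123",                            # SAD: must not be stored post-authorization
    "track2": "4111111111111111=2912101",    # SAD (constructed)
    "amount_cents": 1999,
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    print(scrub_for_storage(SAMPLE_AUTH, vault))
```

The stored record keeps the expiry, amount and authorization code, carries `tok_…` and `411111******1111` in place of the PAN, and contains no CVV or track data at all. Systems that only ever see that record hold no cardholder data, which is the scope reduction the answer above refers to; the vault itself, and anything that can call detokenize, stays firmly inside the CDE.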
What is the difference between PCI DSS 4.0 and 4.0.1?
PCI DSS 4.0.1 (released June 2024) consists only of editorial corrections, clarifications, and minor errata from the original v4.0. No new requirements were added, and no compliance timelines changed. If you are already compliant with v4.0, you are compliant with v4.0.1.
When do the new PCI DSS 4.0 'future-dated' requirements take effect?
The 64 new requirements that were marked as "best practice" during transition became mandatory on March 31, 2025. These include MFA for all CDE access, enhanced anti-phishing controls for e-commerce pages, targeted risk analysis, and new password length requirements.