PCI DSS

Payment Card Industry Data Security Standard v4.0.1

StandardInternational

PCI DSS is an industry standard — not a government regulation — that protects cardholder data wherever it is stored, processed, or transmitted. Founded by the five major card brands, it comprises 12 requirements across 6 goals. Version 4.0.1 (published June 2024) is the current standard, introducing 64 new requirements over v3.2.1 including a customised approach for compliance.

Requirements

Goals

Compliance Levels

v4.0.1

Current Version

Who Needs to Comply

Any Entity Handling Cardholder Data

Merchants of all sizes (4 compliance levels by transaction volume)
Payment processors and payment gateways
Service providers and acquiring banks
Software vendors handling cardholder data
Level 1: >6M transactions/year (QSA required)
Level 2: 1-6M transactions/year
Level 3: 20K-1M transactions/year
Level 4: <20K transactions/year

Data Types

Cardholder Data (PAN, name, expiration, service code) — may be stored if encrypted
Sensitive Authentication Data (track data, CVV, PIN) — NEVER stored after authorisation

Key Compliance Areas

Req 1-2

Secure Network & Systems

Goal 1: Install and maintain firewall configuration. Do not use vendor-supplied defaults for passwords and security parameters.

Req 3-4

Protect Cardholder Data

Goal 2: Protect stored cardholder data. Encrypt transmission of cardholder data across open, public networks.

Req 5-6

Vulnerability Management

Goal 3: Protect systems against malware. Develop and maintain secure systems and applications.

Req 7-9

Strong Access Control

Goal 4: Restrict access by need-to-know. Identify and authenticate access. Restrict physical access to cardholder data.

Req 10-11

Monitor & Test Networks

Goal 5: Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes.

Req 12

Information Security Policy

Goal 6: Maintain a policy that addresses information security for all personnel.

How Orizon Helps

Scope Assessment

Define your Cardholder Data Environment (CDE): all systems that store, process, or transmit cardholder data, plus connected systems. Determine your compliance level.

Gap Analysis

Assess current controls against all 12 PCI DSS v4.0.1 requirements. Identify gaps especially in the 64 new requirements added in v4.0.

Remediation

Implement required controls: network segmentation, encryption, access controls, logging, vulnerability management, and security policies.

SAQ or Assessment

Complete the appropriate Self-Assessment Questionnaire or engage a Qualified Security Assessor (QSA) for a formal Report on Compliance (RoC).

Attestation of Compliance

Submit your Attestation of Compliance (AoC) to your acquiring bank and card brands. Address any findings from the assessment.

Continuous Compliance

PCI DSS is a continuous process: quarterly network scans, annual penetration testing, ongoing monitoring, and staff security awareness training.

Official Sources

Assess Your Compliance

Expert guidance for your PCI DSS compliance journey.

Get Started