What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) v4.0.1 is the current version of the global standard for protecting payment card data. It is maintained by the PCI Security Standards Council, founded in 2006 by Visa, Mastercard, American Express, Discover, and JCB, and it applies to every entity that stores, processes, or transmits cardholder data (CHD) or sensitive authentication data (SAD), as well as to entities that can affect the security of that data.
For technology companies that handle payment data, PCI DSS compliance is not optional — it is a contractual requirement of your merchant agreement. Your acquiring bank validates compliance annually, and non-compliance at the time of a breach carries severe financial and operational consequences.
The 12 Requirements
PCI DSS organizes its 12 requirements into six goals. Every requirement must be met for compliance validation.
| Goal | Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and maintain network security controls (firewalls) 2. Apply secure configurations to all system components (no vendor defaults) |
| Protect Account Data | 3. Protect stored account data 4. Protect cardholder data with strong cryptography during transmission over open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems and networks from malicious software 6. Develop and maintain secure systems and software |
| Implement Strong Access Control Measures | 7. Restrict access by business need to know 8. Identify users and authenticate access (unique IDs) 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Log and monitor all access to system components and cardholder data 11. Test security of systems and networks regularly |
| Maintain an Information Security Policy | 12. Support information security with organizational policies and programs |
SAQ vs. ROC Validation
PCI DSS compliance is validated through either a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC). The appropriate validation type depends on your merchant level, transaction volume, and how you handle cardholder data.
| Aspect | SAQ | ROC |
|---|---|---|
| Performed By | Self-assessment by the merchant | On-site assessment by a Qualified Security Assessor (QSA) |
| Typical Applicability | Level 2–4 merchants (lower transaction volumes; thresholds are set per card brand) | Level 1 merchants (6M+ transactions/year) and Level 1 service providers; lower-level service providers typically use SAQ D |
| Scope | Varies by SAQ type (A, A-EP, B, B-IP, C, C-VT, D, P2PE) | Full 12-requirement assessment of the CDE |
| Output | Completed SAQ + Attestation of Compliance (AOC) | Report on Compliance (ROC) + Attestation of Compliance (AOC) |
v4.0.1 Key Changes
The significant changes arrived with PCI DSS v4.0 (March 2022); v4.0.1 (June 2024) is a limited revision that corrects and clarifies v4.0 without adding or removing requirements. The requirements that v4.0 marked as future-dated became mandatory on 31 March 2025, so under v4.0.1 they are simply in force. The changes that most affect how organizations approach compliance:
- Customized approach: organizations can meet a requirement with alternative controls that satisfy its stated objective rather than the prescribed method. Each customized control needs a documented controls matrix and a targeted risk analysis, and the option is only available to entities assessed by a QSA for a ROC, not to entities completing a SAQ.
- Targeted risk analysis: for requirements that let the entity choose how often a control is performed (Requirement 12.3.1), a requirement-specific, documented risk analysis replaces the single annual enterprise risk assessment of v3.2.1.
- Enhanced authentication: multi-factor authentication (MFA) is required for all non-console access into the CDE (Requirement 8.4.2), not only for remote access from outside the network (Requirement 8.4.3), and the MFA implementation itself must resist replay and cannot be bypassed.
- Security awareness: training content must cover current threats including phishing and social engineering, and the program must be reviewed at least once every 12 months.
Cardholder Data Environment (CDE) Scoping
Scope defines the systems, networks, and processes that are subject to PCI DSS requirements. Accurate scoping is the most important decision in the compliance process — too broad increases cost and complexity; too narrow risks a failed assessment.
Your CDE scope includes:
- CDE systems — any system that stores, processes, or transmits cardholder data
- Connected-to systems — systems that have network connectivity to the CDE, even if they never touch account data themselves (a jump host, a monitoring agent, a backup server)
- Security-impacting systems — systems that provide security services to the CDE or whose compromise could change its security posture (firewalls and other network security controls, IDS/IPS, authentication and directory servers, patch and configuration management)
- Network segments — any network segment not adequately segmented from the CDE
- Third-party service providers — vendors that store, process, or transmit cardholder data on your behalf
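Scoping in practice means proving where account data actually lives, not where the architecture diagram says it lives; PAN that has leaked into application logs, CRM notes, or support tickets pulls those systems into scope. The following is an added example of the kind of discovery-and-redaction helper a scoping team would run over text exports; it is not code from the page or from any PCI SSC tool. It finds 13–19 digit runs that pass the Luhn check, reports them masked to the first six and last four digits (within the display limit of Requirement 3.4.1), and can scrub a line in place. The log lines and system names are constructed; the card numbers are the well-known scheme test numbers, not real accounts.

```python
"""Hypothetical PAN discovery and redaction helper for CDE scoping.

Added example, not from the original page. Scans text (here, constructed
log lines) for candidate primary account numbers: runs of 13-19 digits,
optionally separated by single spaces or dashes, that pass the Luhn
(mod 10) check. Hits are reported masked as first-six + last-four, the
maximum PCI DSS 3.4.1 allows when a PAN is displayed.
"""
import re
from dataclasses import dataclass

# 13-19 digits, each optionally followed by one space or dash; the
# lookarounds stop the pattern from matching inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: a web tier that logs the raw card number at DEBUG
# level and a CRM note containing a PAN typed in by an agent.
SAMPLE_LOG = [
    "2024-05-02T10:14:03Z web-01 INFO checkout ok order=8843201 ts=1700000000000",
    "2024-05-02T10:14:05Z web-01 DEBUG gateway request card=4111 1111 1111 1111 exp=12/27",
    "2024-05-02T10:14:09Z crm-03 INFO note: customer called about charge on 378282246310005",
    "2024-05-02T10:15:11Z web-01 DEBUG retry card=4111111111111112",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits (3.4.1 display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _strip_separators(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


@dataclass(frozen=True)
class Finding:
    line_no: int
    masked_pan: str
    source: str     # hypothetical label for the system the text came from


def find_pans(lines, source="unknown"):
    """Return a Finding for every Luhn-valid candidate PAN in the lines.

    The Luhn filter removes most numeric noise (order IDs, epoch
    timestamps) but about one random number in ten still passes, so treat
    findings as leads to verify, not as confirmed account data.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = _strip_separators(match.group())
            if luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits), source))
    return findings


def redact(line: str) -> str:
    """Replace every Luhn-valid candidate PAN in a line with its masked form."""
    def _sub(match):
        digits = _strip_separators(match.group())
        return mask_pan(digits) if luhn_valid(digits) else match.group()
    return PAN_CANDIDATE.sub(_sub, line)


if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG, source="web-01/crm-03 export"):
        print(f"line {f.line_no}: {f.masked_pan} ({f.source})")
    for line in SAMPLE_LOG:
        print(redact(line))
```

Two outcomes matter for scoping. A hit on crm-03 means a system nobody listed in the CDE is storing PAN and is therefore in scope until the data is removed and the process that put it there is fixed. The epoch timestamp on line 1 and the mistyped number on line 4 are rejected by the Luhn check, which is why the filter is worth the extra few lines, but it is a triage aid: masking for display under 3.4.1 is not the same as rendering stored PAN unreadable under 3.5.1, so redacting logs reduces exposure without, on its own, taking the logging system out of scope.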
Readiness Assessment Checklist
Before engaging a QSA or completing your SAQ, evaluate where your organization stands against these readiness questions:
- Is the cardholder data environment (CDE) clearly defined with documented data flows?
- Is network segmentation validated and tested to isolate the CDE from out-of-scope systems?
- Is PAN rendered unreadable wherever it is stored (strong cryptography, truncation, tokenization, or keyed cryptographic hashing), is SAD never retained after authorization, and is cardholder data protected with strong cryptography whenever it crosses open, public networks?
- Are access controls in place with MFA for all non-console access into the CDE and for all remote access from outside the network?
- Is a vulnerability management program operational, with quarterly external scans by an Approved Scanning Vendor (ASV), quarterly internal scans, rescans after significant changes, and evidence that findings are remediated?
- Is there an information security policy covering all 12 requirements?
If you can’t confidently answer “yes” to most of these, a readiness sprint will get you there.
Next step: See our readiness process to understand how we help technology companies prepare for PCI DSS v4.0.1 compliance.