Payment Card Industry Data Security Standard
15 articles available
PCI DSS 4.0 has 12 core requirements organized under 6 goals: build secure networks, protect account data, manage vulnerabilities, control access, monitor and test networks, and maintain security policies. Together they contain approximately 400 individual test procedures.
PCI DSS 4.0 introduces 64 new requirements, including the customized approach to validation, MFA for all access into the CDE rather than only administrative access, a 12-character password minimum (8 where the system cannot support 12), payment page script inventory, authorization and tamper detection (6.4.3 and 11.6.1), and targeted risk analyses that let an entity set the frequency of certain controls. PCI DSS 3.2.1 was retired on March 31, 2024, making 4.x the only active version; 13 of the new requirements applied from that date and the remaining 51 were future-dated until March 31, 2025. The limited revision 4.0.1 (June 2024) corrects and clarifies 4.0 without adding requirements.
Merchant compliance levels are set by each card brand, not by the standard itself; the commonly cited Visa thresholds are Level 1 (over 6 million transactions per year), Level 2 (1 to 6 million), Level 3 (20,000 to 1 million e-commerce transactions), and Level 4 (under 20,000 e-commerce transactions, or up to 1 million total). Level 1 is the most demanding: it requires an annual on-site assessment by a QSA (or a qualified ISA where the acquirer permits) resulting in a Report on Compliance, while lower levels generally validate with a Self-Assessment Questionnaire. Service providers have a separate two-level scheme.
The PCI DSS SAQ is the self-validation tool for merchants whose acquirer does not require a QSA assessment (typically Levels 2-4). Which SAQ applies depends on how card payments are accepted: A, A-EP, B, B-IP, C, C-VT, D for merchants, D for service providers, P2PE, and SPoC for merchants using a listed SPoC solution. SAQ A (fully outsourced payment pages) is the shortest and SAQ D the most comprehensive; the often-quoted counts of 22 questions for SAQ A and 329 for SAQ D come from the v3.2.1 SAQs, and the v4.x SAQs contain different numbers, so take the count from the SAQ version you are actually completing.
The audit process for a Report on Compliance involves scoping the cardholder data environment (and confirming that scope at least annually, which 4.0 requires explicitly in 12.5.2), engaging a QSA (or a qualified ISA where the acquirer and card brand permit) for the assessment, remediating gaps, and receiving the signed Report on Compliance (ROC) together with the Attestation of Compliance (AOC). Published estimates put a typical Level 1 assessment at 3-6 months and $100,000-$350,000, driven mostly by the size of the in-scope environment.
E-commerce merchants must comply with PCI DSS if they accept online card payments. Most can stay on SAQ A by fully outsourcing the payment page, either through a redirect to the processor or through processor-hosted iframes (Stripe documents its Checkout and Elements integrations as SAQ A eligible for this reason). SAQ A-EP applies when the merchant's own page collects the card data, for example a direct-post integration or JavaScript that tokenizes fields rendered by the merchant. The question counts often quoted (22 for SAQ A, 191 for A-EP) are from v3.2.1; the v4.x SAQs differ, and 4.0 adds payment page script requirements (6.4.3 inventory and authorization, 11.6.1 change and tamper detection), so merchants relying on hosted iframes should confirm with their processor and acquirer which SAQ and which of those requirements apply to them. Key concerns include securing checkout pages, managing third-party scripts, and protecting against Magecart-style skimming attacks.
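To make the script-management requirement concrete, here is an added example (not from this page, the articles it indexes, or any processor's SDK) of the inventory check a merchant might run against a payment page: every `<script>` must appear in an authorized inventory with a justification, external scripts must carry the pinned SRI hash, and inline scripts are matched by content hash. The hostnames, script bodies and the skimmed page are constructed test fixtures, and the inventory format is this example's own assumption.

```python
"""Payment page script inventory check (PCI DSS 4.0 requirements 6.4.3 / 11.6.1).

Added example, standard library only. Hostnames under .test, the script bodies
and the sample pages are constructed fixtures, not real assets.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


# Constructed stand-ins for the two scripts the merchant reviewed and approved.
AUTHORIZED_PSP_JS = b"/* elements.js (constructed stand-in for the PSP library) */"
AUTHORIZED_INLINE = b'window.checkoutConfig = {currency: "USD"};'

# The 6.4.3 inventory: every script on the payment page, why it is there, and
# the hash that pins its content. Keys: ("external", src) or ("inline", hash).
INVENTORY = {
    ("external", "https://js.example-psp.test/v3/elements.js"): {
        "justification": "PSP-hosted card fields (iframe)",
        "integrity": sri_hash(AUTHORIZED_PSP_JS),
    },
    ("inline", sri_hash(AUTHORIZED_INLINE)): {
        "justification": "checkout configuration",
    },
}


class ScriptCollector(HTMLParser):
    """Collects every <script> element with its attributes and inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"attrs": dict(attrs), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def check_payment_page(html: str, inventory: dict) -> list:
    """Return one finding per script that is not in the inventory or whose pinned
    content does not match. An empty list means the page matches the authorized
    baseline, i.e. no unauthorized change in the 11.6.1 sense."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for script in parser.scripts:
        attrs, src = script["attrs"], script["attrs"].get("src")
        if src:
            entry = inventory.get(("external", src))
            if entry is None:
                findings.append(f"UNAUTHORIZED external script: {src}")
            elif attrs.get("integrity") is None:
                findings.append(f"MISSING integrity attribute: {src}")
            elif attrs["integrity"] != entry["integrity"]:
                findings.append(f"INTEGRITY MISMATCH (content changed): {src}")
        else:
            digest = sri_hash(script["body"].strip().encode())
            if ("inline", digest) not in inventory:
                findings.append(f"UNAUTHORIZED inline script: {script['body'].strip()[:50]}")
    return findings


# Constructed checkout pages. CLEAN_PAGE is the authorized baseline; SKIMMED_PAGE is
# the same page after a Magecart-style injection of a loader from an attacker host
# and an inline hook on the card form.
CLEAN_PAGE = """<html><head>
<script src="https://js.example-psp.test/v3/elements.js"
        integrity="__SRI__" crossorigin="anonymous"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</head><body><form id="checkout"></form></body></html>
""".replace("__SRI__", sri_hash(AUTHORIZED_PSP_JS))

SKIMMED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://cdn.attacker.test/analytics.js"></script>\n'
    "<script>document.forms[0].addEventListener('submit', exfil);</script>\n"
    "</head>",
)

if __name__ == "__main__":
    print("clean page:", check_payment_page(CLEAN_PAGE, INVENTORY) or "no findings")
    for finding in check_payment_page(SKIMMED_PAGE, INVENTORY):
        print("skimmed page:", finding)
```

Run on a schedule against the live checkout URL (the fetch is left out here so the example runs offline), this is the kind of evidence a QSA expects for 11.6.1: the inventory is the authorized state, and any finding is a change that must be investigated. A `Content-Security-Policy` header with `script-src` limited to the inventoried origins plus `require-sri-for`-style pinning complements the check by blocking, rather than merely detecting, scripts outside the inventory.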
SaaS companies need PCI DSS compliance if they store, process, or transmit cardholder data, or can affect the security of that data, whether for their own billing or on behalf of customers. Most can minimize scope by using Stripe or a similar processor for billing and ensuring the platform never directly handles card data: card fields are rendered by the processor's hosted page or iframe, and only tokens reach the SaaS backend. A SaaS platform that does handle card data on behalf of its customers is a service provider under PCI DSS and is assessed as one, which its customers will ask to see in an Attestation of Compliance.
PCI DSS scope reduction means minimizing the systems, processes, and people that store, process, or transmit cardholder data or can affect its security. Key strategies include tokenization (systems that hold only a surrogate token, with the vault elsewhere, drop out of scope), validated P2PE (card data is encrypted inside the terminal and the merchant never holds the decryption key), network segmentation, and outsourcing payment processing to a compliant provider. Effective scope reduction is commonly estimated to cut compliance costs by 60-70%, but the reduced scope must be documented and confirmed at least annually, since an assessor will test whether the out-of-scope systems really cannot reach or influence the CDE.
Network segmentation isolates the cardholder data environment (CDE) from the rest of the network so that only the CDE, systems connected to it, and systems that can affect its security remain in PCI DSS scope. Segmentation is not mandatory, but when it is used to reduce scope it must be effective and must be verified by penetration testing of the segmentation controls: at least annually and after any change to them for merchants (11.4.5), and at least every six months for service providers (11.4.6). Firewalls, VLANs with strict ACLs, and micro-segmentation can reduce in-scope systems by 50-80% provided the boundary is actually enforced; a separate VLAN with no filtering between it and the rest of the network is not segmentation.
PCI DSS requires protection of cardholder data at rest (Requirement 3) and in transit over open, public networks (Requirement 4). Stored PAN must be rendered unreadable anywhere it is stored, by one of: one-way keyed hashing of the entire PAN (3.5.1.1, mandatory from March 31, 2025), truncation, index tokens, or strong cryptography with key management; where hashed and truncated copies of the same PAN both exist, controls must prevent correlating them to rebuild the PAN. In transit, strong cryptography is required and SSL and early TLS are prohibited, so TLS 1.2 or later is the practical baseline. PCI DSS 4.0 no longer accepts disk- or partition-level encryption as the sole protection for PAN on non-removable media (3.5.1.2); a second mechanism such as application- or column-level encryption must also apply.
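The following added example (constructed for this page, not code from the indexed articles) shows why 4.0 tightened the hashing rule. It implements masking, truncation and a keyed hash for a 16-digit PAN, then demonstrates that a plain SHA-256 of a PAN stored next to a truncated copy of the same PAN is reversible with at most 100,000 guesses, because only six digits are unknown and the Luhn check fixes one of them. The test PAN is the standard 4111... test number and the HMAC key is generated at run time; both are assumptions of the example, and in production the key comes from an HSM or KMS and is never stored beside the data.

```python
"""Stored-PAN protection helpers and a demonstration of why an unkeyed hash of a
PAN is not 'unreadable' once a truncated copy of the same PAN exists.

Added example; the PAN is a published test number and the key is a run-time value.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Luhn doubling table: 2*d with the digits summed (0..9 -> 0,2,4,6,8,1,3,5,7,9).
DOUBLE = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_checksum(pan: str) -> int:
    """Luhn sum mod 10; a valid PAN gives 0."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        total += DOUBLE[d] if i % 2 == 1 else d
    return total % 10


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_checksum(pan) == 0


def mask_pan(pan: str) -> str:
    """Display form under 3.4.1: at most the BIN and last four digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation under 3.5.1: the middle digits are permanently removed."""
    return pan[:6] + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """SHA-256 of the PAN. Not acceptable under 4.0: 3.5.1.1 requires a keyed hash."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the entire PAN with a secret key, as 3.5.1.1 requires.
    The key is a cryptographic key and falls under the 3.6/3.7 key-management rules."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_truncation(truncated: str, target: str) -> Optional[str]:
    """Given the truncated copy (first 6 + last 4) and the unkeyed hash of the same
    16-digit PAN, rebuild the PAN. Six digits are unknown; the Luhn check fixes one
    of them, so at most 100,000 hashes are computed."""
    bin6, last4 = truncated[:6], truncated[-4:]
    for n in range(10 ** 5):
        prefix = f"{bin6}{n:05d}"
        # The remaining digit sits at from-right index 4 (not doubled), so the Luhn
        # checksum of the other 15 digits determines it directly.
        digit = (-luhn_checksum(prefix + "0" + last4)) % 10
        candidate = prefix + str(digit) + last4
        if unkeyed_hash(candidate) == target:
            return candidate
    return None


# Constructed test PAN (the widely published Visa test number), never a real card.
TEST_PAN = "4111111111111111"

if __name__ == "__main__":
    assert luhn_valid(TEST_PAN)
    print("display  :", mask_pan(TEST_PAN))
    print("truncated:", truncate_pan(TEST_PAN))
    recovered = recover_from_truncation(truncate_pan(TEST_PAN), unkeyed_hash(TEST_PAN))
    print("unkeyed hash + truncation -> recovered PAN:", recovered)
    key = secrets.token_bytes(32)  # assumption: in production this comes from an HSM/KMS
    print("keyed hash, safe beside the truncated PAN:", keyed_hash(TEST_PAN, key)[:16], "...")
```

The same enumeration cannot be run against the keyed hash without the key, which is the whole point of 3.5.1.1: the strength of an unkeyed hash is irrelevant when the input space is a few hundred thousand Luhn-valid candidates. Note that the masked display form leaks exactly the same ten digits as the truncated copy, so a hash that is reversible from truncation is equally reversible from a screen capture of a masked PAN.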