We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / PCI DSS
PCI SSC · Global

PCI DSS

The security standard for organisations that handle payment card data.

Introduction

The Payment Card Industry Data Security Standard (PCI DSS) is the globally recognised baseline for protecting cardholder data (CHD) and sensitive authentication data (SAD) throughout their lifecycle of storage, processing and transmission. Maintained by the PCI Security Standards Council (PCI SSC) - a body founded by American Express, Discover, JCB International, Mastercard and Visa Inc. - the standard applies to any merchant, service provider or other entity that stores, processes or transmits account data, regardless of size, industry or geography. This deep-dive is written for security leaders, compliance managers, internal auditors and technical teams preparing for a formal PCI DSS assessment against the current version of the standard, PCI DSS v4.0.1 (the maintenance release that superseded v4.0 and retired v3.2.1 on 31 March 2024).

Unlike a legal regulation, PCI DSS is a contractual obligation enforced by the individual payment card brands and by acquiring banks. Non-compliance can result in monthly fines, increased transaction fees, mandatory forensic investigation after a breach, and in severe cases the withdrawal of the ability to accept card payments. The standard is prescriptive and technical, but v4.0 introduced a more outcome-focused philosophy through the Customised Approach, alongside the traditional Defined Approach. This guide walks through every requirement family, the assessment evidence auditors expect, scoping discipline, and a phased implementation roadmap.

Copyright and source note
PCI DSS, the PCI DSS Requirements and Security Assessment Procedures, the Self-Assessment Questionnaires (SAQs), the Report on Compliance (ROC) template and the Attestation of Compliance (AOC) are copyrighted works of the PCI Security Standards Council LLC. This guide is original explanatory commentary authored by CyberSigma and does not reproduce the copyrighted text of the standard. Always obtain the official documents from the PCI SSC Document Library and treat the published standard as the single authoritative source for any formal assessment.

What is PCI DSS

PCI DSS is a set of security requirements designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. The scope of protection centres on two data categories. Cardholder Data (CHD) comprises the Primary Account Number (PAN), cardholder name, expiration date and service code. Sensitive Authentication Data (SAD) comprises the full track data (magnetic-stripe data or its equivalent on a chip), the card verification code/value (CAV2/CVC2/CVV2/CID) and PINs/PIN blocks. The cardinal rule is that SAD must never be stored after authorisation, even in encrypted form, while CHD may be stored only when there is a legitimate business need and only under strong protection such as strong cryptography with associated key-management processes.

The standard is organised into 12 principal requirements grouped under six control objectives, expanded into several hundred detailed sub-requirements and testing procedures. PCI DSS v4.0 added roughly 60 new requirements. Many were designated 'best practice' until 31 March 2025, after which they became mandatory - meaning any assessment with a report date on or after 1 April 2025 must treat those future-dated requirements as in force. Key v4.0 themes include: continued flexibility through the Customised Approach; increased emphasis on continuous security rather than point-in-time compliance; expanded multi-factor authentication (MFA); stronger anti-phishing and e-commerce skimming controls (notably the new script and header-integrity requirements 6.4.3 and 11.6.1); and clearer definitions of roles and responsibilities via 'Roles and Responsibilities' sub-requirements attached to each of the 12 requirements.

Validation instruments

  • Report on Compliance (ROC): a full assessment performed by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA); mandatory for Level 1 merchants and most large service providers.
  • Self-Assessment Questionnaire (SAQ): a self-validation tool for eligible smaller merchants; variants include SAQ A, A-EP, B, B-IP, C, C-VT, P2PE, D-Merchant and D-Service Provider, each scoped to a specific payment channel and technology.
  • Attestation of Compliance (AOC): the signed declaration of compliance status, submitted to the acquirer or payment brand alongside the ROC or SAQ.
  • Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) where applicable under Requirement 11.3.2.

Who must comply

PCI DSS applies to all entities involved in payment card processing - merchants, processors, acquirers, issuers and service providers - as well as any other entity that stores, processes or transmits cardholder data or sensitive authentication data, or that could affect the security of the cardholder data environment (CDE). The rigour of validation is determined by transaction volume, which places each entity into a merchant or service-provider level defined by the individual card brands (levels below reflect Visa/Mastercard conventions; thresholds can differ by brand and by forensic history).

Entity type / levelTypical criteriaValidation requirement
Merchant Level 1Over 6 million card transactions annually (any channel), or any merchant that has suffered a breach, or one designated Level 1 by a card brandAnnual on-site assessment (ROC) by QSA or ISA, quarterly ASV scans, penetration testing
Merchant Level 21 million to 6 million transactions annuallyAnnual SAQ (or ROC at brand/acquirer discretion), quarterly ASV scans
Merchant Level 320,000 to 1 million e-commerce transactions annuallyAnnual SAQ, quarterly ASV scans
Merchant Level 4Fewer than 20,000 e-commerce transactions, or up to 1 million transactions across all channelsAnnual SAQ (at acquirer discretion), quarterly ASV scans as required
Service Provider Level 1More than 300,000 transactions annually, or storing/processing/transmitting large volumes on behalf of othersAnnual on-site ROC by QSA, quarterly ASV scans, penetration testing
Service Provider Level 2Fewer than 300,000 transactions annuallyAnnual SAQ D for Service Providers, quarterly ASV scans
  • Payment gateways, processors and payment facilitators (PayFacs) that touch account data.
  • SaaS and cloud providers whose services could affect the security of a client CDE (for example hosting, managed firewalls, tokenisation or fraud-scoring platforms).
  • Call centres, BPOs and back-office operations that capture PANs over the telephone or via correspondence.
  • E-commerce businesses using redirect, iframe or direct-post integrations - each carries a different SAQ eligibility and script-integrity obligation.
  • Any organisation that has outsourced payment handling but retains responsibility for vendor oversight and for the portions of PCI DSS it still influences.

Structure of PCI DSS

PCI DSS is structured as six control objectives (goals) that decompose into 12 core requirements. Each core requirement contains sub-requirements, defined testing procedures, guidance and - in v4.0 - customised-approach objectives and applicability notes. The table below maps the goals to their requirements.

Control objective (goal)Requirement no.Requirement title
Build and Maintain a Secure Network and Systems1Install and Maintain Network Security Controls
Build and Maintain a Secure Network and Systems2Apply Secure Configurations to All System Components
Protect Account Data3Protect Stored Account Data
Protect Account Data4Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Maintain a Vulnerability Management Programme5Protect All Systems and Networks from Malicious Software
Maintain a Vulnerability Management Programme6Develop and Maintain Secure Systems and Software
Implement Strong Access Control Measures7Restrict Access to System Components and Cardholder Data by Business Need to Know
Implement Strong Access Control Measures8Identify Users and Authenticate Access to System Components
Implement Strong Access Control Measures9Restrict Physical Access to Cardholder Data
Regularly Monitor and Test Networks10Log and Monitor All Access to System Components and Cardholder Data
Regularly Monitor and Test Networks11Test Security of Systems and Networks Regularly
Maintain an Information Security Policy12Support Information Security with Organisational Policies and Programmes

Two additional structural constructs are essential. Appendix A extends the standard for specific scenarios: A1 (multi-tenant service providers), A2 (SSL/early TLS for POS POI terminals) and A3 (the Designated Entities Supplemental Validation, DESV, applied to entities directed by a payment brand or acquirer). The Customised Approach allows an entity to meet the stated Customised Approach Objective of a requirement using controls of its own design, provided it documents a targeted risk analysis and the QSA validates that the objective is met.

Master assessment checklist

This is the core of the guide. Each of the 12 requirements is enumerated below with the principal sub-requirement themes, what an assessor must verify, and the typical evidence expected. Use these tables as the backbone of a readiness or gap assessment; every control area is covered so that nothing is skipped. Evidence should always be current, dated, and traceable to a named owner.

Requirement 1 - Install and Maintain Network Security Controls

What to verifyTypical evidence
Network Security Controls (NSCs - firewalls, virtual and cloud equivalents) are defined, configured and maintained (1.2)NSC configuration standards, change-control records, review of ruleset documentation
Ruleset restricts inbound/outbound traffic to only that which is necessary; deny-all default in place (1.2.1, 1.4)Firewall/NSC rulesets, port/service justification matrix, network diagrams
Network segmentation isolates the CDE from untrusted networks and from the rest of the corporate network (1.3, 1.4)Current network diagram, data-flow diagram, segmentation configuration
NSC rulesets are reviewed at least every six months (1.2.7)Signed six-monthly ruleset review records with dates and reviewer names
No direct connections between the internet and the CDE; DMZ used for public-facing components (1.4.4, 1.4.5)Architecture diagrams, DMZ configuration, egress/ingress controls
Anti-spoofing and private IP disclosure prevention in place (1.4.3, 1.4.5)NAT configuration, anti-spoofing rules, external scan evidence
Security controls on any computing device that connects to both untrusted networks and the CDE (1.5.1)Endpoint/host firewall configuration, mobile device policy, BYOD controls

Requirement 2 - Apply Secure Configurations to All System Components

What to verifyTypical evidence
Vendor default accounts and passwords are changed or disabled before install (2.2.2)Hardening standards, sampled system configs, account inventory
System hardening/configuration standards exist for all component types and align to industry benchmarks (2.2.1)Documented build standards (e.g. CIS-based), gold-image definitions
Only necessary services, protocols, daemons and functions are enabled; insecure ones justified and secured (2.2.4, 2.2.5)Running-services listing, risk analysis for insecure services
System security parameters configured to prevent misuse (2.2.6)Configuration baselines, sampled parameter settings
All non-console administrative access is encrypted with strong cryptography (2.2.7)SSH/TLS configuration, disabled Telnet/HTTP admin evidence
Wireless vendor defaults (encryption keys, SNMP community strings, passwords) changed; strong wireless encryption used (2.3.1, 2.3.2)Wireless configuration, key-rotation records, WPA2/WPA3 evidence

Requirement 3 - Protect Stored Account Data

What to verifyTypical evidence
Account data storage is minimised via retention and disposal policy; data purged when no longer needed (3.2.1)Data-retention policy, quarterly secure-deletion records, discovery scan output
Sensitive Authentication Data (SAD) is not stored after authorisation, even if encrypted (3.3.1)SAD-search results, application/data-store review, forensic sampling
Full track data, card verification codes and PIN blocks are not retained (3.3.1.1-3.3.1.3)Database/log inspection, code review, storage scans
PAN is masked when displayed; maximum first six/last four shown only to those with need (3.4.1)Screenshots of masked displays, role-based display configuration
PAN is rendered unreadable wherever stored (one-way hash with salt, truncation, tokens, or strong cryptography) (3.5.1)Encryption/tokenisation architecture, hashing configuration, sampled stored values
Cryptographic keys are protected against disclosure and misuse; key-management procedures are documented (3.6, 3.7)Key-management policy, key-custodian acknowledgements, KMS/HSM records
Key rotation, retirement, split knowledge and dual control for manual clear-text key operations (3.7.4-3.7.9)Key-rotation logs, dual-control procedures, key-custodian forms

Requirement 4 - Protect CHD with Strong Cryptography During Transmission

What to verifyTypical evidence
Strong cryptography and secure protocols protect PAN during transmission over open, public networks (4.2.1)TLS configuration, protocol/cipher inventory, external scan evidence
Certificates used are valid, trusted and not expired or revoked (4.2.1.1)Certificate inventory with expiry dates, CA trust configuration
Only trusted keys and certificates are accepted; insecure versions/ciphers disabled (4.2.1)Cipher-suite configuration, disabled early-TLS/SSL evidence
PAN is never sent via end-user messaging technologies (email, SMS, chat) unless protected by strong cryptography (4.2.2)Messaging/DLP policy, DLP alerts, awareness records
Inventory of trusted keys and certificates used to protect PAN in transit is maintained (4.2.1.1)Certificate/key inventory, ownership register

Requirement 5 - Protect All Systems and Networks from Malicious Software

What to verifyTypical evidence
Anti-malware solution deployed on all applicable system components; coverage evaluated periodically (5.2.1, 5.2.3)Anti-malware deployment console, coverage report, targeted risk analysis for non-covered systems
Anti-malware mechanisms are kept current, perform periodic scans and active/real-time scanning (5.3.1, 5.3.2)Definition-update logs, scan schedules and results
Anti-malware cannot be disabled or altered by users unless authorised for a limited time (5.3.5)Endpoint policy configuration, exception approval records
Anti-phishing mechanisms protect against phishing attacks (5.4.1)Email-gateway configuration, phishing-simulation results, DMARC/SPF/DKIM
Removable electronic media is scanned for malware when in use (5.3.3)USB/media scanning policy and logs

Requirement 6 - Develop and Maintain Secure Systems and Software

What to verifyTypical evidence
Security vulnerabilities are identified and risk-ranked using reputable sources (6.3.1)Vulnerability-intelligence subscriptions, risk-ranking methodology
Security patches are installed; critical/high patches within one month (6.3.3)Patch-management reports, SLA tracking, sampled patch levels
Bespoke and custom software is developed securely following a secure SDLC (6.2.1-6.2.4)SDLC policy, secure-coding standards, training records
Code reviews and application security testing address common vulnerabilities (e.g. injection, XSS) (6.2.3, 6.2.4)Code-review records, SAST/DAST reports, remediation tracking
Public-facing web applications protected by review or a WAF, and via automated technical solution (6.4.1, 6.4.2)WAF configuration and logs, app-scan reports
Payment-page scripts are managed, authorised and their integrity assured against skimming (6.4.3)Script inventory, integrity-check/CSP configuration, authorisation records
Change-control processes separate development/test/production and require documented approvals (6.5.1-6.5.6)Change tickets, environment separation evidence, back-out plans

Requirement 7 - Restrict Access by Business Need to Know

What to verifyTypical evidence
Access to system components and account data is limited to least privilege / need to know (7.2.1, 7.2.2)Role-to-privilege matrix, access-request records, sampled entitlements
An access-control model is defined, covering roles, privileges and objects (7.2.1)RBAC/ABAC documentation, role definitions
Access is assigned based on job classification and function; default deny-all (7.2.2, 7.3.3)Access-control system configuration, provisioning workflow
Privileges for all user IDs and system/application accounts are reviewed at least every six months (7.2.4)Signed six-monthly access-review records
Access-control systems enforce restrictions and default to deny (7.3.1-7.3.3)Access-control tool configuration, deny-by-default settings

Requirement 8 - Identify Users and Authenticate Access

What to verifyTypical evidence
Every user is assigned a unique ID; shared/generic accounts are managed and justified (8.2.1, 8.2.2)User inventory, shared-account exception register
User lifecycle: additions, changes and terminations are managed; inactive accounts removed/disabled within 90 days (8.2.4-8.2.6)Joiner-mover-leaver records, dormant-account report
Strong authentication: passwords at least 12 characters (or 8 with documented constraints), complexity and history enforced (8.3.1-8.3.9)Password-policy configuration, sampled account settings
Multi-factor authentication for all access into the CDE and for all remote/administrative access (8.4.1-8.5.1)MFA configuration, authentication logs, coverage report
MFA is resistant to replay and cannot be bypassed (8.5.1)MFA solution design, anti-replay configuration
Application and system accounts and their credentials are managed and protected; interactive use restricted (8.6.1-8.6.3)Service-account inventory, secrets-vault configuration, rotation records

Requirement 9 - Restrict Physical Access to Cardholder Data

What to verifyTypical evidence
Physical access controls restrict entry to facilities and systems in the CDE (9.2.1)Badge-system logs, access-control diagrams, site walkthrough notes
Visitors are identified, authorised, escorted and logged; access revoked on departure (9.3.1-9.3.4)Visitor logs, badge policy, escort procedures
Media containing account data is physically secured, inventoried and controlled during transport (9.4.1-9.4.5)Media inventory, chain-of-custody forms, secure-transport records
Media is destroyed when no longer needed (cross-cut shredding, incineration, secure wipe) (9.4.6, 9.4.7)Destruction certificates, shredding logs
Point-of-interaction (POI) devices are protected from tampering and substitution; inspected periodically (9.5.1)POI device inventory with serials, inspection logs, training records

Requirement 10 - Log and Monitor All Access

What to verifyTypical evidence
Audit logs are enabled and capture all access to system components and cardholder data (10.2.1)Logging configuration, sample log extracts, log-source inventory
Logs record required events: user access, privileged actions, invalid attempts, changes to accounts, audit-log changes (10.2.1.1-10.2.1.7)Log records showing user ID, event type, date/time, success/failure, origin, affected resource
Logs are protected from alteration and centrally collected (10.3.1-10.3.4)SIEM/central-log configuration, file-integrity monitoring, access restrictions on logs
Time synchronisation using authoritative time sources is in place (10.6.1-10.6.3)NTP configuration, time-source records
Logs are reviewed daily for critical systems (via automated mechanisms) and anomalies are actioned (10.4.1-10.4.3)SIEM alerting rules, review records, incident tickets
Audit-log history retained at least 12 months, with at least 3 months immediately available (10.5.1)Retention configuration, archive evidence
Failures of critical security-control systems are detected, alerted and responded to promptly (10.7.1-10.7.3)Health-monitoring configuration, failure-response records

Requirement 11 - Test Security of Systems and Networks Regularly

What to verifyTypical evidence
Wireless access points are identified and unauthorised ones detected quarterly (11.2.1, 11.2.2)Wireless-scan reports, authorised-AP inventory
Internal and external vulnerability scans are run at least quarterly and after significant change; issues resolved and rescanned (11.3.1, 11.3.2)Internal scan reports, ASV passing scans, remediation evidence
External ASV scans are performed by an Approved Scanning Vendor and pass (11.3.2)ASV attestation and scan reports
Penetration testing (external and internal) is performed at least annually and after significant changes; segmentation testing validates isolation (11.4.1-11.4.6)Pen-test methodology, reports, remediation and retest evidence, segmentation-test results
Intrusion-detection/prevention techniques monitor traffic at the CDE perimeter and critical points (11.5.1)IDS/IPS configuration, alert records
Change- and tamper-detection on payment pages alerts to unauthorised modification of HTTP headers and script content (11.6.1)Client-side integrity-monitoring configuration and alert logs
File-integrity monitoring detects unauthorised changes to critical files (11.5.2)FIM tool configuration, alert and review records

Requirement 12 - Support Information Security with Organisational Policies and Programmes

What to verifyTypical evidence
A comprehensive information-security policy is established, published, maintained and reviewed at least annually (12.1.1-12.1.4)Signed security policy, annual review record, distribution evidence
A targeted risk analysis process supports flexible/PCI-defined frequencies and the customised approach (12.3.1-12.3.4)Targeted risk-analysis documents, technology-review records
Roles and responsibilities for PCI DSS are formally assigned and understood (12.1.3, 12.5.1)Roles matrix, acknowledgements, scope documentation
PCI DSS scope is documented and confirmed at least annually and on significant change (12.5.2, 12.5.3)Scoping documentation, annual scope-confirmation record, data-flow diagrams
Security-awareness training is provided at hire and at least annually, covering current threats (12.6.1-12.6.3)Training content, completion records, phishing-awareness material
Personnel screening is performed prior to hire where permitted (12.7.1)Background-check policy and records
Third-party service provider (TPSP) relationships are managed: due diligence, written agreements, responsibility matrix and monitoring (12.8.1-12.8.5)TPSP inventory, contracts with PCI responsibility clauses, AOCs, responsibility matrix
An incident-response plan exists, is tested annually and covers detection, containment and reporting (12.10.1-12.10.7)IR plan, test records, on-call roster, breach-notification procedures
Additional requirements for TPSPs and for entities under DESV (Appendix A1, A3) are met where applicableMulti-tenant separation evidence, DESV validation records

Scoping

Scoping is the single most consequential activity in a PCI DSS programme: it defines which systems, people and processes fall under the standard and therefore the size, cost and risk of the assessment. The Cardholder Data Environment (CDE) comprises the people, processes and technologies that store, process or transmit CHD or SAD. PCI DSS scope, however, is broader than the CDE - it also includes any 'connected-to' or 'security-impacting' systems that can affect the security of the CDE, even if they never touch account data themselves (for example, an authentication server, a jump host, a patch-distribution server, or a hypervisor hosting CDE workloads).

  • CDE systems: any system that stores, processes or transmits CHD/SAD, and any system on the same network segment.
  • Connected-to / security-impacting systems: systems that can connect to or influence the security of the CDE (e.g. NTP, DNS, AD, SIEM, admin workstations, backup servers).
  • Out-of-scope systems: only truly isolated systems with adequate network segmentation and no ability to affect CDE security - and the isolation must be validated by penetration testing.
  • Segmentation is not mandatory but is strongly recommended to reduce scope; if used, its effectiveness must be tested at least annually (every six months for service providers).
  • Scope reduction techniques: tokenisation, point-to-point encryption (P2PE), outsourcing to compliant providers, and iframe/redirect e-commerce integrations that keep PAN off the merchant's servers.
Scope confirmation is annual and mandatory
Under Requirement 12.5.2, entities must document and confirm PCI DSS scope at least once every 12 months and upon significant change (service providers: every six months). An accurate, current data-flow diagram and asset inventory is the foundation of a defensible scope. Under-scoping is the most common root cause of failed assessments and post-breach findings.

Implementation approach

A successful PCI DSS programme is delivered in phases. The following five-phase roadmap moves an organisation from an undefined state to sustained, audit-ready compliance. Each phase lists indicative activities and the deliverables that de-risk the eventual formal assessment.

Phase 1 - Discovery and scoping

  • Activities: identify all payment channels; perform cardholder-data discovery scans; map data flows; build asset inventory; determine merchant/service-provider level and applicable SAQ or ROC.
  • Deliverables: current data-flow diagrams, network diagrams, CDE and in-scope inventory, validation-type determination, project charter.

Phase 2 - Gap assessment

  • Activities: assess current state against all 12 requirements; identify control gaps; risk-rank findings; validate segmentation assumptions; review third-party AOCs.
  • Deliverables: gap-analysis report, prioritised remediation plan with owners and timelines, provisional Customised/Defined approach decisions.

Phase 3 - Remediation

  • Activities: implement or tune NSCs, encryption, MFA, logging and monitoring; harden systems; deploy anti-malware and FIM; write/update policies and procedures; establish training and TPSP management.
  • Deliverables: hardening standards, key-management procedures, updated policies, deployed technical controls, remediation-closure evidence.

Phase 4 - Validation and testing

  • Activities: run internal and ASV scans until passing; conduct penetration testing and segmentation testing; complete evidence collection; perform an internal readiness (pre-assessment) review.
  • Deliverables: passing scan reports, pen-test report with remediation, complete evidence library, readiness sign-off.

Phase 5 - Formal assessment and sustainment

  • Activities: engage QSA for ROC or complete SAQ; sign AOC; submit to acquirer/brand; establish business-as-usual (BAU) monitoring and continuous-compliance cadence.
  • Deliverables: ROC/SAQ, signed AOC, BAU calendar (daily log review, quarterly scans, six-monthly reviews, annual pen-test and scope confirmation).

Maturity and capability model

PCI DSS itself is pass/fail at the point of assessment, but organisations benefit from tracking their compliance maturity to move from reactive, point-in-time validation to sustained security-as-BAU. The following model gauges programme capability.

LevelNameCharacteristics
1Initial / ad hocNo formal scope; controls inconsistent; compliance treated as a one-off scramble before the deadline; frequent gaps.
2DevelopingScope documented; core controls in place but manually maintained; evidence gathered reactively; some requirements only met near assessment time.
3DefinedPolicies and procedures documented for all 12 requirements; roles assigned; BAU cadence emerging; evidence collected routinely.
4ManagedAutomated monitoring (SIEM, FIM, integrity checks); metrics tracked; continuous compliance embedded; targeted risk analyses drive control frequencies.
5OptimisedSecurity integrated into engineering and change processes; customised-approach controls validated; continuous assurance; compliance is a by-product of strong security.

Assessment and audit approach

  1. Confirm validation type and level (SAQ vs ROC) with the acquirer or payment brand, and select the correct SAQ variant if self-assessing.
  2. Define and document scope: finalise data-flow and network diagrams, asset inventory, and segmentation boundaries.
  3. Select the assessment approach per requirement: Defined Approach (meet requirements as written) or Customised Approach (meet the objective via designed controls with a targeted risk analysis).
  4. Conduct interviews, observations, configuration reviews and sampling across in-scope system components and personnel.
  5. Test each sub-requirement against its defined testing procedure and record the result as In Place, Not Applicable, Not Tested or Not in Place.
  6. For any Customised Approach items, review the entity's controls matrix, targeted risk analysis and testing evidence to confirm the objective is met.
  7. Validate compensating controls (Defined Approach only) against the compensating-controls worksheet where a requirement cannot be met as stated.
  8. Aggregate findings into the ROC (or complete the SAQ), remediate any Not-in-Place items, and re-test until all applicable requirements are In Place.
  9. Complete and sign the Attestation of Compliance (AOC); attach passing ASV scans and pen-test evidence.
  10. Submit the AOC and supporting artefacts to the acquirer/brand, and initiate the BAU cadence for the next cycle.

Evidence request list

Assessors request evidence across several categories. Prepare a structured, indexed evidence library keyed to each requirement to accelerate the assessment.

  • Governance and policy: information-security policy, acceptable-use policy, targeted risk analyses, roles-and-responsibilities matrix, annual scope-confirmation record.
  • Architecture: current network diagrams, data-flow diagrams, CDE and asset inventories, segmentation design.
  • Network and configuration: firewall/NSC rulesets and six-monthly reviews, hardening/build standards, sampled configurations, wireless configuration.
  • Data protection: data-retention and disposal policy, discovery-scan results, encryption and tokenisation architecture, key-management procedures and custodian forms.
  • Access and authentication: RBAC matrix, user inventory, six-monthly access reviews, MFA configuration and coverage, joiner-mover-leaver records.
  • Physical security: badge/visitor logs, media-handling and destruction records, POI device inventory and inspection logs.
  • Logging and monitoring: logging configuration, SIEM alerting rules, daily-review records, retention evidence, FIM and IDS/IPS configuration.
  • Testing: internal and ASV scan reports, penetration-test and segmentation-test reports, remediation and retest evidence.
  • Vulnerability and change management: patch reports and SLAs, SDLC and secure-coding standards, code-review and SAST/DAST reports, change tickets.
  • Third parties and incident response: TPSP inventory and contracts, provider AOCs, responsibility matrix, incident-response plan and annual test records.
  • Awareness: security-awareness training content and completion records, phishing-simulation results.

Roles and responsibilities

RolePCI DSS responsibilities
Executive sponsor / CISOOwns the compliance mandate, approves scope and budget, accountable for the AOC and residual risk.
PCI compliance managerCoordinates the programme, maintains evidence library, liaises with QSA/ASV and acquirer, tracks remediation.
Network and infrastructure teamMaintains NSCs, segmentation, hardening standards, time sync and secure configurations (Req 1, 2).
Application/development teamImplements secure SDLC, code review, WAF, script-integrity and change control (Req 6).
Security operations / SOCRuns logging, SIEM, IDS/IPS, FIM, daily log review and anti-malware (Req 5, 10, 11).
Identity and access managementManages unique IDs, least privilege, MFA and access reviews (Req 7, 8).
Cryptography / key custodiansManages encryption, tokenisation and key lifecycle under split knowledge/dual control (Req 3, 4).
Physical security / facilitiesControls facility and media access, visitor management and POI protection (Req 9).
Vendor management / procurementManages TPSP due diligence, contracts, AOC collection and responsibility matrices (Req 12.8).
QSA / ISAPerforms the assessment, validates evidence and customised approaches, authors the ROC.
Approved Scanning Vendor (ASV)Performs and attests quarterly external vulnerability scans (Req 11.3.2).

KPIs to track

  • Percentage of in-scope systems compliant with hardening/build standards.
  • Percentage of critical/high patches applied within the one-month SLA (Req 6.3.3).
  • Number of open ASV scan failures and mean time to remediate to a passing scan.
  • MFA coverage across CDE, remote and administrative access (target 100%).
  • Percentage of accounts reviewed on the six-monthly access-review cycle.
  • Number of overdue firewall/NSC ruleset reviews (target zero).
  • Daily log-review completion rate and mean time to detect/respond to critical alerts.
  • Security-awareness training completion rate (target 100% within cycle).
  • Number of TPSPs with current AOCs on file versus total TPSP inventory.
  • Time to remediate high/critical penetration-test findings.
  • Number of dormant accounts not disabled within 90 days (target zero).
  • Percentage of payment pages with active script-integrity monitoring (Req 6.4.3 / 11.6.1).

Readiness checklist

  • Validation type and merchant/service-provider level confirmed with the acquirer.
  • Current data-flow and network diagrams produced and validated within the last 12 months.
  • Cardholder-data discovery scan completed with no unexpected PAN/SAD storage.
  • CDE and in-scope asset inventory complete and reconciled.
  • Segmentation implemented and tested (annually, or six-monthly for service providers).
  • NSC rulesets documented and reviewed within the last six months.
  • System hardening standards defined and applied to all component types.
  • SAD confirmed not stored post-authorisation; stored PAN rendered unreadable.
  • Key-management procedures documented with custodian acknowledgements.
  • Strong cryptography enforced on all transmission over open, public networks.
  • Anti-malware, FIM and anti-phishing controls deployed and current.
  • Secure SDLC, WAF and payment-page script controls operating.
  • Least-privilege access model and six-monthly access reviews evidenced.
  • MFA enforced for CDE, remote and all administrative access.
  • Physical access, media handling and POI inspection controls in place.
  • Centralised logging, daily review, time sync and 12-month retention operating.
  • Quarterly internal and ASV scans passing; annual pen-test and segmentation test complete.
  • Security-awareness training delivered within the cycle to all personnel.
  • TPSP inventory, contracts, AOCs and responsibility matrix maintained.
  • Incident-response plan documented and tested within the last 12 months.
  • Annual scope confirmation recorded and signed.
  • Evidence library indexed by requirement and ready for the assessor.

Common gaps

  • Under-scoping: failing to include connected-to and security-impacting systems, or relying on untested segmentation.
  • Inadvertent SAD storage: full track data, CVV or PIN blocks retained in application logs, debug files or database columns.
  • Stale firewall/NSC rulesets with permissive 'any-any' rules and no six-monthly review evidence.
  • Incomplete MFA: administrative or remote access covered but access into the CDE from within the corporate network overlooked.
  • Patch-SLA breaches for critical and high vulnerabilities beyond the one-month window.
  • Weak or undocumented cryptographic key management - no split knowledge, dual control or rotation records.
  • Logging gaps: logs not centralised, not reviewed daily, retained under 12 months, or missing required event fields.
  • E-commerce script and header-integrity controls (6.4.3, 11.6.1) not implemented, leaving pages exposed to skimming.
  • Third-party risk blind spots: missing AOCs, absent responsibility matrices, and no ongoing TPSP monitoring.
  • Dormant and shared accounts not disabled or justified; leaver access left active.
  • Point-in-time compliance mindset - controls degrade after the assessment because BAU cadence is not embedded.
  • Untested incident-response plan and no defined breach-notification path.

PCI DSS mapped to other frameworks

PCI DSS controls overlap substantially with broader security frameworks, allowing organisations to reuse evidence and align programmes. The mapping below is indicative and should be validated against the official crosswalks.

PCI DSS areaISO/IEC 27001:2022 (Annex A)NIST CSF 2.0SOC 2 (Trust Services)CIS Controls v8
Req 1-2 Network & configurationA.8.20-8.22, A.8.9PR.IR, PR.PSCC6.6, CC6.71, 4, 12, 13
Req 3-4 Data protection & cryptographyA.8.24, A.5.33PR.DSCC6.1, CC6.73
Req 5-6 Malware & secure developmentA.8.7, A.8.25-8.28PR.PS, DE.CMCC7.1, CC8.17, 10, 16
Req 7-8 Access & authenticationA.8.2-8.5, A.5.15-5.18PR.AACC6.1, CC6.2, CC6.35, 6
Req 9 Physical securityA.7.1-7.14PR.AA, PR.IRCC6.4(mapped via governance)
Req 10-11 Logging & testingA.8.15-8.16, A.8.8DE.CM, DE.AE, ID.RACC7.1, CC7.28, 13, 18
Req 12 Governance & IRA.5.1-5.10, A.5.24-5.30GV, RS, RCCC1.x, CC2.x, CC9.x14, 17
How CyberSigma helps
CyberSigma is a CERT-In empanelled cybersecurity partner with PCI QSA-led expertise. We take organisations end-to-end through PCI DSS v4.0.1: precise scoping and cardholder-data discovery to minimise cost and risk; a rigorous gap assessment across all 12 requirements; hands-on remediation of network, cryptography, access, logging and e-commerce script controls; ASV scanning and penetration testing; and QSA-led formal assessment culminating in a signed ROC and AOC. Beyond certification, we embed business-as-usual continuous-compliance monitoring so your security stays audit-ready year-round. Talk to CyberSigma to build a defensible, sustainable PCI DSS programme.
Free 1-minute check
PCI DSS Scope Checker
See if you’re in scope and your likely SAQ type or level — free, in under a minute.
Try it free →

Frequently asked questions

Which SAQ do I need?
It depends on how you accept payments (e.g., fully outsourced hosted page vs handling card data directly). Choosing the correct SAQ is essential — our free PCI DSS scope checker gives an indication.
What changed in PCI DSS v4.0.1?
v4.0 introduced expanded MFA, stronger authentication, targeted risk analyses, payment-page script integrity and more; v4.0.1 is a minor clarification update. Several requirements are now mandatory after being future-dated.
Who needs a QSA?
Level 1 merchants and many service providers require a Qualified Security Assessor–led assessment. CyberSigma is PCI QSA authorised across the CEMEA region.

Need help with PCI DSS?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.