Introduction
The Payment Card Industry Data Security Standard (PCI DSS) is the globally recognised baseline for protecting cardholder data (CHD) and sensitive authentication data (SAD) throughout their lifecycle of storage, processing and transmission. Maintained by the PCI Security Standards Council (PCI SSC) - a body founded by American Express, Discover, JCB International, Mastercard and Visa Inc. - the standard applies to any merchant, service provider or other entity that stores, processes or transmits account data, regardless of size, industry or geography. This deep-dive is written for security leaders, compliance managers, internal auditors and technical teams preparing for a formal PCI DSS assessment against the current version of the standard, PCI DSS v4.0.1 (the maintenance release that superseded v4.0 and retired v3.2.1 on 31 March 2024).
Unlike a legal regulation, PCI DSS is a contractual obligation enforced by the individual payment card brands and by acquiring banks. Non-compliance can result in monthly fines, increased transaction fees, mandatory forensic investigation after a breach, and in severe cases the withdrawal of the ability to accept card payments. The standard is prescriptive and technical, but v4.0 introduced a more outcome-focused philosophy through the Customised Approach, alongside the traditional Defined Approach. This guide walks through every requirement family, the assessment evidence auditors expect, scoping discipline, and a phased implementation roadmap.
Copyright and source note
PCI DSS, the PCI DSS Requirements and Security Assessment Procedures, the Self-Assessment Questionnaires (SAQs), the Report on Compliance (ROC) template and the Attestation of Compliance (AOC) are copyrighted works of the PCI Security Standards Council LLC. This guide is original explanatory commentary authored by CyberSigma and does not reproduce the copyrighted text of the standard. Always obtain the official documents from the PCI SSC Document Library and treat the published standard as the single authoritative source for any formal assessment.
What is PCI DSS
PCI DSS is a set of security requirements designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. The scope of protection centres on two data categories. Cardholder Data (CHD) comprises the Primary Account Number (PAN), cardholder name, expiration date and service code. Sensitive Authentication Data (SAD) comprises the full track data (magnetic-stripe data or its equivalent on a chip), the card verification code/value (CAV2/CVC2/CVV2/CID) and PINs/PIN blocks. The cardinal rule is that SAD must never be stored after authorisation, even in encrypted form, while CHD may be stored only when there is a legitimate business need and only under strong protection such as strong cryptography with associated key-management processes.
The standard is organised into 12 principal requirements grouped under six control objectives, expanded into several hundred detailed sub-requirements and testing procedures. PCI DSS v4.0 added roughly 60 new requirements. Many were designated 'best practice' until 31 March 2025, after which they became mandatory - meaning any assessment with a report date on or after 1 April 2025 must treat those future-dated requirements as in force. Key v4.0 themes include: continued flexibility through the Customised Approach; increased emphasis on continuous security rather than point-in-time compliance; expanded multi-factor authentication (MFA); stronger anti-phishing and e-commerce skimming controls (notably the new script and header-integrity requirements 6.4.3 and 11.6.1); and clearer definitions of roles and responsibilities via 'Roles and Responsibilities' sub-requirements attached to each of the 12 requirements.
Validation instruments
- Report on Compliance (ROC): a full assessment performed by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA); mandatory for Level 1 merchants and most large service providers.
- Self-Assessment Questionnaire (SAQ): a self-validation tool for eligible smaller merchants; variants include SAQ A, A-EP, B, B-IP, C, C-VT, P2PE, D-Merchant and D-Service Provider, each scoped to a specific payment channel and technology.
- Attestation of Compliance (AOC): the signed declaration of compliance status, submitted to the acquirer or payment brand alongside the ROC or SAQ.
- Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) where applicable under Requirement 11.3.2.
Who must comply
PCI DSS applies to all entities involved in payment card processing - merchants, processors, acquirers, issuers and service providers - as well as any other entity that stores, processes or transmits cardholder data or sensitive authentication data, or that could affect the security of the cardholder data environment (CDE). The rigour of validation is determined by transaction volume, which places each entity into a merchant or service-provider level defined by the individual card brands (levels below reflect Visa/Mastercard conventions; thresholds can differ by brand and by forensic history).
| Entity type / level | Typical criteria | Validation requirement |
|---|
| Merchant Level 1 | Over 6 million card transactions annually (any channel), or any merchant that has suffered a breach, or one designated Level 1 by a card brand | Annual on-site assessment (ROC) by QSA or ISA, quarterly ASV scans, penetration testing |
| Merchant Level 2 | 1 million to 6 million transactions annually | Annual SAQ (or ROC at brand/acquirer discretion), quarterly ASV scans |
| Merchant Level 3 | 20,000 to 1 million e-commerce transactions annually | Annual SAQ, quarterly ASV scans |
| Merchant Level 4 | Fewer than 20,000 e-commerce transactions, or up to 1 million transactions across all channels | Annual SAQ (at acquirer discretion), quarterly ASV scans as required |
| Service Provider Level 1 | More than 300,000 transactions annually, or storing/processing/transmitting large volumes on behalf of others | Annual on-site ROC by QSA, quarterly ASV scans, penetration testing |
| Service Provider Level 2 | Fewer than 300,000 transactions annually | Annual SAQ D for Service Providers, quarterly ASV scans |
- Payment gateways, processors and payment facilitators (PayFacs) that touch account data.
- SaaS and cloud providers whose services could affect the security of a client CDE (for example hosting, managed firewalls, tokenisation or fraud-scoring platforms).
- Call centres, BPOs and back-office operations that capture PANs over the telephone or via correspondence.
- E-commerce businesses using redirect, iframe or direct-post integrations - each carries a different SAQ eligibility and script-integrity obligation.
- Any organisation that has outsourced payment handling but retains responsibility for vendor oversight and for the portions of PCI DSS it still influences.
Structure of PCI DSS
PCI DSS is structured as six control objectives (goals) that decompose into 12 core requirements. Each core requirement contains sub-requirements, defined testing procedures, guidance and - in v4.0 - customised-approach objectives and applicability notes. The table below maps the goals to their requirements.
| Control objective (goal) | Requirement no. | Requirement title |
|---|
| Build and Maintain a Secure Network and Systems | 1 | Install and Maintain Network Security Controls |
| Build and Maintain a Secure Network and Systems | 2 | Apply Secure Configurations to All System Components |
| Protect Account Data | 3 | Protect Stored Account Data |
| Protect Account Data | 4 | Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks |
| Maintain a Vulnerability Management Programme | 5 | Protect All Systems and Networks from Malicious Software |
| Maintain a Vulnerability Management Programme | 6 | Develop and Maintain Secure Systems and Software |
| Implement Strong Access Control Measures | 7 | Restrict Access to System Components and Cardholder Data by Business Need to Know |
| Implement Strong Access Control Measures | 8 | Identify Users and Authenticate Access to System Components |
| Implement Strong Access Control Measures | 9 | Restrict Physical Access to Cardholder Data |
| Regularly Monitor and Test Networks | 10 | Log and Monitor All Access to System Components and Cardholder Data |
| Regularly Monitor and Test Networks | 11 | Test Security of Systems and Networks Regularly |
| Maintain an Information Security Policy | 12 | Support Information Security with Organisational Policies and Programmes |
Two additional structural constructs are essential. Appendix A extends the standard for specific scenarios: A1 (multi-tenant service providers), A2 (SSL/early TLS for POS POI terminals) and A3 (the Designated Entities Supplemental Validation, DESV, applied to entities directed by a payment brand or acquirer). The Customised Approach allows an entity to meet the stated Customised Approach Objective of a requirement using controls of its own design, provided it documents a targeted risk analysis and the QSA validates that the objective is met.
Master assessment checklist
This is the core of the guide. Each of the 12 requirements is enumerated below with the principal sub-requirement themes, what an assessor must verify, and the typical evidence expected. Use these tables as the backbone of a readiness or gap assessment; every control area is covered so that nothing is skipped. Evidence should always be current, dated, and traceable to a named owner.
Requirement 1 - Install and Maintain Network Security Controls
| What to verify | Typical evidence |
|---|
| Network Security Controls (NSCs - firewalls, virtual and cloud equivalents) are defined, configured and maintained (1.2) | NSC configuration standards, change-control records, review of ruleset documentation |
| Ruleset restricts inbound/outbound traffic to only that which is necessary; deny-all default in place (1.2.1, 1.4) | Firewall/NSC rulesets, port/service justification matrix, network diagrams |
| Network segmentation isolates the CDE from untrusted networks and from the rest of the corporate network (1.3, 1.4) | Current network diagram, data-flow diagram, segmentation configuration |
| NSC rulesets are reviewed at least every six months (1.2.7) | Signed six-monthly ruleset review records with dates and reviewer names |
| No direct connections between the internet and the CDE; DMZ used for public-facing components (1.4.4, 1.4.5) | Architecture diagrams, DMZ configuration, egress/ingress controls |
| Anti-spoofing and private IP disclosure prevention in place (1.4.3, 1.4.5) | NAT configuration, anti-spoofing rules, external scan evidence |
| Security controls on any computing device that connects to both untrusted networks and the CDE (1.5.1) | Endpoint/host firewall configuration, mobile device policy, BYOD controls |
Requirement 2 - Apply Secure Configurations to All System Components
| What to verify | Typical evidence |
|---|
| Vendor default accounts and passwords are changed or disabled before install (2.2.2) | Hardening standards, sampled system configs, account inventory |
| System hardening/configuration standards exist for all component types and align to industry benchmarks (2.2.1) | Documented build standards (e.g. CIS-based), gold-image definitions |
| Only necessary services, protocols, daemons and functions are enabled; insecure ones justified and secured (2.2.4, 2.2.5) | Running-services listing, risk analysis for insecure services |
| System security parameters configured to prevent misuse (2.2.6) | Configuration baselines, sampled parameter settings |
| All non-console administrative access is encrypted with strong cryptography (2.2.7) | SSH/TLS configuration, disabled Telnet/HTTP admin evidence |
| Wireless vendor defaults (encryption keys, SNMP community strings, passwords) changed; strong wireless encryption used (2.3.1, 2.3.2) | Wireless configuration, key-rotation records, WPA2/WPA3 evidence |
Requirement 3 - Protect Stored Account Data
| What to verify | Typical evidence |
|---|
| Account data storage is minimised via retention and disposal policy; data purged when no longer needed (3.2.1) | Data-retention policy, quarterly secure-deletion records, discovery scan output |
| Sensitive Authentication Data (SAD) is not stored after authorisation, even if encrypted (3.3.1) | SAD-search results, application/data-store review, forensic sampling |
| Full track data, card verification codes and PIN blocks are not retained (3.3.1.1-3.3.1.3) | Database/log inspection, code review, storage scans |
| PAN is masked when displayed; maximum first six/last four shown only to those with need (3.4.1) | Screenshots of masked displays, role-based display configuration |
| PAN is rendered unreadable wherever stored (one-way hash with salt, truncation, tokens, or strong cryptography) (3.5.1) | Encryption/tokenisation architecture, hashing configuration, sampled stored values |
| Cryptographic keys are protected against disclosure and misuse; key-management procedures are documented (3.6, 3.7) | Key-management policy, key-custodian acknowledgements, KMS/HSM records |
| Key rotation, retirement, split knowledge and dual control for manual clear-text key operations (3.7.4-3.7.9) | Key-rotation logs, dual-control procedures, key-custodian forms |
Requirement 4 - Protect CHD with Strong Cryptography During Transmission
| What to verify | Typical evidence |
|---|
| Strong cryptography and secure protocols protect PAN during transmission over open, public networks (4.2.1) | TLS configuration, protocol/cipher inventory, external scan evidence |
| Certificates used are valid, trusted and not expired or revoked (4.2.1.1) | Certificate inventory with expiry dates, CA trust configuration |
| Only trusted keys and certificates are accepted; insecure versions/ciphers disabled (4.2.1) | Cipher-suite configuration, disabled early-TLS/SSL evidence |
| PAN is never sent via end-user messaging technologies (email, SMS, chat) unless protected by strong cryptography (4.2.2) | Messaging/DLP policy, DLP alerts, awareness records |
| Inventory of trusted keys and certificates used to protect PAN in transit is maintained (4.2.1.1) | Certificate/key inventory, ownership register |
Requirement 5 - Protect All Systems and Networks from Malicious Software
| What to verify | Typical evidence |
|---|
| Anti-malware solution deployed on all applicable system components; coverage evaluated periodically (5.2.1, 5.2.3) | Anti-malware deployment console, coverage report, targeted risk analysis for non-covered systems |
| Anti-malware mechanisms are kept current, perform periodic scans and active/real-time scanning (5.3.1, 5.3.2) | Definition-update logs, scan schedules and results |
| Anti-malware cannot be disabled or altered by users unless authorised for a limited time (5.3.5) | Endpoint policy configuration, exception approval records |
| Anti-phishing mechanisms protect against phishing attacks (5.4.1) | Email-gateway configuration, phishing-simulation results, DMARC/SPF/DKIM |
| Removable electronic media is scanned for malware when in use (5.3.3) | USB/media scanning policy and logs |
Requirement 6 - Develop and Maintain Secure Systems and Software
| What to verify | Typical evidence |
|---|
| Security vulnerabilities are identified and risk-ranked using reputable sources (6.3.1) | Vulnerability-intelligence subscriptions, risk-ranking methodology |
| Security patches are installed; critical/high patches within one month (6.3.3) | Patch-management reports, SLA tracking, sampled patch levels |
| Bespoke and custom software is developed securely following a secure SDLC (6.2.1-6.2.4) | SDLC policy, secure-coding standards, training records |
| Code reviews and application security testing address common vulnerabilities (e.g. injection, XSS) (6.2.3, 6.2.4) | Code-review records, SAST/DAST reports, remediation tracking |
| Public-facing web applications protected by review or a WAF, and via automated technical solution (6.4.1, 6.4.2) | WAF configuration and logs, app-scan reports |
| Payment-page scripts are managed, authorised and their integrity assured against skimming (6.4.3) | Script inventory, integrity-check/CSP configuration, authorisation records |
| Change-control processes separate development/test/production and require documented approvals (6.5.1-6.5.6) | Change tickets, environment separation evidence, back-out plans |
Requirement 7 - Restrict Access by Business Need to Know
| What to verify | Typical evidence |
|---|
| Access to system components and account data is limited to least privilege / need to know (7.2.1, 7.2.2) | Role-to-privilege matrix, access-request records, sampled entitlements |
| An access-control model is defined, covering roles, privileges and objects (7.2.1) | RBAC/ABAC documentation, role definitions |
| Access is assigned based on job classification and function; default deny-all (7.2.2, 7.3.3) | Access-control system configuration, provisioning workflow |
| Privileges for all user IDs and system/application accounts are reviewed at least every six months (7.2.4) | Signed six-monthly access-review records |
| Access-control systems enforce restrictions and default to deny (7.3.1-7.3.3) | Access-control tool configuration, deny-by-default settings |
Requirement 8 - Identify Users and Authenticate Access
| What to verify | Typical evidence |
|---|
| Every user is assigned a unique ID; shared/generic accounts are managed and justified (8.2.1, 8.2.2) | User inventory, shared-account exception register |
| User lifecycle: additions, changes and terminations are managed; inactive accounts removed/disabled within 90 days (8.2.4-8.2.6) | Joiner-mover-leaver records, dormant-account report |
| Strong authentication: passwords at least 12 characters (or 8 with documented constraints), complexity and history enforced (8.3.1-8.3.9) | Password-policy configuration, sampled account settings |
| Multi-factor authentication for all access into the CDE and for all remote/administrative access (8.4.1-8.5.1) | MFA configuration, authentication logs, coverage report |
| MFA is resistant to replay and cannot be bypassed (8.5.1) | MFA solution design, anti-replay configuration |
| Application and system accounts and their credentials are managed and protected; interactive use restricted (8.6.1-8.6.3) | Service-account inventory, secrets-vault configuration, rotation records |
Requirement 9 - Restrict Physical Access to Cardholder Data
| What to verify | Typical evidence |
|---|
| Physical access controls restrict entry to facilities and systems in the CDE (9.2.1) | Badge-system logs, access-control diagrams, site walkthrough notes |
| Visitors are identified, authorised, escorted and logged; access revoked on departure (9.3.1-9.3.4) | Visitor logs, badge policy, escort procedures |
| Media containing account data is physically secured, inventoried and controlled during transport (9.4.1-9.4.5) | Media inventory, chain-of-custody forms, secure-transport records |
| Media is destroyed when no longer needed (cross-cut shredding, incineration, secure wipe) (9.4.6, 9.4.7) | Destruction certificates, shredding logs |
| Point-of-interaction (POI) devices are protected from tampering and substitution; inspected periodically (9.5.1) | POI device inventory with serials, inspection logs, training records |
Requirement 10 - Log and Monitor All Access
| What to verify | Typical evidence |
|---|
| Audit logs are enabled and capture all access to system components and cardholder data (10.2.1) | Logging configuration, sample log extracts, log-source inventory |
| Logs record required events: user access, privileged actions, invalid attempts, changes to accounts, audit-log changes (10.2.1.1-10.2.1.7) | Log records showing user ID, event type, date/time, success/failure, origin, affected resource |
| Logs are protected from alteration and centrally collected (10.3.1-10.3.4) | SIEM/central-log configuration, file-integrity monitoring, access restrictions on logs |
| Time synchronisation using authoritative time sources is in place (10.6.1-10.6.3) | NTP configuration, time-source records |
| Logs are reviewed daily for critical systems (via automated mechanisms) and anomalies are actioned (10.4.1-10.4.3) | SIEM alerting rules, review records, incident tickets |
| Audit-log history retained at least 12 months, with at least 3 months immediately available (10.5.1) | Retention configuration, archive evidence |
| Failures of critical security-control systems are detected, alerted and responded to promptly (10.7.1-10.7.3) | Health-monitoring configuration, failure-response records |
Requirement 11 - Test Security of Systems and Networks Regularly
| What to verify | Typical evidence |
|---|
| Wireless access points are identified and unauthorised ones detected quarterly (11.2.1, 11.2.2) | Wireless-scan reports, authorised-AP inventory |
| Internal and external vulnerability scans are run at least quarterly and after significant change; issues resolved and rescanned (11.3.1, 11.3.2) | Internal scan reports, ASV passing scans, remediation evidence |
| External ASV scans are performed by an Approved Scanning Vendor and pass (11.3.2) | ASV attestation and scan reports |
| Penetration testing (external and internal) is performed at least annually and after significant changes; segmentation testing validates isolation (11.4.1-11.4.6) | Pen-test methodology, reports, remediation and retest evidence, segmentation-test results |
| Intrusion-detection/prevention techniques monitor traffic at the CDE perimeter and critical points (11.5.1) | IDS/IPS configuration, alert records |
| Change- and tamper-detection on payment pages alerts to unauthorised modification of HTTP headers and script content (11.6.1) | Client-side integrity-monitoring configuration and alert logs |
| File-integrity monitoring detects unauthorised changes to critical files (11.5.2) | FIM tool configuration, alert and review records |
Requirement 12 - Support Information Security with Organisational Policies and Programmes
| What to verify | Typical evidence |
|---|
| A comprehensive information-security policy is established, published, maintained and reviewed at least annually (12.1.1-12.1.4) | Signed security policy, annual review record, distribution evidence |
| A targeted risk analysis process supports flexible/PCI-defined frequencies and the customised approach (12.3.1-12.3.4) | Targeted risk-analysis documents, technology-review records |
| Roles and responsibilities for PCI DSS are formally assigned and understood (12.1.3, 12.5.1) | Roles matrix, acknowledgements, scope documentation |
| PCI DSS scope is documented and confirmed at least annually and on significant change (12.5.2, 12.5.3) | Scoping documentation, annual scope-confirmation record, data-flow diagrams |
| Security-awareness training is provided at hire and at least annually, covering current threats (12.6.1-12.6.3) | Training content, completion records, phishing-awareness material |
| Personnel screening is performed prior to hire where permitted (12.7.1) | Background-check policy and records |
| Third-party service provider (TPSP) relationships are managed: due diligence, written agreements, responsibility matrix and monitoring (12.8.1-12.8.5) | TPSP inventory, contracts with PCI responsibility clauses, AOCs, responsibility matrix |
| An incident-response plan exists, is tested annually and covers detection, containment and reporting (12.10.1-12.10.7) | IR plan, test records, on-call roster, breach-notification procedures |
| Additional requirements for TPSPs and for entities under DESV (Appendix A1, A3) are met where applicable | Multi-tenant separation evidence, DESV validation records |
Scoping
Scoping is the single most consequential activity in a PCI DSS programme: it defines which systems, people and processes fall under the standard and therefore the size, cost and risk of the assessment. The Cardholder Data Environment (CDE) comprises the people, processes and technologies that store, process or transmit CHD or SAD. PCI DSS scope, however, is broader than the CDE - it also includes any 'connected-to' or 'security-impacting' systems that can affect the security of the CDE, even if they never touch account data themselves (for example, an authentication server, a jump host, a patch-distribution server, or a hypervisor hosting CDE workloads).
- CDE systems: any system that stores, processes or transmits CHD/SAD, and any system on the same network segment.
- Connected-to / security-impacting systems: systems that can connect to or influence the security of the CDE (e.g. NTP, DNS, AD, SIEM, admin workstations, backup servers).
- Out-of-scope systems: only truly isolated systems with adequate network segmentation and no ability to affect CDE security - and the isolation must be validated by penetration testing.
- Segmentation is not mandatory but is strongly recommended to reduce scope; if used, its effectiveness must be tested at least annually (every six months for service providers).
- Scope reduction techniques: tokenisation, point-to-point encryption (P2PE), outsourcing to compliant providers, and iframe/redirect e-commerce integrations that keep PAN off the merchant's servers.
Scope confirmation is annual and mandatory
Under Requirement 12.5.2, entities must document and confirm PCI DSS scope at least once every 12 months and upon significant change (service providers: every six months). An accurate, current data-flow diagram and asset inventory is the foundation of a defensible scope. Under-scoping is the most common root cause of failed assessments and post-breach findings.
Implementation approach
A successful PCI DSS programme is delivered in phases. The following five-phase roadmap moves an organisation from an undefined state to sustained, audit-ready compliance. Each phase lists indicative activities and the deliverables that de-risk the eventual formal assessment.
Phase 1 - Discovery and scoping
- Activities: identify all payment channels; perform cardholder-data discovery scans; map data flows; build asset inventory; determine merchant/service-provider level and applicable SAQ or ROC.
- Deliverables: current data-flow diagrams, network diagrams, CDE and in-scope inventory, validation-type determination, project charter.
Phase 2 - Gap assessment
- Activities: assess current state against all 12 requirements; identify control gaps; risk-rank findings; validate segmentation assumptions; review third-party AOCs.
- Deliverables: gap-analysis report, prioritised remediation plan with owners and timelines, provisional Customised/Defined approach decisions.
Phase 3 - Remediation
- Activities: implement or tune NSCs, encryption, MFA, logging and monitoring; harden systems; deploy anti-malware and FIM; write/update policies and procedures; establish training and TPSP management.
- Deliverables: hardening standards, key-management procedures, updated policies, deployed technical controls, remediation-closure evidence.
Phase 4 - Validation and testing
- Activities: run internal and ASV scans until passing; conduct penetration testing and segmentation testing; complete evidence collection; perform an internal readiness (pre-assessment) review.
- Deliverables: passing scan reports, pen-test report with remediation, complete evidence library, readiness sign-off.
Phase 5 - Formal assessment and sustainment
- Activities: engage QSA for ROC or complete SAQ; sign AOC; submit to acquirer/brand; establish business-as-usual (BAU) monitoring and continuous-compliance cadence.
- Deliverables: ROC/SAQ, signed AOC, BAU calendar (daily log review, quarterly scans, six-monthly reviews, annual pen-test and scope confirmation).
Maturity and capability model
PCI DSS itself is pass/fail at the point of assessment, but organisations benefit from tracking their compliance maturity to move from reactive, point-in-time validation to sustained security-as-BAU. The following model gauges programme capability.
| Level | Name | Characteristics |
|---|
| 1 | Initial / ad hoc | No formal scope; controls inconsistent; compliance treated as a one-off scramble before the deadline; frequent gaps. |
| 2 | Developing | Scope documented; core controls in place but manually maintained; evidence gathered reactively; some requirements only met near assessment time. |
| 3 | Defined | Policies and procedures documented for all 12 requirements; roles assigned; BAU cadence emerging; evidence collected routinely. |
| 4 | Managed | Automated monitoring (SIEM, FIM, integrity checks); metrics tracked; continuous compliance embedded; targeted risk analyses drive control frequencies. |
| 5 | Optimised | Security integrated into engineering and change processes; customised-approach controls validated; continuous assurance; compliance is a by-product of strong security. |
Assessment and audit approach
- Confirm validation type and level (SAQ vs ROC) with the acquirer or payment brand, and select the correct SAQ variant if self-assessing.
- Define and document scope: finalise data-flow and network diagrams, asset inventory, and segmentation boundaries.
- Select the assessment approach per requirement: Defined Approach (meet requirements as written) or Customised Approach (meet the objective via designed controls with a targeted risk analysis).
- Conduct interviews, observations, configuration reviews and sampling across in-scope system components and personnel.
- Test each sub-requirement against its defined testing procedure and record the result as In Place, Not Applicable, Not Tested or Not in Place.
- For any Customised Approach items, review the entity's controls matrix, targeted risk analysis and testing evidence to confirm the objective is met.
- Validate compensating controls (Defined Approach only) against the compensating-controls worksheet where a requirement cannot be met as stated.
- Aggregate findings into the ROC (or complete the SAQ), remediate any Not-in-Place items, and re-test until all applicable requirements are In Place.
- Complete and sign the Attestation of Compliance (AOC); attach passing ASV scans and pen-test evidence.
- Submit the AOC and supporting artefacts to the acquirer/brand, and initiate the BAU cadence for the next cycle.
Evidence request list
Assessors request evidence across several categories. Prepare a structured, indexed evidence library keyed to each requirement to accelerate the assessment.
- Governance and policy: information-security policy, acceptable-use policy, targeted risk analyses, roles-and-responsibilities matrix, annual scope-confirmation record.
- Architecture: current network diagrams, data-flow diagrams, CDE and asset inventories, segmentation design.
- Network and configuration: firewall/NSC rulesets and six-monthly reviews, hardening/build standards, sampled configurations, wireless configuration.
- Data protection: data-retention and disposal policy, discovery-scan results, encryption and tokenisation architecture, key-management procedures and custodian forms.
- Access and authentication: RBAC matrix, user inventory, six-monthly access reviews, MFA configuration and coverage, joiner-mover-leaver records.
- Physical security: badge/visitor logs, media-handling and destruction records, POI device inventory and inspection logs.
- Logging and monitoring: logging configuration, SIEM alerting rules, daily-review records, retention evidence, FIM and IDS/IPS configuration.
- Testing: internal and ASV scan reports, penetration-test and segmentation-test reports, remediation and retest evidence.
- Vulnerability and change management: patch reports and SLAs, SDLC and secure-coding standards, code-review and SAST/DAST reports, change tickets.
- Third parties and incident response: TPSP inventory and contracts, provider AOCs, responsibility matrix, incident-response plan and annual test records.
- Awareness: security-awareness training content and completion records, phishing-simulation results.
Roles and responsibilities
| Role | PCI DSS responsibilities |
|---|
| Executive sponsor / CISO | Owns the compliance mandate, approves scope and budget, accountable for the AOC and residual risk. |
| PCI compliance manager | Coordinates the programme, maintains evidence library, liaises with QSA/ASV and acquirer, tracks remediation. |
| Network and infrastructure team | Maintains NSCs, segmentation, hardening standards, time sync and secure configurations (Req 1, 2). |
| Application/development team | Implements secure SDLC, code review, WAF, script-integrity and change control (Req 6). |
| Security operations / SOC | Runs logging, SIEM, IDS/IPS, FIM, daily log review and anti-malware (Req 5, 10, 11). |
| Identity and access management | Manages unique IDs, least privilege, MFA and access reviews (Req 7, 8). |
| Cryptography / key custodians | Manages encryption, tokenisation and key lifecycle under split knowledge/dual control (Req 3, 4). |
| Physical security / facilities | Controls facility and media access, visitor management and POI protection (Req 9). |
| Vendor management / procurement | Manages TPSP due diligence, contracts, AOC collection and responsibility matrices (Req 12.8). |
| QSA / ISA | Performs the assessment, validates evidence and customised approaches, authors the ROC. |
| Approved Scanning Vendor (ASV) | Performs and attests quarterly external vulnerability scans (Req 11.3.2). |
KPIs to track
- Percentage of in-scope systems compliant with hardening/build standards.
- Percentage of critical/high patches applied within the one-month SLA (Req 6.3.3).
- Number of open ASV scan failures and mean time to remediate to a passing scan.
- MFA coverage across CDE, remote and administrative access (target 100%).
- Percentage of accounts reviewed on the six-monthly access-review cycle.
- Number of overdue firewall/NSC ruleset reviews (target zero).
- Daily log-review completion rate and mean time to detect/respond to critical alerts.
- Security-awareness training completion rate (target 100% within cycle).
- Number of TPSPs with current AOCs on file versus total TPSP inventory.
- Time to remediate high/critical penetration-test findings.
- Number of dormant accounts not disabled within 90 days (target zero).
- Percentage of payment pages with active script-integrity monitoring (Req 6.4.3 / 11.6.1).
Readiness checklist
- Validation type and merchant/service-provider level confirmed with the acquirer.
- Current data-flow and network diagrams produced and validated within the last 12 months.
- Cardholder-data discovery scan completed with no unexpected PAN/SAD storage.
- CDE and in-scope asset inventory complete and reconciled.
- Segmentation implemented and tested (annually, or six-monthly for service providers).
- NSC rulesets documented and reviewed within the last six months.
- System hardening standards defined and applied to all component types.
- SAD confirmed not stored post-authorisation; stored PAN rendered unreadable.
- Key-management procedures documented with custodian acknowledgements.
- Strong cryptography enforced on all transmission over open, public networks.
- Anti-malware, FIM and anti-phishing controls deployed and current.
- Secure SDLC, WAF and payment-page script controls operating.
- Least-privilege access model and six-monthly access reviews evidenced.
- MFA enforced for CDE, remote and all administrative access.
- Physical access, media handling and POI inspection controls in place.
- Centralised logging, daily review, time sync and 12-month retention operating.
- Quarterly internal and ASV scans passing; annual pen-test and segmentation test complete.
- Security-awareness training delivered within the cycle to all personnel.
- TPSP inventory, contracts, AOCs and responsibility matrix maintained.
- Incident-response plan documented and tested within the last 12 months.
- Annual scope confirmation recorded and signed.
- Evidence library indexed by requirement and ready for the assessor.
Common gaps
- Under-scoping: failing to include connected-to and security-impacting systems, or relying on untested segmentation.
- Inadvertent SAD storage: full track data, CVV or PIN blocks retained in application logs, debug files or database columns.
- Stale firewall/NSC rulesets with permissive 'any-any' rules and no six-monthly review evidence.
- Incomplete MFA: administrative or remote access covered but access into the CDE from within the corporate network overlooked.
- Patch-SLA breaches for critical and high vulnerabilities beyond the one-month window.
- Weak or undocumented cryptographic key management - no split knowledge, dual control or rotation records.
- Logging gaps: logs not centralised, not reviewed daily, retained under 12 months, or missing required event fields.
- E-commerce script and header-integrity controls (6.4.3, 11.6.1) not implemented, leaving pages exposed to skimming.
- Third-party risk blind spots: missing AOCs, absent responsibility matrices, and no ongoing TPSP monitoring.
- Dormant and shared accounts not disabled or justified; leaver access left active.
- Point-in-time compliance mindset - controls degrade after the assessment because BAU cadence is not embedded.
- Untested incident-response plan and no defined breach-notification path.
PCI DSS mapped to other frameworks
PCI DSS controls overlap substantially with broader security frameworks, allowing organisations to reuse evidence and align programmes. The mapping below is indicative and should be validated against the official crosswalks.
| PCI DSS area | ISO/IEC 27001:2022 (Annex A) | NIST CSF 2.0 | SOC 2 (Trust Services) | CIS Controls v8 |
|---|
| Req 1-2 Network & configuration | A.8.20-8.22, A.8.9 | PR.IR, PR.PS | CC6.6, CC6.7 | 1, 4, 12, 13 |
| Req 3-4 Data protection & cryptography | A.8.24, A.5.33 | PR.DS | CC6.1, CC6.7 | 3 |
| Req 5-6 Malware & secure development | A.8.7, A.8.25-8.28 | PR.PS, DE.CM | CC7.1, CC8.1 | 7, 10, 16 |
| Req 7-8 Access & authentication | A.8.2-8.5, A.5.15-5.18 | PR.AA | CC6.1, CC6.2, CC6.3 | 5, 6 |
| Req 9 Physical security | A.7.1-7.14 | PR.AA, PR.IR | CC6.4 | (mapped via governance) |
| Req 10-11 Logging & testing | A.8.15-8.16, A.8.8 | DE.CM, DE.AE, ID.RA | CC7.1, CC7.2 | 8, 13, 18 |
| Req 12 Governance & IR | A.5.1-5.10, A.5.24-5.30 | GV, RS, RC | CC1.x, CC2.x, CC9.x | 14, 17 |
How CyberSigma helps
CyberSigma is a CERT-In empanelled cybersecurity partner with PCI QSA-led expertise. We take organisations end-to-end through PCI DSS v4.0.1: precise scoping and cardholder-data discovery to minimise cost and risk; a rigorous gap assessment across all 12 requirements; hands-on remediation of network, cryptography, access, logging and e-commerce script controls; ASV scanning and penetration testing; and QSA-led formal assessment culminating in a signed ROC and AOC. Beyond certification, we embed business-as-usual continuous-compliance monitoring so your security stays audit-ready year-round. Talk to CyberSigma to build a defensible, sustainable PCI DSS programme.