What is PCI-DSS v4.0 and who must comply?

Payment Card Industry Data Security Standard (PCI-DSS) version 4.0 applies to any business that processes, stores, or transmits payment card data. This includes retailers, restaurants, healthcare practices, country clubs, and any business accepting credit or debit cards. Non-compliance exposes businesses to fines of $5,000–$100,000 per month from card brands.

What is a PCI-DSS SAQ and which one do I need?

A Self-Assessment Questionnaire (SAQ) is the PCI compliance documentation required for most small and mid-sized merchants. The appropriate SAQ depends on how you process cards: SAQ A for fully outsourced e-commerce, SAQ B for imprint or standalone terminals, SAQ C for payment application systems, and SAQ D for complex environments. Securafy helps determine and complete the correct SAQ.

What are the new PCI-DSS v4.0 requirements?

PCI-DSS v4.0 (effective March 2024 for new requirements) added targeted risk analysis requirements, expanded MFA requirements across all CDE access, new e-commerce security requirements, enhanced logging and monitoring requirements, and a focus on customized implementation approaches. All v4.0 new requirements became mandatory as of March 31, 2025.

What is network segmentation for PCI-DSS?

PCI-DSS network segmentation isolates the Cardholder Data Environment (CDE) from other systems, reducing the scope of the audit and the attack surface. Properly implemented segmentation means a breach in a non-CDE system cannot reach card data. Securafy implements and documents PCI-compliant network segmentation as part of Comply-CARE.

What is quarterly ASV scanning for PCI compliance?

PCI-DSS requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). These scans test the external perimeter of systems in scope for PCI and must result in a passing report for compliance. Securafy coordinates ASV scanning as part of Comply-CARE and tracks remediation of findings through to resolution.

What are the PCI-DSS penalties for non-compliance?

Card brands (Visa, Mastercard, Amex) can impose fines of $5,000–$100,000 per month for non-compliant merchants. Following a breach, fines increase to $50,000–$90 per compromised card record. Merchants may also lose card processing privileges entirely. PCI compliance is not optional — it is a contractual requirement with your payment processor.

NIST CSF 2.0 HIPAA CMMC 2.0 GLBA / FFIEC CJIS PCI DSS Ohio Safe Harbor SOC 2 Cyber Insurance FTC Safeguards

💳 Payment Card Compliance

Pci-dss
Compliance

PCI DSS v4.0 requires any business that processes, stores, or transmits payment card data to implement security controls including network segmentation, quarterly vulnerability scans, annual penetration testing, and documented incident response. Non-compliance carries $5,000–$100,000 monthly fines from card brands. Securafy delivers complete PCI DSS v4.0 compliance management, ASV scanning, and QSA support for Ohio merchants and service providers.

Free PCI Compliance Assessment COMPLY-CARE Services

Monthly Fine Exposure

$100K+

Monthly PCI DSS non-compliance fines range from $5,000 to $100,000+ depending on transaction volume and breach scope.

Free · No Obligation

See where your gaps are — before auditors or attackers find them.

🛡 Book a Free Assessment

★★★★★5.0 Google · Verified reviews

What Is PCI DSS v4.0?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements established by the major card brands (Visa, Mastercard, Amex, Discover) through the Payment Card Industry Security Standards Council (PCI SSC). PCI DSS v4.0 became the only valid version in March 2024, replacing v3.2.1.

PCI DSS applies to any organization that accepts, processes, stores, or transmits cardholder data — regardless of size or transaction volume. The standard contains 12 core requirements and 64 sub-requirements, with specific validation requirements (SAQ or QSA assessment) based on your merchant level and how cards are processed.

PCI DSS v4.0 introduced significant changes including new requirements for targeted risk analysis, multi-factor authentication expansion, anti-phishing controls, and enhanced authentication requirements. Businesses that were compliant under v3.2.1 must re-validate their compliance against v4.0 requirements.

"A single PCI breach can result in $5,000–$100,000 per month in fines, card brand penalties, and full liability for all fraudulent charges traced to the compromise."

Core PCI DSS v4.0 requirements

$100K

Per-month fines for non-compliant merchants

$3.6M

Average cost of a payment card data breach

v4.0

Only valid version since March 2024

The 12 Requirements

PCI DSS v4.0 Core Requirements

🔥

Req 1: Network Security Controls

Install and maintain network security controls (firewalls, routers) that restrict inbound and outbound traffic to only that which is necessary. Network diagrams and cardholder data flow diagrams required.

🔧

Req 2: Secure Configurations

Apply secure configurations to all system components. No default passwords, no unnecessary services, documented baseline configurations, and regular verification that configurations remain compliant.

🔐

Req 3: Protect Stored Account Data

Minimize cardholder data storage. Never store CVV/CVV2 after authorization. Encrypt stored PANs using strong cryptography. Understand exactly where cardholder data resides in your environment.

🔒

Req 4: Encrypt Transmission of Cardholder Data

Use strong cryptography (TLS 1.2 minimum, TLS 1.3 preferred) for all cardholder data transmitted over open, public networks. No unencrypted cardholder data may travel over the internet or public networks.

🛡️

Req 5: Protect Against Malicious Software

Deploy anti-malware solutions on all applicable system components. Maintain anti-malware mechanisms active and current. PCI DSS v4.0 adds anti-phishing as an explicit requirement.

🔨

Req 6: Develop & Maintain Secure Systems

Vulnerability identification and remediation processes, security patching, secure coding practices for internally developed applications, and web application firewall (WAF) for customer-facing web applications.

👤

Req 7: Restrict Access to System Components

Access to cardholder data and system components must be restricted to individuals with a legitimate business need. Least-privilege principle enforced with role-based access controls and documented approval processes.

🆔

Req 8: Identify & Authenticate Users

Unique IDs for all users, strong authentication requirements, MFA for all non-console administrative access and for all remote access — PCI DSS v4.0 significantly expanded MFA requirements vs v3.2.1.

🏢

Req 9: Restrict Physical Access

Physical access controls for systems processing cardholder data. Visitor management, badge access logs, media protection, and destruction procedures for cardholder data storage media.

📊

Req 10: Log & Monitor All Access

Audit logs for all access to cardholder data and system components. Log retention (12 months minimum, 3 months immediately available). Automated log review and alerting for suspicious activity.

🔬

Req 11: Test Security Systems Regularly

Vulnerability scans (quarterly internal and external), penetration testing (annual minimum), intrusion detection/prevention, and file integrity monitoring on critical system files and configurations.

📋

Req 12: Support Information Security

Documented information security policy, risk assessment process, security awareness training, service provider management, incident response plan, and targeted risk analysis for new requirements introduced in v4.0.

Validation Types

SAQ vs. QSA — Which Do You Need?

Your required validation method depends on your merchant level (transaction volume) and how you process cards. Most SMBs nationwide are Level 4 merchants — but the right SAQ type depends on your processing environment.

Merchant Level	Annual Transactions	Validation Required
Level 1	6M+ Visa/Mastercard or any breach	Annual QSA on-site assessment + quarterly network scan
Level 2	1M–6M transactions	Annual SAQ or QSA assessment + quarterly scan
Level 3	20K–1M e-commerce transactions	Annual SAQ + quarterly external vulnerability scan
Level 4	Under 20K e-commerce or under 1M other	Annual SAQ + quarterly external vulnerability scan recommended

How Securafy Helps

PCI DSS Compliance Made Simple

Cardholder Data Discovery

We locate all cardholder data across your environment — file servers, databases, email, backups — to define your true CDE scope. Unknown data storage is one of the most common PCI assessment failures.

SAQ Completion Support

We work through your Self-Assessment Questionnaire with you, ensuring each question is answered accurately based on your actual technical environment — not what you hope is true.

Network Segmentation

We design and implement network segmentation that isolates your Cardholder Data Environment (CDE), dramatically reducing your PCI scope and simplifying your compliance program.

Quarterly Vulnerability Scanning

We provide Approved Scanning Vendor (ASV) external vulnerability scans on a quarterly basis, manage the remediation of scan findings, and produce the compliance reports required for your acquiring bank.

Annual Penetration Testing

We conduct PCI DSS-scoped penetration tests meeting Requirement 11 standards — segmentation testing, external and internal network testing, and application-layer testing where applicable.

Continuous PCI Monitoring

Our 24/7 SOC provides the log monitoring, file integrity monitoring, and intrusion detection required by Requirements 10 and 11 — continuously, not just at audit time.

Common Questions

PCI DSS FAQ

We use a payment processor — do we still need PCI compliance?

Yes, unless you use a fully outsourced solution where cardholder data never touches your systems (a properly implemented P2PE or tokenization solution). If card numbers can appear on a screen in your environment, pass through your network, or be stored anywhere you control, you are in scope for PCI DSS. Using Stripe, Square, or similar processors reduces scope but doesn't eliminate it entirely.

What's new in PCI DSS v4.0 vs v3.2.1?

Key v4.0 changes include: expanded MFA requirements (now required for all access to CDE, not just remote access), mandatory targeted risk analysis for customized implementations, new anti-phishing requirements, stronger cryptographic requirements, new roles and responsibilities documentation for each requirement, and a March 2025 deadline for all new "future-dated" requirements that were optional in early v4.0 adoption.

What are the penalties for PCI non-compliance?

Card brands (Visa, Mastercard) can levy monthly fines of $5,000–$100,000 for non-compliant merchants. In a breach, non-compliant merchants face full liability for all fraudulent charges traced to the compromise, forensic investigation costs, card replacement costs, and potential termination of card acceptance. Fines and liability flow through your acquiring bank — which will pass them directly to you.

How often do we need to reassess PCI compliance?

Annual SAQ completion, annual penetration testing, and quarterly external vulnerability scans are the baseline. However, PCI compliance is a continuous state — any significant change to your payment environment (new systems, new applications, changed network configurations) may require reassessment of affected requirements. Compliance should be maintained continuously, not just validated annually.

From the Blog

Free Resources

Free Cybersecurity Risk Assessment →

@media(max-width:640px){.blog-resources-cluster{grid-template-columns:1fr !important;}}

Related Resources

🛡️

Country Club IT Services

Read 1,500+ Articles on Our Blog

No obligation · Custom proposal within 4 business hours

Ready to Become
Audit-ready?

Securafy builds and maintains compliance programs for Columbus and Cleveland, businesses nationwide. Prevention-First. Compliance-Ready. Award-Winning.

Free Compliance Assessment COMPLY-CARE Services

📧 sales@securafy.com

📞 (330) 906-8888

📍 Columbus & Cleveland, Ohio

Monthly Fine Exposure

$100K+

Monthly PCI DSS non-compliance fines range from $5,000 to $100,000+ depending on transaction volume and breach scope. Securafy delivers full PCI DSS compliance documentation.

Get a Free PCI DSS Assessment →

Free · No Obligation

See where your compliance gaps are — before auditors do.