PCI DSS v4.0 is now the only valid standard. Any Ohio business that accepts, processes, stores, or transmits payment card data must comply — regardless of size. Non-compliance means card brand fines, increased transaction fees, and liability for all fraudulent charges in a breach. Securafy delivers PCI-compliant managed IT for Ohio merchants.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements established by the major card brands (Visa, Mastercard, Amex, Discover) through the Payment Card Industry Security Standards Council (PCI SSC). PCI DSS v4.0 became the only valid version in March 2024, replacing v3.2.1.
PCI DSS applies to any organization that accepts, processes, stores, or transmits cardholder data — regardless of size or transaction volume. The standard contains 12 core requirements and 64 sub-requirements, with specific validation requirements (SAQ or QSA assessment) based on your merchant level and how cards are processed.
PCI DSS v4.0 introduced significant changes including new requirements for targeted risk analysis, multi-factor authentication expansion, anti-phishing controls, and enhanced authentication requirements. Businesses that were compliant under v3.2.1 must re-validate their compliance against v4.0 requirements.
"A single PCI breach can result in $5,000–$100,000 per month in fines, card brand penalties, and full liability for all fraudulent charges traced to the compromise."
Requirement 1: Install and maintain network security controls (firewalls, routers) that restrict inbound and outbound traffic to only what is necessary. Network diagrams and cardholder data flow diagrams are required.
Requirement 2: Apply secure configurations to all system components: no default passwords, no unnecessary services, documented baseline configurations, and regular verification that configurations remain compliant.
Requirement 3: Minimize cardholder data storage. Never store CVV/CVV2 after authorization. Encrypt stored PANs using strong cryptography. Understand exactly where cardholder data resides in your environment.
Requirement 4: Use strong cryptography (TLS 1.2 minimum, TLS 1.3 preferred) for all cardholder data transmitted over open, public networks. No unencrypted cardholder data may travel over the internet or public networks.
Requirement 5: Deploy anti-malware solutions on all applicable system components and keep them active and current. PCI DSS v4.0 adds anti-phishing as an explicit requirement.
Requirement 6: Maintain vulnerability identification and remediation processes, security patching, secure coding practices for internally developed applications, and a web application firewall (WAF) for customer-facing web applications.
Requirement 7: Restrict access to cardholder data and system components to individuals with a legitimate business need. Enforce least privilege with role-based access controls and documented approval processes.
Requirement 8: Assign unique IDs to all users, enforce strong authentication, and require MFA for all non-console administrative access and for all remote access. PCI DSS v4.0 significantly expanded MFA requirements compared with v3.2.1.
Requirement 9: Apply physical access controls to systems processing cardholder data: visitor management, badge access logs, media protection, and destruction procedures for cardholder data storage media.
Requirement 10: Keep audit logs for all access to cardholder data and system components. Retain logs for 12 months minimum, with 3 months immediately available. Automate log review and alerting for suspicious activity.
Requirement 11: Run vulnerability scans (quarterly internal and external) and penetration tests (annual minimum), and deploy intrusion detection/prevention and file integrity monitoring on critical system files and configurations.
Requirement 12: Maintain a documented information security policy, risk assessment process, security awareness training, service provider management, incident response plan, and targeted risk analysis for the new requirements introduced in v4.0.
Your required validation method depends on your merchant level (transaction volume) and how you process cards. Most Ohio SMBs are Level 4 merchants — but the right SAQ type depends on your processing environment.
| Merchant Level | Annual Transactions | Validation Required |
|---|---|---|
| Level 1 | 6M+ Visa/Mastercard or any breach | Annual QSA on-site assessment + quarterly network scan |
| Level 2 | 1M–6M transactions | Annual SAQ or QSA assessment + quarterly scan |
| Level 3 | 20K–1M e-commerce transactions | Annual SAQ + quarterly external vulnerability scan |
| Level 4 | Under 20K e-commerce or under 1M other | Annual SAQ + quarterly external vulnerability scan recommended |
We locate all cardholder data across your environment — file servers, databases, email, backups — to define your true CDE scope. Unknown data storage is one of the most common PCI assessment failures.
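Added example, not Securafy's tooling: a small Python scanner of the kind used for the cardholder-data discovery step above and for Requirement 3's "know where cardholder data resides". It finds candidate PANs in text, drops false positives with the Luhn check, and reports only a masked form (first six and last four digits) so the scan report does not itself become stored cardholder data. The CSV export it scans is a constructed sample using well-known test card numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not part of a longer digit run (lookbehind/lookahead guards).
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters phone numbers, order IDs and other noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most first 6 / last 4, the display form PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(text: str):
    """Return (line_number, masked_pan) for each Luhn-valid PAN found."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append((line_no, mask_pan(digits)))
    return hits


# Constructed sample export: two valid test PANs, one Luhn-invalid 16-digit
# number, and phone numbers / dates that must not be reported.
SAMPLE = """\
customer_export.csv (constructed sample, not real data)
id,name,card,phone
1,Ann,4111 1111 1111 1111,614-555-0100
2,Bob,5500-0000-0000-0004,216-555-0199
3,Cal,4111111111111112,330-555-0123
note: invoice 20240317 paid
"""

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE):
        print(f"line {line_no}: unencrypted PAN {masked}")
```

In practice the same function is run over file shares, database dumps, mailbox exports and backups; every hit is a system that is inside your CDE scope whether or not it was in the network diagram.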
We work through your Self-Assessment Questionnaire with you, ensuring each question is answered accurately based on your actual technical environment — not what you hope is true.
We design and implement network segmentation that isolates your Cardholder Data Environment (CDE), dramatically reducing your PCI scope and simplifying your compliance program.
We provide Approved Scanning Vendor (ASV) external vulnerability scans on a quarterly basis, manage the remediation of scan findings, and produce the compliance reports required for your acquiring bank.
We conduct PCI DSS-scoped penetration tests meeting Requirement 11 standards — segmentation testing, external and internal network testing, and application-layer testing where applicable.
Our 24/7 SOC provides the log monitoring, file integrity monitoring, and intrusion detection required by Requirements 10 and 11 — continuously, not just at audit time.
Securafy builds and maintains compliance programs for Columbus and Cleveland, Ohio businesses. Prevention-First. Compliance-Ready. Award-Winning.