PCI DSS v4.0 goes into effect on March 31, 2024

Powerful protection

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a cybersecurity standard founded and supported by leading credit card and payment processing companies. Its primary objective is to ensure the security of cardholder information.

PCI DSS applies to any entity that stores, processes or transmits cardholder data. Even if your business outsources all payment processing, you can still be held responsible by your acquirer or payment brand in the event of a data breach.

Powerful protection

Complying with PCI DSS

There are 12 PCI requirements that organizations must meet to stay compliant, with over 300 sub-requirements in total. Your PCI level will depend on the number of card transactions processed per year.

Whether you’re looking to stay compliant with PCI DSS v3.2.1 or get compliant with v4 before the deadline of 31st March 2025, Defense.com can help. Address multiple requirements from a single platform and strengthen your security.

How Defense.com can help

Powerful protection

Powerful protection

Defend against cyberattacks and safeguard cardholder data with Defense.com Endpoint Detection & Response (EDR).

Protect your devices with anti-malware, anti-exploit, firewall and content control to help you meet PCI DSS compliance requirements.

24/7 monitoring

24/7 monitoring

Log monitoring (SIEM) technology can help you comply with PCI DSS standards and detect malicious activity across your network.

No SecOps team? No problem. Our 24/7 fully managed SIEM service helps you stay compliant without putting pressure on your team.

Manage security threats

Manage security threats

Identify, prioritize and remediate vulnerabilities from a single platform, including data from threat intel feeds, penetration tests and VA scans.

Get actionable remediation advice for each threat to help you quickly respond to issues and keep your systems secure.

Defense.com makes PCI DSS compliance easier

Find out more about each of the 12 requirements and how Defense.com can help you stay compliant.

Requirement 1

Install and maintain network security controls.

  • 1.1 Processes and mechanisms for installing and maintaining network security controls are defined and understood.
  • 1.2 Network security controls (NSCs) are configured and maintained.
  • 1.3 Network access to and from the cardholder data environment is restricted.
  • 1.4 Network connections between trusted and untrusted networks are controlled.
  • 1.5 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.

How Defense.com can help

  • 1.2 Threat Recon
  • 1.5 Endpoint Protection, MDR

Requirement 2

Apply secure configurations to all system components.

  • 2.1 Processes and mechanisms for applying secure configurations to all system components are defined and understood.
  • 2.2 System components are configured and managed securely.
  • 2.3 Wireless environments are configured and managed securely.

How Defense.com can help

  • 2.2 Endpoint Protection, MDR

Requirement 3

Protect stored account data.

  • 3.1 Processes and mechanisms for protecting stored account data are defined and understood.
  • 3.2 Storage of account data is kept to a minimum.
  • 3.3 Sensitive authentication data (SAD) is not stored after authorization.
  • 3.4 Access to displays of full PAN and ability to copy cardholder data are restricted.
  • 3.5 Primary account number (PAN) is secured wherever it is stored.
  • 3.6 Cryptographic keys used to protect stored account data are secured.
  • 3.7 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

How Defense.com can help

  • 3.5 Endpoint Protection

Requirement 4

Protect cardholder data with strong cryptography during transmission over open, public networks.

  • 4.1 Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.
  • 4.2 PAN is protected with strong cryptography during transmission.

Requirement 5

Protect all systems and networks from malicious software.

  • 5.1 Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.
  • 5.2 Malicious software (malware) is prevented, or detected and addressed.
  • 5.3 Anti-malware mechanisms and processes are active, maintained, and monitored.
  • 5.4 Anti-phishing mechanisms protect users against phishing attacks.

How Defense.com can help

  • 5.2 Endpoint Protection
  • 5.3 Endpoint Protection, Log Monitoring (SIEM), Managed SIEM, MDR
  • 5.4 Training and Exams

Requirement 6

Develop and maintain secure systems and software.

  • 6.1 Processes and mechanisms for developing and maintaining secure systems and software are defined and understood.
  • 6.2 Bespoke and custom software are developed securely.
  • 6.3 Security vulnerabilities are identified and addressed.
  • 6.4 Public-facing web applications are protected against attacks.
  • 6.5 Changes to all system components are managed securely.

How Defense.com can help

  • 6.3 Threat Intelligence, Threat Dashboard, Vulnerability Scanning, Asset Tracker, Endpoint Protection
  • 6.4 Threat Dashboard, Vulnerability Scanning, Log Monitoring (SIEM)

Requirement 7

Restrict access to system components and cardholder data by business need to know.

  • 7.1 Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.
  • 7.2 Access to system components and data is appropriately defined and assigned.
  • 7.3 Access to system components and data is managed via an access control system(s).

Requirement 8

Identify users and authenticate access to system components.

  • 8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.
  • 8.2 User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.
  • 8.3 Strong authentication for users and administrators is established and managed.
  • 8.4 Multi-factor authentication (MFA) is implemented to secure access into the CDE
  • 8.5 Multi-factor authentication (MFA) systems are configured to prevent misuse.
  • 8.6 Use of application and system accounts and associated authentication factors is strictly managed.

How Defense.com can help

  • 8.2 Log Monitoring (SIEM), Managed SIEM

Requirement 9

Restrict physical access to cardholder data.

  • 9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
  • 9.2 Physical access controls manage entry into facilities and systems containing cardholder data.
  • 9.3 Physical access for personnel and visitors is authorized and managed.
  • 9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed.
  • 9.5 Point of interaction (POI) devices are protected from tampering and unauthorized substitution.

Requirement 10

Log and monitor all access to system components and cardholder data.

  • 10.1 Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.
  • 10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
  • 10.3 Audit logs are protected from destruction and unauthorized modifications.
  • 10.4 Audit logs are reviewed to identify anomalies or suspicious activity.
  • 10.5 Audit log history is retained and available for analysis.
  • 10.6 Time-synchronization mechanisms support consistent time settings across all systems.
  • 10.7 Failures of critical security control systems are detected, reported, and responded to promptly.

How Defense.com can help

  • 10.2 Endpoint Protection
  • 10.4 Endpoint Protection
  • All elements – Log Monitoring (SIEM)

Requirement 11

Test security of systems and networks regularly.

  • 11.1 Processes and mechanisms for regularly testing security of systems and networks are defined and understood.
  • 11.2 Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.
  • 11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed.
  • 11.4 External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.
  • 11.5 Network intrusions and unexpected file changes are detected and responded to.
  • 11.6 Unauthorized changes on payment pages are detected and responded to.

How Defense.com can help

  • 11.3 Vulnerability Scanning, Endpoint Protection
  • 11.4 Penetration Testing
  • 11.5 Log Monitoring (SIEM)

Requirement 12

Support information security with organizational policies and programs.

  • 12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.
  • 12.2 Acceptable use policies for end-user technologies are defined and implemented.
  • 12.3 Risks to the cardholder data environment are formally identified, evaluated, and managed.
  • 12.4 PCI DSS compliance is managed.
  • 12.5 PCI DSS scope is documented and validated.
  • 12.6 Security awareness education is an ongoing activity.
  • 12.7 Personnel are screened to reduce risks from insider threats.
  • 12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
  • 12.9 Third-party service providers (TPSPs) support their customers’ PCI DSS compliance.
  • 12.10 Suspected and confirmed security incidents that could impact the CDE are responded to immediately.

How Defense.com can help

  • 12.3 Log Monitoring, Managed SIEM, MDR
  • 12.5 Asset Tracker
  • 12.6 Training and exams
  • 12.8 Endpoint Protection, Managed SIEM, MDR
  • 12.10 Endpoint Protection, Log Monitoring (SIEM), Managed SIEM, MDR
Fintech startup trusts Defense.com to comply with PCI DSS

Fintech startup trusts Defense.com to comply with PCI DSS

Discover why an emerging payment technology provider chose Defense.com to help them comply with PCI DSS requirements and monitor their environment 24/7 for security threats.

Read more
Why choose Defense.com?

Why choose Defense.com?

Defense.com helps you address multiple PCI DSS requirements from a single platform, simplifying your compliance. We’re also a PCI DSS Level 1 Service Provider and have a PCI Compliant Managed SOC service.

If you need additional help with PCI DSS compliance, we can also deliver bespoke consultancy and penetration testing services.

Comply with PCI DSS today

Find out how Defense.com can help you stay compliant and strengthen your security posture.

Here’s what our customers say about us

Protecting the world’s leading brands

PCI DSS FAQs

PCI DSS compliance is mandatory for any organization that handles cardholder data. This includes:

  • Merchants that accept card payments for goods or services, regardless of whether they outsource payment processing
  • Service providers that directly handle cardholder data on behalf of other entities
  • Organizations that fulfil both roles

Yes, all businesses that are involved with payment processing need to comply with PCI DSS, regardless of their size or transaction volume. However, small merchants can reduce the amount of effort required to comply due to their simpler environments, limited cardholder data, and fewer systems to protect.

For example, eligible businesses can take a ‘Self-Assessment Questionnaire (SAQ) to assess their security and potentially reduce the scope of PCI DSS compliance as it related to their organization and environment.

It is not a legal requirement for businesses to be PCI DSS compliant. The standard is enforced via contracts between merchants, payment processers and payment providers.

Payment brands can penalize acquiring banks for PCI DSS violations. In addition, if merchants are non-compliant then acquiring banks can remove their ability to accept card payments. Fines can also be passed down to merchants, which can vary from $5,000 to $100,000 per month until the they achieve compliance.

If a PCI DSS data breach occurs then it is also highly likely that the EU GDPR (General Data Protection Regulation) may have also been breached in some form. This regulation levies its own fines of up to of up to €20 million or 4% of global annual turnover.

PCI DSS 4.0 is the latest version of the information security standard designed by the Payment Card Industry Security Standards Council (PCI SSC). V4.0 of the standard was released in March 2022 and supersedes the previous version, v3.2.1.

The PCI SSC defines PCI DSS as:

“The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.”

PCI DSS v4.0 will go into effect on 31st March 2024, at which point v3.2.1 will be retired and will no longer be an active version of the standard . However, organizations will have until 31st March 2025 to fully implement some of the new requirements that were initially defined as best practices in v4.0.

Given that PCI DSS v4.0 has over 300 sub-requirements, it is advised that organizations prepare for the transition as early as possible and define an implementation timeline to remain compliant.