PCI DSS 4.0.1 Requirements

The Payment Card Industry Data Security Standard (PCI DSS) consists of 12 core requirements designed to ensure that organizations handle cardholder data securely. Version 4.0.1 includes updated requirements that take effect by March 2025.

PCI DSS 4.0.1 Updates

Key changes and new requirements in the latest version of the PCI DSS standard.

Enhanced Authentication

Stronger requirements for multi-factor authentication and privileged access management.

Customized Approach

New flexibility to meet security objectives through alternative methods.

Risk-Based Validation

More emphasis on risk assessment and validation frequency based on risk levels.

Requirement 1

Install and maintain network security controls

Use firewalls and other network security controls to protect cardholder data.

Key Sub-requirements:
Install and maintain firewall rules
Restrict network access between untrusted networks
Prohibit direct public access to any system component in the cardholder data environment (CDE)
Install personal firewall software on mobile devices

Requirement 2

Apply secure configurations to all system components

Remove default passwords and configure systems securely.

Key Sub-requirements:
Change default passwords and remove unnecessary default accounts
Remove or disable unnecessary services, protocols, and daemons
Configure system security parameters
Implement additional security features for any required services

Requirement 3

Protect stored account data

Protect cardholder data through encryption and secure storage.

Key Sub-requirements:
Keep cardholder data storage to a minimum
Do not store sensitive authentication data after authorization
Mask PAN when displayed
Render PAN unreadable anywhere it is stored

Requirement 4

Protect cardholder data with strong cryptography

Encrypt cardholder data during transmission over open networks.

Key Sub-requirements:
Use strong cryptography and security protocols
Never send unprotected PANs by end-user messaging technologies
Protect cryptographic keys used for encryption
Ensure security policies and procedures are maintained

Requirement 5

Protect all systems and networks from malicious software

Deploy and maintain anti-malware solutions.

Key Sub-requirements:
Deploy anti-malware software on all systems
Ensure anti-malware mechanisms are actively running
Keep anti-malware software current
Generate audit logs and review them regularly

Requirement 6

Develop and maintain secure systems and software

Maintain secure development practices and patch management.

Key Sub-requirements:
Establish a process to identify security vulnerabilities
Deploy critical security patches within one month
Develop applications based on secure coding guidelines
Protect public web applications against attacks

Requirement 7

Restrict access to system components and cardholder data by business need to know

Implement role-based access controls.

Key Sub-requirements:
Limit access to system components and cardholder data
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Define roles and restrict access to privileged functions

Requirement 8 (Updated in 4.0.1)

Identify users and authenticate access to system components

Implement strong authentication and user identification.

Key Sub-requirements:
Assign unique identification to each user
Implement two-factor authentication for remote access
Secure all individual non-console administrative access
Use strong authentication methods for all users

Requirement 9

Restrict physical access to cardholder data

Control physical access to systems and media.

Key Sub-requirements:
Use appropriate facility entry controls
Protect system consoles
Restrict physical access to wireless access points
Classify media and handle it securely

Requirement 10

Log and monitor all access to system components and cardholder data

Implement comprehensive logging and monitoring.

Key Sub-requirements:
Implement audit trails to link all access to system components
Implement automated audit trails for all system components
Record audit trail entries for all system components
Synchronize all critical system clocks and times

Requirement 11

Test security of systems and networks regularly

Perform regular security testing and monitoring.

Key Sub-requirements:
Implement processes to test for the presence of wireless access points
Run internal and external network vulnerability scans
Perform penetration testing on the network perimeter
Deploy intrusion detection and/or intrusion prevention systems

Requirement 12 (Updated in 4.0.1)

Support information security with organizational policies and programs

Maintain information security policies and procedures.

Key Sub-requirements:
Establish, publish, maintain, and disseminate a security policy
Implement a risk assessment process
Develop daily operational security procedures
Assign information security responsibilities to qualified personnel

Implementation Guidance

Start with Assessment

Begin by understanding which requirements apply to your specific environment through our comprehensive assessment tool.

Get Expert Help

For Level 1 merchants or complex environments, consider working with a Qualified Security Assessor (QSA).

Ongoing Compliance

PCI DSS compliance is not a one-time event. Maintain ongoing monitoring, testing, and validation processes.
