12 PCI DSS Requirements Explained and What’s New in PCI v4.0

What Is PCI DSS? 

Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. 

Developed by the PCI Security Standards Council, it aims to protect cardholder data and reduce credit card fraud through heightened security measures across the industry. Compliance is crucial for merchants and service providers handling payment card data to avoid security breaches.

PCI DSS is applicable globally, affecting any organization that deals with credit card transactions. It includes a framework that organizations must follow to protect cardholder information. Adhering to PCI DSS helps protect against data breaches and builds customer trust. These standards are periodically updated to address emerging threats.

Note: The latest major version of PCI DSS, v4.0, was announced in 2022 and the first major provisions took effect in March, 2024. Additional best practices were required to be validated by March, 2025. We’ll discuss the changes in v4.0 after covering the basic details of PCI requirements.

This is part of a series of articles about open source security.

Overview of 12 PCI DSS Requirements

PCI DSS consists of a set of requirements that all payment processing companies must follow to ensure cardholder data protection. These requirements are detailed below.

1. Install and Maintain a Firewall Configuration

A firewall acts as a security barrier, controlling incoming and outgoing traffic to protect cardholder data. Organizations must establish firewall and router configurations that restrict access from untrusted networks, prohibit direct public access, and document all configurations and data flows.

Compliance requirements:

• Define firewall and router configuration standards
• Restrict inbound and outbound traffic
• Prohibit direct public access to the cardholder data environment
• Review firewall and router rule sets at least every six months

2. Do Not Use Vendor-Supplied Defaults 

Default passwords and security settings from vendors are widely known and frequently exploited by attackers. Organizations must change all default credentials and ensure secure configurations.

Compliance requirements:

• Change all vendor-supplied default passwords and security settings
• Develop configuration standards addressing known vulnerabilities
• Encrypt all non-console administrative access
• Maintain an inventory of system components

3. Protect Stored Cardholder Data 

Cardholder data should only be stored when necessary, and sensitive authentication data must never be stored after authorization. Stored data must be protected using encryption, truncation, or tokenization.

Compliance requirements:

• Limit data storage to only what is necessary
• Mask PAN (Primary Account Number) when displayed
• Encrypt PAN wherever stored
• Implement key management procedures for encryption

4. Encrypt Transmission of Cardholder Data 

Cardholder data transmitted over open, public networks must be encrypted to prevent interception by attackers.

Compliance requirements:

• Use strong encryption and security protocols (e.g., TLS, IPSec)
• Implement encryption for wireless transmissions of cardholder data
• Do not send unprotected PAN via email, chat, or other messaging services

5. Protect Systems Against Malware 

Organizations must deploy anti-malware solutions to protect against evolving threats and ensure that security tools remain up to date.

Compliance requirements:

• Install and maintain anti-virus software on all systems commonly affected by malware
• Ensure anti-virus software is regularly updated and actively running
• Conduct periodic scans and log audit results

6. Develop and Maintain Secure Systems and Applications 

Security vulnerabilities in applications and systems can be exploited by attackers. Organizations must ensure that security patches are promptly applied and that secure coding practices are followed.

Compliance requirements:

• Regularly install security patches, addressing critical vulnerabilities within 30 days
• Follow secure coding practices to prevent vulnerabilities like SQL injection
• Implement a change control process for system modifications
• Use security tools such as web application firewalls

7. Restrict Access to Cardholder Data 

Only authorized personnel should have access to cardholder data based on business needs.

Compliance requirements:

• Implement role-based access controls (RBAC)
• Restrict access to only those whose job requires it
• Set default access to "deny all" unless specifically approved

8. Identify and Authenticate Access 

Every user must have a unique ID, and multi-factor authentication (MFA) should be used for access to critical systems.

Compliance requirements:

• Assign unique user IDs to all individuals accessing system components
• Require strong authentication (passwords, tokens, biometrics)
• Implement MFA for non-console administrative and remote access
• Restrict shared or group accounts

9. Restrict Physical Access to Cardholder Data

Physical security controls must be in place to prevent unauthorized access to cardholder data stored on premises.

Compliance requirements:

• Implement access controls to sensitive areas
• Use ID badges to distinguish personnel from visitors
• Secure media containing cardholder data and properly destroy it when no longer needed
• Conduct periodic inspections of devices that handle payment card data

10. Track and Monitor All Access 

All access to network resources and cardholder data must be logged to detect unauthorized activity.

Compliance requirements:

• Maintain audit logs linking access to individual users
• Record details such as access time, user ID, and type of event
• Secure logs to prevent tampering
• Review logs daily for suspicious activity

11. Regularly Test Security Systems and Processes 

Regular security testing is essential to identify and address vulnerabilities before they can be exploited.

Compliance requirements:

• Perform quarterly vulnerability scans and address identified issues
• Conduct annual penetration tests
• Deploy intrusion detection/prevention systems (IDS/IPS)
• Use file integrity monitoring to detect unauthorized changes

12. Maintain an Information Security Policy

A formal security policy must be established and enforced for all personnel to ensure ongoing protection of cardholder data.

Compliance requirements:

• Develop and distribute a security policy, reviewing it annually
• Conduct risk assessments at least once a year
• Provide security awareness training to employees
• Implement an incident response plan

{{expert-tip}}

Understanding PCI DSS 4.0 Updates 

The release of PCI DSS 4.0 represents a significant update aimed at addressing evolving security threats and providing greater flexibility for organizations to achieve compliance. Introduced by the PCI Security Standards Council, the updated framework includes improvements to existing requirements and introduces new measures to improve the overall effectiveness of security practices. 

PCI DSS 4.0 Timeline 

PCI DSS 4.0 was officially released in March 2022, with a transition period to help organizations move from version 3.2.1 to the new standard. The transition follows a phased approach with two key deadlines:

‍

• March 31, 2024: By this date, organizations were required to comply with all immediate requirements in PCI DSS 4.0. This marks the retirement of PCI DSS 3.2.1, meaning assessments conducted from April 2024 onward will be based entirely on the new version.
• March 31, 2025: By this date, organizations were required to implement and validate additional best practice requirements in PCI DSS 4.0. Until this date, these best practices were recommended but not mandatory for compliance assessments.

Key Changes in PCI DSS 4.0 

Emphasis on customized approaches

PCI DSS 4.0 introduces a customized validation approach, allowing organizations to tailor security measures to their business models and risk profiles. This allows organizations to meet security objectives while leveraging technologies and processes that align with their unique operational environments.

Stronger authentication requirements

To combat increasingly sophisticated attacks, PCI DSS 4.0 strengthens authentication requirements. Multi-factor authentication (MFA) is now mandatory for all access to cardholder data, including for both administrative users and system components.

Enhanced monitoring and testing

The updated standard emphasizes ongoing security monitoring and testing. Organizations must implement automated mechanisms to detect and respond to anomalies in real time. This includes continuous threat detection and logging.

Stronger encryption protocols

PCI DSS 4.0 expands encryption requirements, mandating the use of stronger encryption algorithms and key management practices. These improvements address vulnerabilities associated with outdated cryptographic protocols.

New requirements for risk assessments

Organizations are required to conduct more frequent and thorough risk assessments under PCI DSS 4.0. These assessments must account for emerging threats and changes in the organization’s environment.

Clearer guidance on roles and responsibilities

The new version provides more detailed guidance on assigning security responsibilities within an organization. This includes explicit documentation of roles for managing and maintaining compliance.

Transition and implementation timeline

PCI DSS 4.0 includes a transition period during which organizations can adopt the new requirements while still meeting the current standards. This phased approach ensures organizations have sufficient time to adjust their processes, train personnel, and implement necessary changes before full enforcement.

5 Best Practices for Adhering to PCI Requirements 

Organizations can ensure compliance with PCI DSS by implementing the following best practices.

1. Conduct Regular Risk Assessments

Risk assessments help organizations identify vulnerabilities in their cardholder data environments (CDE) and take proactive measures to mitigate threats. Regular assessments ensure compliance with PCI DSS Requirement 12.2, which mandates formal risk evaluations at least annually or upon significant changes to the environment.

By systematically evaluating critical assets, threats, and potential impact, organizations can prioritize security measures and apply targeted controls to protect sensitive payment data. This reduces the risk of data breaches and helps maintain a compliant security posture over time.

2. Implement Security Awareness Training

Human error is a leading cause of security breaches, making employee training essential for maintaining PCI DSS compliance. PCI DSS Requirement 12.6 mandates security awareness programs to educate employees about handling cardholder data securely and recognizing potential threats like phishing attacks and social engineering.

Regular training ensures that personnel understand security policies, their role in protecting payment data, and how to respond to security incidents. Organizations should conduct periodic training sessions and reinforce best practices to strengthen their overall security culture.

3. Employ Encryption and Tokenization

Encryption and tokenization help protect stored and transmitted cardholder data by making it unreadable to unauthorized users. PCI DSS Requirement 3.4 requires organizations to render PAN (Primary Account Number) unreadable wherever it is stored, while Requirement 4.1 mandates strong encryption for data transmission across public networks.

Tokenization replaces sensitive card data with unique tokens, reducing exposure and limiting PCI DSS compliance scope. When implemented effectively, these techniques significantly lower the risk of data theft and improve regulatory compliance.

4. Develop Incident Response Plans

A well-defined incident response plan is crucial for detecting, containing, and mitigating security incidents. PCI DSS Requirement 12.10 mandates organizations to establish and maintain an incident response plan, ensuring they can act quickly in case of a data breach.

An effective plan includes defined roles, response procedures, and clear escalation paths for different incident scenarios. Regular testing and updates to the response plan help organizations stay prepared for evolving threats and minimize potential damage from security incidents.

5. Engage Qualified Security Assessors (QSAs)

QSAs provide expert guidance on PCI DSS compliance by conducting assessments, identifying gaps, and ensuring security controls are properly implemented. PCI DSS Requirement 11.3 mandates penetration testing, which QSAs can help conduct to evaluate the effectiveness of an organization’s security posture.

Working with QSAs ensures that compliance efforts are thorough and align with industry best practices. They assist in validating security measures, providing remediation strategies, and helping organizations maintain compliance with evolving PCI DSS standards.

Related content: Read our guide to eBPF security

How Oligo’s Real-Litime Security Supports PCI Compliance

Oligo helps simplify PCI DSS 4.0 compliance by identifying what’s actually running within applications that process payment data. From maintaining an inventory of software components, to continuously reviewing and remediating vulnerabilities, Oligo provides real-time data to simplify PCI audits and reviews. 

Learn more about how Oligo helps you comply with PCI DSS 4.0