PCI DSS Compliance Guide: Requirements, Checklist & Best Practices

If your business accepts credit cards, you must comply with PCI DSS. Non-compliance fines range from $5,000 to $100,000 per month, and a breach involving cardholder data can cost millions. This guide walks you through every requirement, the new PCI DSS 4.0 changes, and practical implementation steps.

What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements created by the PCI Security Standards Council (founded by Visa, Mastercard, American Express, Discover, and JCB). Any organization that stores, processes, or transmits cardholder data must comply — this includes merchants, payment processors, hosting providers, and any third party in the payment chain.

PCI DSS 4.0, released in March 2022, became mandatory on March 31, 2025, replacing version 3.2.1. The new version introduces a more flexible, outcome-based approach while adding stricter requirements around authentication, encryption, and vulnerability management. Organizations that have not yet met the 4.0 requirements are already non-compliant.

The 12 PCI DSS Requirements

Build and Maintain a Secure Network

Requirement 1: Install and maintain network security controls. Deploy firewalls (or equivalent) between all untrusted networks and the cardholder data environment (CDE). Document all traffic rules, review configurations every six months, and restrict traffic to only what is necessary for business. PCI DSS 4.0 now requires network security controls to be managed through a formal change control process.

Requirement 2: Apply secure configurations to all system components. Change all vendor-supplied defaults (passwords, configurations, SNMP strings) before deploying any system. Maintain a configuration standard for each type of system component. Use our Password Generator to create strong replacement credentials for default accounts.

Protect Account Data

Requirement 3: Protect stored account data. Minimize data storage — do not store cardholder data unless absolutely necessary. Mask PAN (display only last four digits), encrypt stored data using strong cryptography, and implement key management procedures. Never store CVV, PIN, or full track data after authorization.
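As an added example (not from the original article), the following Python audits stored records such as application log lines for the data Requirement 3 says must not be there: it finds card-number candidates, uses the Luhn check so that ordinary 16-digit reference numbers are not flagged, reports prohibited post-authorization fields (CVV, PIN, track data), and shows the masked form (last four digits only) that the record should have carried. The sample records and field names are constructed; the PANs are the widely used 4111... and 5500... test numbers, not real accounts.

```python
import re

# Constructed sample records (log lines). The card numbers are the well-known
# 4111... / 5500... test PANs, which pass the Luhn check but are not real accounts.
SAMPLE_RECORDS = [
    "order=1001 pan=4111 1111 1111 1111 cvv=123 status=authorized",
    "order=1002 pan=5500000000000004 status=declined",
    "order=1003 ref=1234567890123456 status=ok",        # Luhn-invalid, not a PAN
    "order=1004 token=tok_9f8e7d status=authorized",      # tokenized, nothing to flag
]

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Fields that must never be stored after authorization (constructed field names).
PROHIBITED_FIELD = re.compile(r"\b(cvv2?|cvc2?|pin|track[12]?)\s*=", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form described above: only the last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit card numbers found in text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def audit_records(records: list[str]) -> list[dict]:
    """Flag every record holding a PAN or a prohibited field; report PANs masked."""
    findings = []
    for rec in records:
        pans = find_pans(rec)
        prohibited = [m.group(1).lower() for m in PROHIBITED_FIELD.finditer(rec)]
        if pans or prohibited:
            findings.append({"record": rec, "pans": [mask_pan(p) for p in pans],
                             "prohibited_fields": prohibited})
    return findings
```

Running `audit_records(SAMPLE_RECORDS)` flags the first two records only; the Luhn-invalid reference number and the tokenized order pass clean.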

Requirement 4: Protect cardholder data with strong cryptography during transmission. Use TLS 1.2 or higher for all transmissions of cardholder data over public networks. Verify your SSL/TLS configuration with our SSL Checker. PCI DSS 4.0 now requires TLS certificates to be valid and not expired, with automated monitoring for certificate expiration.

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems and networks from malicious software. Deploy anti-malware on all systems commonly affected by malware, perform periodic evaluations, and keep anti-malware solutions current. PCI DSS 4.0 extends this to include phishing protection mechanisms.

Requirement 6: Develop and maintain secure systems and software. Patch critical vulnerabilities within one month of release. Address all identified vulnerabilities in custom software. Implement secure software development practices. Web-facing applications must be protected by a WAF or undergo code review annually.

Implement Strong Access Control Measures

Requirement 7: Restrict access to system components and cardholder data by business need-to-know. Implement role-based access control (RBAC). Document access rules for each role. Review access privileges at least every six months.

Requirement 8: Identify users and authenticate access to system components. Assign unique IDs to all users. Enforce MFA for all access to the CDE and all remote access. PCI DSS 4.0 requires passwords to be at least 12 characters (up from 7) and MFA for all access to the CDE, not just administrative access. Check password compliance with our Password Strength Checker.

Requirement 9: Restrict physical access to cardholder data. Use physical access controls (badges, locks, cameras) for facilities containing cardholder data or systems. Maintain visitor logs. Destroy media containing cardholder data when no longer needed.

Regularly Monitor and Test Networks

Requirement 10: Log and monitor all access to system components and cardholder data. Implement automated audit trails for all system components. Synchronize clocks using NTP. Review logs daily using automated tools. Retain audit trail history for at least 12 months, with the most recent 3 months immediately available.

Requirement 11: Test security of systems and networks regularly. Run quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Perform internal vulnerability scans at least quarterly and after significant changes. Conduct annual penetration tests. PCI DSS 4.0 adds requirements for authenticated internal scanning and managing all applicable vulnerabilities (not just CVSS 4.0+).

Maintain an Information Security Policy

Requirement 12: Support information security with organizational policies and programs. Establish and maintain a comprehensive security policy. Conduct annual risk assessments. Implement a security awareness program. Maintain an incident response plan that is tested annually. Manage third-party service providers with formal agreements and ongoing monitoring.

PCI DSS 4.0: Key Changes You Must Know

  • Customized approach: Organizations can now design their own controls to meet each objective, provided they can demonstrate the control meets the intent. This provides flexibility but requires more documentation.
  • Enhanced authentication: MFA required for ALL CDE access (not just admin). Password minimum increased to 12 characters. Stronger MFA implementation requirements.
  • Targeted risk analysis: Many requirements now allow organizations to define their own frequencies for periodic controls based on a documented risk analysis.
  • New e-commerce requirements: E-commerce sites must maintain an inventory of payment page scripts and implement mechanisms to detect unauthorized changes to HTTP headers and payment page content.
  • Automated log reviews: Manual daily log reviews are no longer sufficient — automated mechanisms are required to detect anomalies.
  • Internal vulnerability scanning: Must be authenticated and cover all in-scope assets. Previously, authenticated scanning was recommended but not required.
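The payment page script controls above reduce to two artifacts: an authorized inventory (which scripts may load, why, and what their approved bodies hash to) and a periodic comparison of what the live page actually loaded against that inventory. The following Python, an added example rather than code from the article, models both, and also derives the Subresource Integrity value that lets the browser itself refuse a changed script body. All URLs and script bodies are constructed sample data.

```python
import base64
import hashlib


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def sri_integrity(body: bytes) -> str:
    """Value for a <script integrity="..."> attribute (Subresource Integrity)."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()


# Constructed: approved script bodies at the time of the last security review.
APPROVED_PAYMENT_JS = b"window.pay = function(){ /* approved checkout widget */ };"
APPROVED_ANALYTICS_JS = b"window.track = function(e){ /* approved, no card fields */ };"

# Constructed: the authorized inventory a merchant maintains for its payment page.
AUTHORIZED_SCRIPTS = {
    "https://pay.example.test/checkout.js": {
        "justification": "processor-hosted payment form",
        "sha256": sha256_hex(APPROVED_PAYMENT_JS),
    },
    "https://static.example.test/analytics.js": {
        "justification": "page analytics, approved by security review",
        "sha256": sha256_hex(APPROVED_ANALYTICS_JS),
    },
}

# Constructed: what a monitoring fetch of the live payment page observed. The analytics
# script body has changed and an unreviewed third-party script has appeared.
OBSERVED_SCRIPTS = {
    "https://pay.example.test/checkout.js": APPROVED_PAYMENT_JS,
    "https://static.example.test/analytics.js": b"window.track = function(e){ /* changed */ };",
    "https://cdn.unknown.test/helper.js": b"/* never reviewed */",
}


def check_payment_page(observed: dict, authorized: dict) -> list[tuple[str, str]]:
    """Compare loaded scripts with the inventory; return sorted (alert_type, url) pairs
    for scripts that are unauthorized (not in inventory), modified (hash mismatch),
    or missing (in inventory but no longer loaded, which can also signal tampering)."""
    alerts = []
    for url, body in observed.items():
        entry = authorized.get(url)
        if entry is None:
            alerts.append(("unauthorized", url))
        elif sha256_hex(body) != entry["sha256"]:
            alerts.append(("modified", url))
    alerts += [("missing", url) for url in authorized if url not in observed]
    return sorted(alerts)
```

Any non-empty result from `check_payment_page` is the alert the change-detection mechanism must raise; the inventory hashes double as the values to publish in `integrity` attributes.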

PCI DSS Compliance Levels

  • Level 1: Over 6 million transactions/year. Requires annual on-site assessment by a QSA and quarterly ASV scans.
  • Level 2: 1-6 million transactions/year. Requires annual SAQ and quarterly ASV scans. On-site QSA assessment may be required by acquirer.
  • Level 3: 20,000-1 million e-commerce transactions/year. Requires annual SAQ and quarterly ASV scans.
  • Level 4: Under 20,000 e-commerce or under 1 million total transactions/year. Requires annual SAQ and quarterly ASV scans (requirements vary by card brand).

PCI DSS Compliance Checklist

  1. Determine your compliance level and applicable SAQ type
  2. Define your cardholder data environment (CDE) scope
  3. Conduct a gap analysis against all 12 requirements
  4. Implement network segmentation to reduce CDE scope
  5. Deploy and configure firewalls at all CDE boundaries
  6. Encrypt cardholder data at rest and in transit (TLS 1.2+)
  7. Implement MFA for all CDE and remote access
  8. Deploy anti-malware and keep signatures current
  9. Establish a patch management program (critical patches within 30 days)
  10. Configure centralized logging with automated review
  11. Schedule quarterly ASV scans and annual penetration tests
  12. Document policies, procedures, and incident response plan
  13. Train all staff on security awareness annually
  14. Complete appropriate SAQ or engage QSA for on-site assessment

Frequently Asked Questions

How much does PCI DSS compliance cost?

Costs vary dramatically by compliance level and current security maturity. Level 4 merchants using SAQ A (outsourced payment processing) may spend $1,000-5,000/year on ASV scans and SAQ completion. Level 1 merchants with complex CDEs can spend $200,000-500,000+/year on QSA assessments, penetration testing, security tools, and remediation. The most effective cost reduction strategy is minimizing your CDE scope through tokenization and payment processor delegation.

Do I need PCI compliance if I use Stripe or PayPal?

Yes, but your scope is dramatically reduced. If you use a payment processor that handles all cardholder data (Stripe Elements, PayPal hosted checkout), you typically qualify for SAQ A — the simplest self-assessment. You still need to maintain secure infrastructure, implement TLS, and complete the SAQ annually. You do NOT need to handle or store card numbers, which eliminates the most burdensome requirements.

What happens if we fail a quarterly ASV scan?

You have 90 days to remediate the findings and re-scan until you pass. Continuous failure to pass ASV scans can result in non-compliance status, which your acquiring bank may escalate to fines or increased transaction fees. Common ASV scan failures include exposed vulnerable software versions, missing security headers, weak SSL/TLS configurations, and open ports with known vulnerabilities. Run our Exposure Checker regularly between ASV scans to catch these issues early.

Is PCI DSS compliance the same as being secure?

No. PCI DSS is a minimum baseline, not a comprehensive security program. Many breached organizations were PCI compliant at the time of their last assessment. Compliance is a point-in-time validation; security is a continuous process. Use PCI DSS as a foundation and build additional controls based on your specific threat landscape, industry best practices, and frameworks like NIST CSF or ISO 27001.

The Bottom Line

PCI DSS compliance is mandatory for any organization in the payment card ecosystem, and PCI DSS 4.0 has raised the bar significantly. Start by minimizing your CDE scope through tokenization and payment processor delegation, then systematically address each of the 12 requirements. Regular vulnerability scanning, strong access controls, encryption, and a tested incident response plan form the foundation. Treat compliance as a continuous program, not an annual checkbox — the organizations that get breached are often the ones that let their controls drift between assessments.