PCI DSS v4.0.1
Payment Card Industry Data Security Standard
Current Version: PCI DSS v4.0.1 (Published June 2024)
Previous Version: PCI DSS v4.0 (March 2022, retired December 31, 2024)
Authority: PCI Security Standards Council
Mandated By: Visa, Mastercard, American Express, Discover, JCB (payment card brands)
Purpose and Scope
Baseline security requirements to protect payment account data and the cardholder data environment (CDE). Applies to ALL entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), regardless of size or transaction volume.
6 Control Objectives and 12 Requirements
Build and Maintain Secure Network
- Install and maintain network security controls
- Apply secure configurations to all system components
Protect Cardholder Data
- Protect stored cardholder data
- Protect cardholder data with strong cryptography during transmission
Maintain Vulnerability Management Program
- Protect all systems from malicious software
- Develop and maintain secure systems and software
Implement Strong Access Control Measures
- Restrict access by business need to know
- Identify users and authenticate access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
Maintain Information Security Policy
- Support information security with organizational policies and programs
Key Changes in v4.0
- 64 new requirements added
- 51 future-dated requirements (best practices until March 31, 2025, then mandatory)
- Enhanced flexibility with Customized Approach option
- Outcome-based language focusing on security objectives
- Strengthened authentication, logging, and cryptography requirements
Merchant Levels (Transaction Volume)
Level 1: 6M+ transactions annually - Annual ROC by QSA + quarterly ASV scans
Level 2: 1M-6M transactions - Annual SAQ + quarterly ASV scans
Level 3: 20K-1M e-commerce transactions - Annual SAQ + quarterly ASV scans
Level 4: <20K e-commerce or <1M total - Annual SAQ + quarterly ASV scans
Service Provider Levels
Level 1: 300K+ transactions annually - Annual ROC by QSA
Level 2: <300K transactions - SAQ D for Service Providers
Assessment Types
- SAQ (Self-Assessment Questionnaire): Multiple types (A, A-EP, B, B-IP, C, C-VT, P2PE, D)
- ROC (Report on Compliance): Required for Level 1 merchants/service providers, conducted by QSA
- ASV Scans: Quarterly external vulnerability scans by Approved Scanning Vendor
Mandatory Nature
NOT federal/state law (except Nevada, which incorporated PCI DSS into state law). PCI DSS is a contractual requirement enforced by:
- Payment card brands (Visa, Mastercard, Amex, Discover, JCB)
- Acquiring banks through merchant agreements
- Payment processors
Compliance is mandatory through contracts, not regulation (with state exceptions).
Enforcement
Payment card brands and acquiring banks enforce compliance:
- Monthly fines: $5,000-$100,000 for non-compliance
- Per-transaction fees during non-compliance
- Increased processing costs
- Loss of card acceptance privileges
- Full liability for fraud from breaches
- Brand-specific programs with separate requirements
QSA Role
Qualified Security Assessors (QSAs) are independent security organizations approved by PCI SSC to conduct PCI DSS assessments. Required for Level 1 merchant/service provider validation. Must complete PCI SSC training and maintain certification.
Relationship to Other Frameworks
- ISO 27001: Both address information security; PCI DSS is payment-specific
- NIST CSF: PCI DSS aligns with identify, protect, detect, respond, recover
- SOC 2: Both require security controls; PCI DSS is prescriptive for payment data
- HIPAA: Different scopes (health vs payment data); may both apply to healthcare
- MA 201 CMR 17.00: MA law covers all personal information; PCI DSS covers payment cards
Effective Dates Timeline
- March 2022: v4.0 published; v3.2.1 and v4.0 both active
- March 31, 2024: v3.2.1 retired; v4.0 the only acceptable version
- June 2024: v4.0.1 published with clarifications
- December 31, 2024: v4.0 retired; v4.0.1 the only active version
- March 31, 2025: All future-dated requirements become mandatory
Penalties
Determined by payment brands/acquiring banks (NOT PCI SSC):
- Monthly non-compliance fines: $5,000-$500,000+
- Per-transaction fees during non-compliance
- Card brand fines for severe non-compliance
- Increased transaction processing fees
- Revocation of card acceptance privileges
- Breach-related costs: forensics, card replacement, legal, customer notification
Company Size Applicability
Applies to ALL organizations handling payment cards, regardless of size:
- No exemptions based on company size
- Sole proprietors and small businesses must comply
- Merchant tiers determine validation method (SAQ vs ROC)
- Even minimal card processing requires compliance
Annual Requirements
- Annual validation (SAQ or ROC depending on merchant level)
- Quarterly external vulnerability scans by ASV
- Reassessment after significant network/system changes
- Ongoing monitoring and testing
- Complete documentation (SAQ/ROC, AOC, ASV reports, compliance evidence)
Massachusetts-Specific Requirements
201 CMR 17.00 Relationship:
- MA law requires comprehensive data security for personal information
- PCI DSS specifically addresses payment card data security
- MA organizations must comply with BOTH requirements
- 201 CMR 17.00 is actual state law; PCI DSS is contractual
- 201 CMR 17.00 draws concepts from PCI DSS but has a broader scope
Key Benefits of Compliance
- Maintain ability to accept payment cards
- Reduce risk of data breaches and fraud
- Protect customer payment information
- Avoid fines and penalties from payment brands
- Maintain business reputation and customer trust
- Support compliance with state data protection laws
Official Resources
- PCI Security Standards Council: https://www.pcisecuritystandards.org
- Document Library: https://www.pcisecuritystandards.org/document_library/
- PCI DSS v4.0.1 Standard: Available from document library
- Resource Hub: https://blog.pcisecuritystandards.org/pci-dss-v4-0-resource-hub