PCI DSS 4.0

PCI DSS 4.0 Compliance: Protect Cardholder Data Without the Headache

If your business stores, processes, or transmits payment card data — directly or through the systems you operate — PCI DSS applies to you. It is not a law, but it is a contractual requirement from the card brands and your acquiring bank, and the cost of getting it wrong (fines, increased fees, or losing the ability to take card payments) is real.

PCI DSS 4.0 is the current version of the standard. ShieldIQ helps SMEs assess themselves against all 12 requirements in around twenty minutes, understand which Self-Assessment Questionnaire applies, and build the evidence to back it up.

Start your free PCI DSS assessment →


What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard maintained by the PCI Security Standards Council, founded by the major card brands (Visa, Mastercard, American Express, Discover, JCB). It sets the security controls every organisation handling cardholder data must meet.

Version 4.0 is the current standard. The previous version (3.2.1) was retired in March 2024, and a set of future-dated 4.0 requirements became mandatory in March 2025 — so "we did PCI a few years ago" is no longer enough.

How you validate depends on how you handle card data and your transaction volume — most SMEs complete a Self-Assessment Questionnaire (SAQ), with the specific SAQ type determined by your payment setup (e.g. fully outsourced e-commerce vs. storing card data yourself).


The 12 Requirements (Six Goals)

PCI DSS 4.0 organises its controls into twelve requirements under six goals. ShieldIQ assesses each and shows you where the gaps are.

Build and Maintain a Secure Network and Systems

1. Install and maintain network security controls (firewalls and equivalents).
2. Apply secure configurations to all system components.

Protect Account Data

3. Protect stored account data (encryption, truncation, masking, key management).
4. Protect cardholder data with strong cryptography during transmission over open networks.

Maintain a Vulnerability Management Programme

5. Protect all systems and networks from malicious software.
6. Develop and maintain secure systems and software (patching, secure development).

Implement Strong Access Control Measures

7. Restrict access to system components and cardholder data by business need-to-know.
8. Identify users and authenticate access (including multi-factor authentication).
9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

10. Log and monitor all access to system components and cardholder data.
11. Test the security of systems and networks regularly (scans, penetration tests).

Maintain an Information Security Policy

12. Support information security with organisational policies and programmes.
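As an added example (not part of this page or of the ShieldIQ product), the Python below shows two of the Requirement 3 techniques named above, masking and truncation of a primary account number (PAN), together with a Luhn-checksum filter that a team can run over its own application logs to confirm that full PANs are not leaking into them. That check matters for Requirement 10 (logs that contain PANs become part of the cardholder data environment) and is a cheap way to verify scope. The log lines are constructed; the card numbers in them are publicly known test values, not real cards. Showing only the last four digits is an assumption made here as the conservative option; PCI DSS limits how much of a PAN may be displayed, and your SAQ and assessor decide the exact rule.

```python
import re

# Candidate run of 13-19 digits, optionally separated by single spaces or
# hyphens and not adjoining other digits. The Luhn filter below removes
# most false positives (order ids, timestamps, phone numbers).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed log lines for this example. The card numbers are the publicly
# known test values 4111 1111 1111 1111 (Visa) and 378282246310005 (Amex);
# the 16-digit order id on the first line is not a PAN and fails Luhn.
SAMPLE_LOG = [
    "2025-03-01T10:00:00Z INFO order=2024010112345678 status=paid",
    "2025-03-01T10:00:01Z DEBUG gateway request pan=4111 1111 1111 1111 exp=12/27",
    "2025-03-01T10:00:02Z INFO customer ref 378282246310005 stored",
]


def _digits(value: str) -> str:
    """Strip everything except digits."""
    return re.sub(r"\D", "", value)


def luhn_valid(digits: str) -> bool:
    """True if a 13-19 digit string passes the Luhn checksum used by card PANs."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Display mask: every digit except the last `keep_last` becomes '*'.
    Keeping only the last four digits is an assumption (conservative choice)."""
    digits = _digits(pan)
    if len(digits) <= keep_last:
        raise ValueError("value too short to be a PAN")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def truncate_pan(pan: str, keep_last: int = 4) -> str:
    """Storage truncation: keep only the last digits and discard the rest.
    Unlike masking this is irreversible, so what is stored is no longer a full PAN."""
    digits = _digits(pan)
    if len(digits) <= keep_last:
        raise ValueError("value too short to be a PAN")
    return digits[-keep_last:]


def find_pans(line: str) -> list[str]:
    """Return the Luhn-valid PANs (digits only) found in one log line."""
    return [
        _digits(m.group())
        for m in PAN_CANDIDATE.finditer(line)
        if luhn_valid(_digits(m.group()))
    ]


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a line with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = _digits(m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(_sub, line)


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """List (line index, PANs) for every line that contains a full PAN."""
    return [(i, pans) for i, line in enumerate(lines) if (pans := find_pans(line))]


if __name__ == "__main__":
    for idx, pans in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {len(pans)} PAN(s) -> {redact_line(SAMPLE_LOG[idx])}")
```

Run against a real log export, `scan_log` reports which lines need attention and `redact_line` shows what a masked replacement would look like; the first sample line demonstrates why the Luhn step is worth keeping, since a plain 16-digit regex would flag the order id as a card number.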


What PCI DSS Compliance Actually Requires

PCI DSS 4.0 places more emphasis than ever on treating security as continuous rather than a once-a-year tick-box. In practice, validation expects:

  • A clearly defined cardholder data environment (CDE) and scope — knowing exactly where card data flows and lives
  • Documented policies and procedures covering all twelve requirements
  • Evidence of operation — access reviews, change records, scan and pen-test results, log monitoring, training records
  • Multi-factor authentication for access into the CDE
  • Regular vulnerability scans and, where applicable, penetration testing
  • A completed SAQ or Report on Compliance, plus an Attestation of Compliance

Reducing scope — for example by fully outsourcing payment capture to a compliant provider — is often the single biggest lever an SME has to simplify PCI.


How ShieldIQ Helps You Achieve PCI DSS

Scoping and assessment. ShieldIQ's guided assessment walks you through all twelve requirements and AI-scores your posture, so you know your true starting point and which SAQ fits.

Policy library. Editable policies for access control, secure configuration, change management, incident response, and the information security policy Requirement 12 demands.

Controls tracking. Map your controls to each PCI requirement and track implementation status across the cardholder data environment.

Risk and vulnerability management. Maintain a risk register, track remediation, and record the scans and pen tests Requirement 11 expects.

Network scanner & pen-test records. Run scans and store structured engagement records and findings as audit evidence.

Evidence and activity trail. Keep your logs, access reviews, and documentation in one place — ready for your SAQ or assessor.

Start free — no card required →


PCI DSS and Other Frameworks

The controls behind PCI DSS overlap heavily with the broader frameworks ShieldIQ supports — do the work once, satisfy several:

  • ISO 27001 compliance — PCI's policy, access, and risk requirements map closely to ISO 27001 controls
  • NIST CSF compliance — NIST's functions cover the monitoring, protection, and response PCI requires
  • GDPR compliance — protecting payment data supports GDPR's security-of-processing obligations
  • SOC 2 compliance — SOC 2's Security criteria and PCI share substantial control overlap

Frequently Asked Questions

Does PCI DSS apply if I use Stripe / a payment provider and never touch card numbers?

It still applies, but your burden is much lighter. Fully outsourcing payment capture to a PCI-compliant provider typically puts you on the shortest SAQ (e.g. SAQ A) because card data never enters your systems. ShieldIQ helps you confirm your scope and complete the right questionnaire.

What changed in PCI DSS 4.0?

4.0 modernises the standard with stronger authentication (expanded MFA), more flexibility through a "customised approach", greater emphasis on continuous security, and clearer scoping. Several 4.0 requirements became mandatory in March 2025, so older 3.2.1 assessments are out of date.

What is an SAQ and which one do I need?

A Self-Assessment Questionnaire is how most SMEs validate PCI compliance. The type (A, A-EP, B, C, D, etc.) depends on how you accept payments and whether you store card data. ShieldIQ's assessment helps you identify the right SAQ based on your setup.

How often do I need to validate PCI compliance?

Validation is annual, with quarterly vulnerability scans where required by your SAQ type. PCI DSS 4.0's emphasis on continuous security means controls should operate year-round — ShieldIQ keeps your evidence current so annual validation is a review, not a rebuild.


Start your free PCI DSS assessment — no card required →

Ready to assess your PCI DSS 4.0 posture?

Free to start. No credit card. No setup calls. Run your first assessment in around 15 minutes.

Start free, no card required