International Standard · Mandatory (contractual) · PCI DSS v4.0.1 (June 2024)

PCI DSS: Payment Card Industry Data Security Standard

PCI DSS v4.0.1 — issued by the Payment Card Industry Security Standards Council (PCI SSC).

Latest version: v4.0.1 (June 2024)
Requirements: 12 requirements organised under 6 control objectives
v3.2.1 fully retired: 31 March 2024
v4.0 future-dated requirements: effective 31 March 2025
Assessment levels: 1 (>6M txns/yr) to 4 (<20K txns/yr)

OVERVIEW

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is the global security standard for any organisation that stores, processes, or transmits cardholder data. It is mandated contractually by the major card brands (Visa, Mastercard, American Express, Discover, JCB) through their respective acquirer relationships.

Version 4.0 was released in March 2022 with a transition period through 31 March 2024 (when v3.2.1 was retired) and additional future-dated requirements becoming mandatory on 31 March 2025. Version 4.0.1 (June 2024) refined v4.0 with errata and clarifications. The current version maintains 12 core requirements but introduces a 'customised approach' allowing organisations to design their own controls to meet the standard's objectives, alongside the traditional 'defined approach' with prescribed controls.

Assessment requirements depend on the merchant or service provider level — Level 1 (the largest, processing >6 million transactions annually) requires an annual on-site assessment by a Qualified Security Assessor (QSA); smaller levels can self-assess via Self-Assessment Questionnaires (SAQ). Service providers face additional scrutiny.

APPLICABILITY

Who must comply with PCI DSS?

  • Merchants accepting payment cards (in-store, online, mobile, MOTO)
  • Service providers handling cardholder data on behalf of merchants
  • Acquiring banks and payment processors
  • Hospitality, retail, and e-commerce operators in Qatar with international card acceptance
  • Any entity that stores, processes, or transmits primary account numbers (PAN)

CONTROL DOMAINS

PCI DSS structure at a glance

The PCI DSS framework is organised into the following control areas. Vantage GRC pre-maps each one so evidence collected once contributes to your compliance picture across overlapping frameworks.

Build and Maintain a Secure Network and Systems

1. Install and maintain network security controls
2. Apply secure configurations to all system components

Protect Account Data

3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission

Maintain a Vulnerability Management Program

5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software

Implement Strong Access Control Measures

7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly

Maintain an Information Security Policy

12. Support information security with organisational policies and programs

KEY REQUIREMENTS

What PCI DSS requires you to do

  1. Determine your merchant or service provider level and applicable assessment route (RoC by QSA, SAQ self-assessment, or AOC).
  2. Define the cardholder data environment (CDE) — every system and process that stores, processes, or transmits cardholder data.
  3. Implement the 12 PCI DSS requirements within the CDE.
  4. Conduct quarterly internal vulnerability scans and external scans by an Approved Scanning Vendor (ASV).
  5. Conduct annual penetration testing.
  6. Submit an annual Report on Compliance (RoC) or Self-Assessment Questionnaire (SAQ) plus Attestation of Compliance (AOC) to your acquirer.

HOW VANTAGE HELPS

Vantage's approach to PCI DSS

Vantage GRC includes the PCI DSS v4.0.1 control library mapped against ISO 27001 and Qatar NIA, with separate scope tracking for the cardholder data environment. For Qatar hospitality and e-commerce operators with PCI obligations, this consolidates payment-card compliance with broader cybersecurity programmes and reduces the audit overhead of demonstrating compliance to acquirers.

FAQ

PCI DSS questions

Who needs to be PCI DSS compliant?

Any merchant or service provider that stores, processes, or transmits cardholder data. PCI DSS is contractually mandated by acquirer agreements with Visa, Mastercard, American Express, Discover, and JCB. The exact assessment requirements depend on your merchant or service provider level (1-4 for merchants).

What's new in PCI DSS v4.0?

v4.0 introduces a 'customised approach' allowing organisations to design controls meeting the standard's objectives, alongside the traditional 'defined approach.' It also strengthens authentication (multi-factor for all CDE access), expands targeted risk analyses, and adds emerging-area requirements (e-commerce script integrity, phishing controls). Many of these became mandatory on 31 March 2025.

Can ISO 27001 controls satisfy PCI DSS requirements?

There is significant overlap — particularly around access control, vulnerability management, logging, and physical security — but PCI DSS has additional, prescriptive requirements specific to the cardholder data environment (e.g. ASV scans, masking of PAN). ISO 27001 is necessary but not sufficient for PCI DSS compliance.

Ready to operationalise PCI DSS compliance?

Talk to a Vantage GRC consultant about your PCI DSS programme — pre-mapped controls, evidence management, and audit-ready dashboards. Doha-based.
