PCI DSS v4.0 compliance validated by operators. Not documentation factories.
Validate encryption, segmentation, access controls, and logging for cardholder data protection under PCI DSS v4.0. Covers card-present and e-commerce environments, third-party assessments, and QSA-ready documentation.
PCI DSS v4.0 · CARDHOLDER DATA SECURITY
v4.0 raises the bar. Your controls must follow.
PCI DSS v3.2.1 was retired on March 31, 2024. All organisations must now operate under v4.0, with MFA required for all access into the CDE, payment page script inventory and tamper-detection controls, and shorter patch and remediation windows; the future-dated requirements become mandatory on March 31, 2025. We validate real controls, not just documentation.
Network Security
Firewall rules, network diagrams, CDE segmentation and traffic restriction controls.
Data Encryption
AES-256 at rest, TLS 1.3 in transit, HSM-backed key management for all PAN.
Access Control
MFA enforced for all CDE access, least-privilege model, quarterly access reviews.
Continuous Testing
Quarterly ASV scans, annual pen tests, payment page integrity monitoring, segmentation tests.
PCI DSS FRAMEWORK
12 Requirements. One validated standard.
Network Security Controls
Network
5 sub-requirements
v4.0 note: Requirement 1 now covers all network security controls (NSCs), not only firewalls, and adds cloud and virtualised environment specifics; the six-month NSC rule-set review (Req 1.2.7) carries over from v3.2.1 (formerly Req 1.1.7).
KEY CONTROLS
Firewall install & maintenance
Network diagram (incl. wireless)
Restricted inbound/outbound CDE traffic
No direct public-internet CDE access
Firewall rule review every 6 months
CARDHOLDER DATA ENVIRONMENT
CDE scoping. Define your compliance boundary.
Incorrect CDE scoping is one of the most common QSA findings. Too broad — unnecessary compliance burden. Too narrow — gaps and breach liability. Get the boundary right from day one.
SCOPE ZONES
CDE: systems that store, process or transmit CHD or SAD
Connected-to and security-impacting systems: in scope; applicable requirements apply
OOS: out-of-scope systems, segmented from the CDE with no access to it
Cardholder Data Environment
Systems that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD). Directly in scope. Every PCI DSS requirement applies.
v3.2.1 → v4.0 MIGRATION
What changed in v4.0. The delta that matters.
PCI DSS v3.2.1 was retired on March 31, 2024. Eight key areas changed significantly; the future-dated requirements among them are best practice until March 31, 2025, and mandatory after that.
VALIDATION ROADMAP
Compliance lifecycle. 8 phases to AOC.
CDE Scoping
Weeks 1–3
Identify all systems storing, processing, or transmitting cardholder data. Map all data flows into and out of the CDE. Document network diagrams with CDE boundaries clearly marked.
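A worked example for this phase, added here and not part of Spakto's tooling or the original page: a small PAN discovery script that scans text exports (application logs, database dumps, config files) for card-number candidates, keeps only Luhn-valid ones, and reports them masked to first six / last four. The log lines, timestamps and the simplified brand prefixes are constructed assumptions; the standard does not prescribe a discovery method. Anything the script hits is a system that stores or transmits CHD and belongs inside the CDE boundary (or needs the data removed).

```python
"""PAN discovery for CDE scoping.

Added example (not Spakto tooling): scan text exports for card-number
candidates, keep only Luhn-valid ones, report them masked (first six /
last four, Req 3.4.1) so the report itself is not cardholder data.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run (a 20-digit transaction id is never matched at all).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified leading-digit brand hints; real IIN ranges are broader (assumption).
BRAND_PREFIXES = (
    ("Visa", ("4",)),
    ("Mastercard", ("51", "52", "53", "54", "55")),
    ("Amex", ("34", "37")),
)


def luhn_valid(digits: str) -> bool:
    """Mod-10 check: every real PAN passes; most order ids and timestamps do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Req 3.4.1 display rule: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def brand_of(digits: str) -> str:
    for name, prefixes in BRAND_PREFIXES:
        if digits.startswith(prefixes):
            return name
    return "unknown"


def find_pans(text: str) -> list:
    """Return one finding per Luhn-valid candidate: line number, brand, masked PAN."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append({"line": line_no, "brand": brand_of(digits),
                                 "masked": mask_pan(digits)})
    return findings


# Constructed sample: an application log that should never carry full PAN.
SAMPLE_LOG = """\
2025-05-02T10:14:03Z order=8812 card=4111111111111111 auth=ok
2025-05-02T10:14:09Z order=8813 card=4111 1111 1111 1112 auth=declined
2025-05-02T10:15:40Z txn_ref=1234567890123456 status=settled
2025-05-02T10:16:02Z order=8814 card=5555-5555-5555-4444 auth=ok
2025-05-02T10:16:30Z order=8815 card=378282246310005 auth=ok
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f['line']}: {f['brand']} {f['masked']}")
```

The Luhn filter is what keeps the noise down: the 16-digit transaction reference and the mistyped card on line 2 both fail it, so only three lines are reported, and a log file that produces any hit at all is a Req 3 finding as well as a scoping one.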
REQ 11.4 · NETWORK ISOLATION VALIDATION
Segmentation testing. CDE isolation confirmed.
PCI DSS v4.0 Req 11.4.5 requires segmentation penetration testing at least once every 12 months and after any change to segmentation controls or methods; service providers must test at least once every six months (Req 11.4.6). We automate the test cycle and provide QSA-ready evidence for every boundary test.
NETWORK LAYER ARCHITECTURE
INTERNET: untrusted public network
DMZ: web servers, WAF, load balancers
CDE: payment app, database, HSM
INTERNAL: corporate network (segmented from the CDE)
OOS: out-of-scope systems (segmented; no connectivity to the CDE)
External Firewall Rule Review (Internet → DMZ boundary): all 247 rules reviewed; 3 stale rules removed
DMZ → CDE Segmentation Pen Test (DMZ host → payment DB): no path found from the DMZ to the cardholder database
Internal Host → CDE Access Test (corporate workstation → CDE VLAN): VLAN ACL blocks all lateral movement
Wireless Network → CDE Path (guest WiFi → CDE subnet): no route from the guest wireless network to the CDE VLAN
Service Provider Access Review (third-party vendor VPN → CDE systems): 1 of 4 vendor VPN accounts lacks MFA; remediation scheduled
POS Terminal Network Isolation (POS VLAN → corporate network): POS VLAN restricted to the payment gateway IP only
E-Commerce Server Segmentation (web tier → payment app tier): WAF plus internal ALB enforce a single path
CDE Outbound Traffic Control (CDE → external destinations): approved egress list 98% compliant; 2 rules under review
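The rule review and boundary checks above can be run as a repeatable check rather than a manual read-through of the rule base. The following is an added example, not Spakto's product code or anything from the original page: it takes a normalised rule export, maps each prefix to a scope zone, and flags rules that open an unapproved path into the CDE, permit direct Internet-to-CDE access, let the CDE reach unapproved egress destinations, are any/any, or have not matched traffic within the six-month NSC review window (Req 1.2.7). The addressing, the approved-flow lists, the 203.0.113.10 gateway address (TEST-NET) and the rule set itself are constructed for the example.

```python
"""NSC rule-set review for CDE boundaries.

Added example (not Spakto tooling): map each rule's prefixes to scope zones
and flag unapproved paths into or out of the CDE, direct Internet-to-CDE
access, any/any rules, and rules with no traffic in the six-month review
window (Req 1.2.7). Addresses, approved flows and rules are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union
import ipaddress

ZONES = {  # assumed lab addressing
    "DMZ": ipaddress.ip_network("10.10.0.0/24"),
    "CDE": ipaddress.ip_network("10.20.0.0/24"),
    "INTERNAL": ipaddress.ip_network("10.30.0.0/16"),
}
STALE_AFTER_DAYS = 180                                # six-month review cadence
APPROVED_CDE_INGRESS = {("DMZ", 8443)}                # web tier -> payment app only
APPROVED_CDE_EGRESS = {("203.0.113.10/32", 443)}      # payment gateway (TEST-NET address)


@dataclass
class Rule:
    rid: str
    src: str                    # CIDR
    dst: str                    # CIDR
    port: Union[int, str]       # destination port or "any"
    action: str                 # "allow" or "deny"
    last_hit: Optional[date]    # last time the rule matched traffic, None if never
    comment: str = ""


def zone_of(cidr: str) -> str:
    """Scope zone for a prefix: a defined zone, ANY for 0.0.0.0/0, else INTERNET."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 0:
        return "ANY"
    for name, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return name
    return "INTERNET"


def review_rules(rules, today: date) -> dict:
    """Return {rule id: sorted finding tags} for every rule that needs attention."""
    findings = {}
    for r in rules:
        tags = []
        if r.last_hit is None or (today - r.last_hit).days > STALE_AFTER_DAYS:
            tags.append("STALE")
        if r.action == "allow":
            src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
            if src_zone == "ANY" and dst_zone == "ANY":
                tags.append("ANY_ANY")
            # A destination of 0.0.0.0/0 reaches the CDE too, so treat it as CDE.
            if dst_zone in ("CDE", "ANY") and src_zone != "CDE":
                if src_zone in ("ANY", "INTERNET"):
                    tags.append("INTERNET_TO_CDE")          # Req 1.4: no direct public access
                elif (src_zone, r.port) not in APPROVED_CDE_INGRESS:
                    tags.append("UNAPPROVED_CDE_INGRESS")
            if src_zone == "CDE" and dst_zone != "CDE":
                if (r.dst, r.port) not in APPROVED_CDE_EGRESS:
                    tags.append("UNAPPROVED_CDE_EGRESS")    # Req 1.3: restrict outbound
        if tags:
            findings[r.rid] = sorted(tags)
    return findings


TODAY = date(2025, 6, 1)  # fixed review date so the result is reproducible
RULES = [  # constructed rule export
    Rule("R1", "0.0.0.0/0", "10.10.0.5/32", 443, "allow", TODAY - timedelta(days=1), "internet -> web tier"),
    Rule("R2", "10.10.0.0/24", "10.20.0.10/32", 8443, "allow", TODAY - timedelta(days=1), "web tier -> payment app"),
    Rule("R3", "10.10.0.0/24", "10.20.0.20/32", 5432, "allow", TODAY - timedelta(days=400), "legacy reporting -> payment db"),
    Rule("R4", "10.30.0.0/16", "10.20.0.0/24", "any", "allow", None, "temporary troubleshooting"),
    Rule("R5", "10.20.0.0/24", "203.0.113.10/32", 443, "allow", TODAY - timedelta(days=1), "cde -> payment gateway"),
    Rule("R6", "10.20.0.0/24", "0.0.0.0/0", 53, "allow", TODAY, "cde -> any dns"),
    Rule("R7", "0.0.0.0/0", "10.20.0.10/32", 22, "allow", TODAY - timedelta(days=200), "vendor ssh"),
    Rule("R8", "0.0.0.0/0", "10.20.0.0/24", "any", "deny", TODAY, "default deny into cde"),
]

if __name__ == "__main__":
    for rid, tags in review_rules(RULES, TODAY).items():
        print(rid, ", ".join(tags))
```

Running it flags R3 (a stale DMZ-to-database rule, the path the segmentation test above is meant to prove absent), R4 (a never-used internal-to-CDE any-port rule), R6 (CDE egress to any resolver) and R7 (Internet-to-CDE SSH). A static review like this does not replace the segmentation penetration test; it tells you what the test should find and gives the six-monthly review a defensible output.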
QSA-READY DOCUMENTATION
Evidence engine. 400+ items, audit-ready.
EVIDENCE CATEGORIES
Policies & Procedures (Req 1, 2, 7, 8, 9, 12): 48 items
Network Diagrams (Req 1, 2, 11): 12 items
Vulnerability Scans (Req 11): 52 items
Pen Test Reports (Req 11): 8 items
Access Reviews (Req 7, 8): 36 items
Change Records (Req 6, 8): 94 items
Encryption Config (Req 3, 4): 22 items
Training Records (Req 12): 128 items
QSA READINESS SCORE
Audit-Ready
2 minor gaps pending remediation. 400+ evidence items compiled and linked to requirement sub-sections.
QSA ENGAGEMENT STATS
Avg. ROC completion: 8–10 weeks
Evidence items: 400+ organised
Audit prep reduction: ↓ 50%
AOC issuance: annual cycle
REQ 5, 6, 11 · CONTINUOUS VULNERABILITY MANAGEMENT
Vuln management. Continuous, not quarterly.
PCI DSS v4.0 keeps the quarterly floor for internal scans (Req 11.3.1) and ASV external scans (Req 11.3.2) but tightens what happens between them: Req 6.3.3 requires critical and high security patches within one month of release and all other applicable patches within an entity-defined window, Req 11.3.1.1 requires a targeted risk analysis to decide how quickly lower-risk findings are remediated, and Req 11.3.1.2 requires authenticated internal scanning.
ACTIVE SCAN PROGRAMME
External ASV Scan: last run 3 days ago; quarterly (Req 11.3.2); Approved Scanning Vendor
Internal Network Scan: last run 3 days ago; quarterly (Req 11.3.1); Tenable / Qualys
Web Application DAST: last run 1 day ago; after code change (Req 6); Burp Suite / OWASP ZAP
Payment Page Integrity: last run 4 min ago; continuous (Req 11.6.1); script hash comparison
Container Image Scan: last run 2 hrs ago; on push (Req 6.3.3); Trivy / Spakto
CDE Config Compliance: last run 1 hr ago; continuous (Req 2); Chef InSpec / Lynis
REMEDIATION SLA — PCI DSS v4.0
v4.0 PATCH REQUIREMENT
Req 6.3.3 requires critical and high security patches and updates to be installed within one month of release, and all other applicable patches within a timeframe the entity defines (the standard gives three months as an example). Holding the one-month window across every CDE component in practice requires continuous patch monitoring rather than a quarterly catch-up.
WHY SPAKTO
Not consultants. PCI DSS accelerators.
100%
v4.0 Coverage
All 12 requirements including new Req 6.4.3, 8.4.2, 11.6.1
Frequently asked questions, answered.
Any organisation that stores, processes, or transmits cardholder data or sensitive authentication data (PANs, card verification codes, magnetic stripe or chip data) must comply. This includes merchants, payment processors, acquirers, issuers, and service providers. Which Self-Assessment Questionnaire (SAQ) applies depends on the payment channel and how card data is handled; whether an SAQ is acceptable at all, or a full Report on Compliance by a QSA is required, depends on transaction volume and the validation level set by the acquirer and card brands.
CDE scope defines which systems are subject to PCI DSS requirements. Proper scoping is critical — overly broad scope creates unnecessary compliance burden, while insufficient scope creates gaps and breach risk. Network segmentation, tokenisation, and P2PE can all reduce CDE scope — sometimes by 60–80%. Incorrect scoping is one of the most common QSA audit findings.
Req 6.4.3 (a future-dated requirement, mandatory from March 31, 2025) requires organisations to manage all scripts loaded and executed in the consumer's browser on payment pages: keep an inventory with a written justification for each script, have a method to confirm each script is authorised, and have a method to assure the integrity of each script, for example Subresource Integrity hashes or a Content Security Policy. It targets web-skimming (Magecart) attacks, which inject or modify scripts to steal cardholder data in the browser before it ever reaches the payment processor.
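One way to implement the inventory and integrity checks described in this answer, as an added example that is not the original page's or Spakto's code: it parses the payment page as served, lists every script element, and compares it with an authorised inventory. External scripts are checked by source and Subresource Integrity hash, inline scripts by the hash of their body, and inventory entries absent from the page are reported so the inventory stays honest. The hostnames, script bodies and inventory are constructed; in production the page would be fetched from the live site and the integrity values recomputed from the files actually served.

```python
"""Payment page script inventory and integrity check (Req 6.4.3 / 11.6.1).

Added example (not Spakto tooling): parse the page as served, list every
<script>, and compare it with the authorised inventory. Hostnames, script
bodies and the inventory are constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes) -> str:
    """Subresource Integrity / CSP digest form: 'sha384-' + base64(SHA-384)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collects src, integrity attribute and inline body for each <script>."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:       # only text inside a <script> element
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def check_page(html: str, inventory: dict, authorised_inline: set) -> list:
    """Return (identifier, finding) pairs; an empty list means page and inventory agree."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings, seen = [], set()
    for s in parser.scripts:
        if s["src"] is None:                        # inline: authorise by body hash
            digest = sri_hash(s["body"].encode())
            if digest not in authorised_inline:
                findings.append(("inline:" + digest, "UNAUTHORISED_INLINE"))
            continue
        seen.add(s["src"])
        entry = inventory.get(s["src"])
        if entry is None:                           # unknown source: the Magecart case
            findings.append((s["src"], "UNAUTHORISED_SCRIPT"))
        elif s["integrity"] is None:                # browser cannot enforce integrity
            findings.append((s["src"], "MISSING_INTEGRITY"))
        elif s["integrity"] != entry["integrity"]:  # file changed or tag rewritten
            findings.append((s["src"], "INTEGRITY_MISMATCH"))
    for src in inventory:                           # inventory drift
        if src not in seen:
            findings.append((src, "NOT_ON_PAGE"))
    return findings


# Constructed script bodies standing in for the real hosted files.
CHECKOUT_JS = b"/* constructed */ window.Checkout = window.Checkout || {};"
TAG_JS = b"/* constructed */ window.tagLoaded = true;"
JQUERY_JS = b"/* constructed */ window.jQuery = function () {};"
DATALAYER_INLINE = "window.dataLayer = window.dataLayer || [];"

INVENTORY = {  # Req 6.4.3: every authorised script, with written justification
    "https://js.example-psp.test/v3/checkout.js": {
        "integrity": sri_hash(CHECKOUT_JS), "justification": "PSP hosted card fields", "owner": "payments"},
    "https://tags.example-analytics.test/tag.js": {
        "integrity": sri_hash(TAG_JS), "justification": "conversion analytics", "owner": "marketing"},
    "https://cdn.example-static.test/jquery.min.js": {
        "integrity": sri_hash(JQUERY_JS), "justification": "checkout UI", "owner": "web"},
    "https://js.example-psp.test/v3/fraud.js": {
        "integrity": sri_hash(b"/* constructed */"), "justification": "PSP fraud signals", "owner": "payments"},
}
AUTHORISED_INLINE = {sri_hash(DATALAYER_INLINE.encode())}

# Constructed served page: one tag without integrity, one with a stale hash,
# one unknown host and one unknown inline script (where a skimmer would sit).
PAYMENT_PAGE = f"""<!doctype html><html><head>
<script src="https://js.example-psp.test/v3/checkout.js" integrity="{sri_hash(CHECKOUT_JS)}" crossorigin="anonymous"></script>
<script src="https://tags.example-analytics.test/tag.js"></script>
<script src="https://cdn.example-static.test/jquery.min.js" integrity="{sri_hash(b'old build')}"></script>
<script>{DATALAYER_INLINE}</script>
<script src="https://cdn.static-assets.invalid/loader.js"></script>
<script>/* not in inventory */ window.__loader = 'x';</script>
</head><body><form><input name="pan"></form></body></html>"""

if __name__ == "__main__":
    for ident, finding in check_page(PAYMENT_PAGE, INVENTORY, AUTHORISED_INLINE):
        print(f"{finding:22} {ident}")
```

The same sha384- digest form is what a Content Security Policy script-src directive accepts, so the inventory can also generate the page's CSP. Running this comparison on a schedule against the served page is the change-and-tamper detection Req 11.6.1 asks for; that requirement sets a floor of at least once every seven days unless a targeted risk analysis justifies a different frequency.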
Key v4.0 changes include: MFA for all access into the CDE (Req 8.4.2), not only remote access; a 12-character minimum password length (Req 8.3.6, or 8 where a system cannot support 12); new Req 6.4.3 requiring a payment page script inventory, justification and integrity controls; Req 11.6.1 requiring change-and-tamper detection on payment pages; authenticated internal vulnerability scanning (Req 11.3.1.2); targeted risk analyses that set the frequency of several periodic controls (Req 12.3.1); and the new customised approach for meeting a requirement with a differently designed control.
PCI DSS v4.0 requires internal and external penetration testing at least once every 12 months and after any significant infrastructure or application upgrade or change (Req 11.4.2 and 11.4.3), covering both the network layer and the application layer (at a minimum the attack classes listed in Req 6.2.4). Segmentation controls must also be tested at least once every 12 months and after any change to segmentation controls or methods to confirm CDE isolation (Req 11.4.5); service providers must test segmentation at least once every six months (Req 11.4.6).
A cardholder data breach triggers mandatory notification to your acquiring bank and card brands, a forensic investigation by a PCI Forensic Investigator (PFI), potential fines ranging from $5,000 to $100,000 per month per card brand, and possible suspension of payment processing. Organisations with current PCI DSS compliance typically face significantly lower fines and faster remediation timelines.
Ready for PCI DSS v4.0?
Validate your CDE, close v4.0 gaps, and reach QSA-ready attestation. Start with a no-obligation scope and gap assessment.