PCI DSS compliance, without the assessment scramble.
All 12 PCI DSS v4.0 requirements managed by autonomous agents — continuous evidence collection, scoped CDE tracking, and assessment-ready reporting for SAQ or QSA audit processes.
Framework Overview
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements established by the PCI Security Standards Council (PCI SSC) — founded by American Express, Discover, JCB, Mastercard, and Visa. It applies to any organisation that stores, processes, or transmits payment cardholder data.
PCI DSS v4.0, released in March 2022, became the mandatory version on 31 March 2024 when v3.2.1 was retired. A limited revision, v4.0.1, followed in June 2024, and the requirements that v4.0 marked as future-dated best practice (for example MFA for all access into the cardholder data environment) became mandatory on 31 March 2025. v4.0 introduces a "customized approach" that lets organisations meet a requirement's objective with controls of their own design, while also adding new controls for e-commerce security (payment page script management and tamper detection) and stronger authentication requirements.
Unlike most frameworks, non-compliance with PCI DSS can result in card brands restricting or terminating an organisation's ability to process payments — a direct and immediate business impact beyond fines.
Merchant Compliance Levels
Level 1: more than 6M Visa/Mastercard transactions per year. Annual on-site assessment by a QSA (or a qualified Internal Security Assessor) producing a Report on Compliance, plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
Level 2: 1M to 6M Visa/Mastercard transactions per year. Annual Self-Assessment Questionnaire (SAQ) plus quarterly ASV scans.
Level 3: 20K to 1M e-commerce transactions per year. Annual SAQ plus quarterly ASV scans.
Level 4: fewer than 20K e-commerce transactions, or up to 1M total transactions, per year. Annual SAQ recommended (validation requirements are set by the acquirer) plus quarterly ASV scans.
Levels are assigned per card brand by the acquirer, and a merchant that suffers a compromise can be escalated to Level 1 regardless of volume.
Core Requirements
12 requirements. All tracked. All automated.
Requirement 1: Install and Maintain Network Security Controls
Network security controls (firewalls and their cloud equivalents) restrict traffic between the cardholder data environment (CDE) and untrusted networks, with rulesets documented and reviewed at least every six months.
Requirement 2: Apply Secure Configurations
All system components must be configured securely: vendor default accounts and passwords changed or removed, unnecessary services, protocols and functions disabled, and configuration standards applied before a component enters the CDE.
Requirement 3: Protect Stored Account Data
Stored PAN must be rendered unreadable wherever it is kept (keyed one-way hash, truncation, index tokens, or strong cryptography with managed keys), storage is minimised by a documented retention policy, and sensitive authentication data (full track data, card verification code, PIN) is never retained after authorisation.
Requirement 4: Protect Cardholder Data in Transit
Strong cryptography (current TLS with certificate validation, and an inventory of trusted keys and certificates) to protect Primary Account Numbers (PANs) transmitted over open, public networks, including wireless networks.
Requirement 5: Protect Against Malicious Software
Anti-malware solutions deployed on all system components except those documented as not at risk from malware, kept current, actively monitoring, and periodically re-evaluated, together with anti-phishing protections.
Requirement 6: Develop and Maintain Secure Systems and Software
Vulnerability management (critical and high-severity patches installed within one month of release), secure development practices, a web application firewall or equivalent automated protection for public-facing web applications, and an inventory and authorisation process for scripts on payment pages.
Requirement 7: Restrict Access to Cardholder Data
Access to system components and cardholder data must be restricted to only those with a business need to know, granted by an access control model that defaults to deny and is reviewed at least every six months.
Requirement 8: Identify Users and Authenticate Access
Unique IDs for all users, strong authentication (passwords of at least 12 characters where the system supports it), and MFA for all access into the cardholder data environment and all remote access to the network.
Requirement 9: Restrict Physical Access to Cardholder Data
Physical access to systems that store, process, or transmit cardholder data must be controlled and monitored, including protection of point-of-interaction devices against tampering and substitution.
Requirement 10: Log and Monitor All Access to System Components
Audit logs capturing all access to cardholder data and all administrative actions, protected from modification, time-synchronised, reviewed at least daily for security-relevant events, and retained for 12 months with at least the most recent 3 months immediately available.
Requirement 11: Test Security of Systems and Networks Regularly
Quarterly internal and external (ASV) vulnerability scanning, annual internal and external penetration testing, intrusion detection/prevention systems, change-detection on critical files, and tamper detection on payment pages.
Requirement 12: Support Information Security with Organisational Policies
A comprehensive information security policy addressing all PCI DSS requirements, reviewed at least every 12 months, backed by targeted risk analyses, security awareness training, management of third-party service providers, and an incident response plan that is tested annually.
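Requirements 3 and 10 meet in practice when a log review turns up an unmasked PAN. The following is an added example, not code from this product or from the PCI SSC: it finds Luhn-valid PANs in free text, masks them to the first 6 and last 4 digits as Requirement 3.4.1 allows for display, and shows the two Requirement 3.5.1 ways of rendering a stored PAN unreadable that are easy to get wrong (truncation versus a keyed hash). The regex, the helper names and the three log lines are constructed for this example; the card numbers are the well-known brand test numbers, and no IIN/BIN range check is performed.

```python
"""Added example for Requirements 3 and 10: find unmasked PANs in text and
render them unreadable. Not the product's code; written for this page."""
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run. Assumption: no IIN/BIN range check,
# so the Luhn check is the only false-positive filter.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. Every branded PAN passes it, which removes most
    order numbers and timestamps that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(match_text: str) -> str:
    """Strip the separators a human typed into a card number."""
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN found in free text (a log line, a DB dump,
    a support ticket). Each hit is evidence of PAN outside its intended store."""
    return [
        _digits(m.group(0))
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_ok(_digits(m.group(0)))
    ]


def mask_pan(pan: str) -> str:
    """Req 3.4.1 display masking: at most the first 6 and last 4 visible.
    Masking is a display control, not a storage protection."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Req 3.5.1 truncation: keep only a segment (here the last 4) and
    discard the rest, so the stored value cannot be reversed to a PAN."""
    return pan[-4:]


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """Req 3.5.1.1: a hash used to render PAN unreadable must be a keyed
    cryptographic hash of the entire PAN. HMAC-SHA-256 with a secret key.
    A plain SHA-256 is brute-forceable: with the 6-digit IIN known, only
    about 10^9 Luhn-valid candidates remain for a 16-digit PAN."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def redact_log_line(line: str) -> tuple[str, int]:
    """Replace each PAN in a log line with its masked form. Returns the
    redacted line and the number of PANs found, which is what gets recorded
    as evidence when a Req 10.4 log review turns up cardholder data."""
    hits = 0

    def _sub(m):
        nonlocal hits
        digits = _digits(m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        hits += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, line), hits


# Constructed sample log lines (brand test card numbers, not real accounts).
SAMPLE_LOG = [
    "2024-05-01T12:00:00Z order=98765 card=4111 1111 1111 1111 amount=12.50",
    "2024-05-01T12:00:01Z ref=4111111111111112 status=declined",
    "2024-05-01T12:00:02Z amex=378282246310005 token=tok_29fa",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        redacted, n = redact_log_line(line)
        print(f"{n} PAN(s): {redacted}")
```

The second sample line fails the Luhn check and is left untouched, which is the point of the check: a redaction job that rewrites every 16-digit number also rewrites order IDs and breaks the log's value as Requirement 10 evidence. For a real scan, add the brands' IIN ranges in front of the Luhn check and run it over log archives and database exports as part of the CDE scoping exercise, since any system found holding PAN is in scope.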
ISO 27001 satisfies many PCI DSS Requirement 12 obligations.
PCI DSS Requirement 12, the information security policy requirement, has extensive overlap with ISO 27001's management system clauses and Annex A controls: a maintained security policy, risk assessment, security awareness training, supplier management and incident response planning are all things a certified ISMS already documents and evidences. Organisations with ISO 27001 typically satisfy 40–60% of PCI DSS requirements before any PCI-specific work begins. Overlap is not equivalence, though: a QSA tests each requirement against its own testing procedures and within the defined CDE scope, so an ISO 27001 control only counts where it is actually applied to in-scope system components and the PCI-specific evidence (such as the annual review dates and the tested incident response plan) exists.