
Getting Started with PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for any organization that stores, processes, or transmits cardholder data. PCI DSS v4.0 is the current major version (a limited revision, v4.0.1, was published in June 2024 to correct and clarify the text; it adds and removes no requirements). The transition period from v3.2.1 ended on March 31, 2024, and the future-dated requirements introduced in v4.0 become mandatory on March 31, 2025. PCI DSS is maintained by the PCI Security Standards Council and enforced through the payment card brands (Visa, Mastercard, American Express, Discover, JCB) and their acquiring banks. Compliance is validated either through a Self-Assessment Questionnaire (SAQ) or through an on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance (ROC), depending on your transaction volume and merchant level; both paths end in an Attestation of Compliance (AOC) submitted to your acquirer. Matproof maps PCI DSS v4.0 requirements to controls, policies, and evidence workflows so you can prepare for your annual assessment.
Activate PCI DSS under Settings - Frameworks - PCI DSS. Controls are pre-populated across all 12 requirements and their sub-requirements.

Am I in Scope?

PCI DSS applies to any entity that stores, processes, or transmits cardholder data or sensitive authentication data, including:
  • Merchants (online and physical)
  • Payment processors and acquirers
  • Issuers
  • Service providers that handle cardholder data on behalf of other entities
Reduce your scope by minimizing where cardholder data is stored, processed, and transmitted. Outsourcing card capture to a PCI DSS validated payment processor (such as Stripe or Adyen) whose hosted fields or redirect keep the PAN out of your systems, and working only with the tokens it returns, removes most requirements from your environment (for a fully outsourced e-commerce merchant this is the path to the short SAQ A). Obtain the processor's current AOC and record it as third-party evidence; you remain responsible for the controls that stay with you, such as the integrity of the payment page and the management of the processor relationship.

The 12 PCI DSS Requirements

PCI DSS is organized into six goals and 12 requirements:
Goal | Requirement | Matproof Module
Build and Maintain a Secure Network and Systems | 1. Install and maintain network security controls | Controls
Build and Maintain a Secure Network and Systems | 2. Apply secure configurations to all system components | Controls
Protect Account Data | 3. Protect stored account data | Controls, Evidence
Protect Account Data | 4. Protect cardholder data with strong cryptography during transmission over open, public networks | Controls
Maintain a Vulnerability Management Program | 5. Protect all systems and networks from malicious software | Controls
Maintain a Vulnerability Management Program | 6. Develop and maintain secure systems and software | Controls, Policies
Implement Strong Access Control Measures | 7. Restrict access to system components and cardholder data by business need to know | Controls, People
Implement Strong Access Control Measures | 8. Identify users and authenticate access to system components | Controls
Implement Strong Access Control Measures | 9. Restrict physical access to cardholder data | Controls
Regularly Monitor and Test Networks | 10. Log and monitor all access to system components and cardholder data | Controls, Evidence
Regularly Monitor and Test Networks | 11. Test security of systems and networks regularly | Controls, Cloud Tests
Maintain an Information Security Policy | 12. Support information security with organizational policies and programs | Policies, People

PCI DSS v4.0 Key Changes

If you were compliant with v3.2.1, these are the most significant changes in v4.0:
Change | Impact
Customized approach | In addition to the traditional defined approach, a requirement can be met with controls of your own design, validated against the requirement's stated objective. Each customized control needs a documented targeted risk analysis and is assessed by a QSA; the customized approach is not available to entities validating by SAQ.
Targeted risk analysis | Required (12.3.1) wherever a requirement lets the entity decide how often a control is performed (for example periodic anti-malware scans or password changes for certain accounts), and for every customized-approach control (12.3.2).
Enhanced authentication | Multi-factor authentication is required for all access into the cardholder data environment (8.4.2, mandatory from March 31, 2025), not only for non-console administrative access and remote network access as in v3.2.1. Passwords must be at least 12 characters (8.3.6).
Automated technical controls | Several manual processes must become automated: log review via automated mechanisms (10.4.1.1), detection and alerting of failures of critical security control systems (10.7.2), and anti-phishing mechanisms that protect personnel (5.4.1).
Security awareness | Training content must cover the threats to the CDE, including phishing and related social engineering, and the acceptable use of end-user technologies (12.6.3.1 and 12.6.3.2).

Step 1 - Define your cardholder data environment (CDE)

  • Identify all systems that store, process, or transmit cardholder data
  • Map data flows showing how cardholder data enters, moves through, and exits your environment
  • Identify all connected-to and security-impacting systems (directory services, patch and log servers, jump hosts, the segmentation controls themselves): these are in scope even though they never touch card data
  • Document the CDE scope in Settings - Organization
  • Review and confirm scope at least once every 12 months and after any significant change to your environment (Requirement 12.5.2)
Under-scoping is one of the most common causes of a failed PCI DSS assessment. Any system that connects to the CDE, or that could affect its security, is in scope. Use network segmentation to isolate the CDE and reduce the number of in-scope systems and applicable controls, and have the segmentation verified by penetration testing at least once every 12 months and after changes (Requirement 11.4.5).

Step 2 - Generate PCI DSS policies

Go to Policies - Generate and create the required policy set:
  • Information Security Policy
  • Acceptable Use Policy
  • Access Control Policy
  • Network Security Policy
  • Encryption and Key Management Policy
  • Incident Response Policy
  • Change Management Policy
  • Vulnerability Management Policy
  • Physical Security Policy
Each policy must be reviewed at least once every 12 months and updated when the environment or the risks to it change (Requirement 12.1.2).

Step 3 - Network security and secure configurations

Requirements 1 and 2 establish the foundation:
  • Document and implement network security controls (firewalls, network segmentation), and maintain an accurate diagram of all connections between the CDE and other networks (Requirement 1.2.3)
  • Establish secure configuration standards for all system components, consistent with industry-accepted hardening standards (for example CIS Benchmarks) and updated as new vulnerabilities are identified (Requirement 2.2.1)
  • Remove or disable unnecessary services, protocols, daemons, and functions, and change or remove all vendor-default accounts and passwords before a system is installed on the network (Requirements 2.2.2 and 2.2.4)
  • Link configuration evidence to the relevant controls in Matproof

Step 4 - Protect account data

Requirements 3 and 4 address data protection:
  • Inventory all locations where account data is stored, including logs, backups, and databases where it may have landed unintentionally
  • Keep stored PAN to the minimum the business needs, and render it unreadable wherever it is stored using one of the permitted methods: keyed one-way hashes, truncation, index tokens, or strong encryption with managed keys (Requirement 3.5.1); mask PAN on display to at most the BIN and the last four digits (Requirement 3.4.1)
  • Protect PAN with strong cryptography during transmission over open, public networks, using only trusted certificates and protocol configurations that do not fall back to insecure versions (Requirement 4.2.1)
  • Document your key management procedures, covering key generation, distribution, storage, rotation, and destruction (Requirements 3.6 and 3.7)
  • Implement data retention and disposal policies with a retention period justified by business need and a quarterly process that removes data past it (Requirement 3.2.1)
  • Never store sensitive authentication data (full track data, card verification code, PIN or PIN block) after authorization, even if it is encrypted (Requirement 3.3.1)
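The following Python is an example added to this guide; it is not Matproof code and not text from the standard. It shows what the Requirement 3 bullets above mean in code: a Luhn check used to find PAN that has leaked into logs or other unintended locations, masking to the first six and last four digits for display, a keyed hash (HMAC-SHA-256) as one of the unreadability methods permitted by 3.5.1, and a sanitizer that drops SAD fields before a record is persisted. The demo key, the field names, the sample log line, and the sample authorization record are constructed assumptions.

```python
"""PAN handling per PCI DSS Requirement 3 (added example, not Matproof code)."""
import hashlib
import hmac
import re

# Constructed demo key. In production the HMAC key is a cryptographic key under
# Requirement 3.6/3.7 key management (HSM/KMS, rotation, split knowledge); it must
# never be stored alongside the hashes or checked into source control.
DEMO_HASH_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

# Field names that hold sensitive authentication data: never retained after
# authorization, even encrypted (Requirement 3.3.1). Names are this example's assumption.
SAD_FIELDS = frozenset({"cvv", "cvv2", "cvc2", "cid", "cav2",
                        "track1", "track2", "track_data", "pin", "pin_block"})

# 13-19 digits, optionally separated by spaces or hyphens, not glued to other digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample data (not real card data).
SAMPLE_LOG_LINE = "payment ok pan=4111111111111111 order=1234567890123456 amount=10.00"
SAMPLE_AUTH_RECORD = {
    "pan": "4111111111111111",
    "exp": "12/27",
    "cvv2": "123",
    "track2": "4111111111111111=27121011000012345678",
    "amount": "10.00",
    "auth_code": "A1B2C3",
}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; every valid card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit numbers embedded in text (log lines, DB dumps).
    Use it to discover PAN in places it should not be (first bullet of Step 4)."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Display form: first six (BIN) and last four at most, rest masked (Requirement 3.4.1)."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_pan_hash(pan: str, key: bytes = DEMO_HASH_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA-256) so records can be matched on PAN without
    storing it (Requirement 3.5.1.1). An unkeyed SHA-256 is not enough: with the
    BIN known, the remaining digits fit in about 10**9 guesses and the hash is
    reversed by brute force."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict) -> dict:
    """Return the record as it may be persisted: SAD removed, PAN replaced by the
    masked form plus its keyed hash. The full PAN never reaches the datastore."""
    out = {}
    for k, v in record.items():
        if k.lower() in SAD_FIELDS:
            continue                      # drop SAD entirely (3.3.1)
        if k.lower() == "pan":
            out["pan_masked"] = mask_pan(v)
            out["pan_hash"] = keyed_pan_hash(v)
            continue
        out[k] = v
    return out


if __name__ == "__main__":
    print("PAN found in log line:", find_pans(SAMPLE_LOG_LINE))
    print("stored record:", sanitize_for_storage(SAMPLE_AUTH_RECORD))
```

Run `find_pans` over log archives and database exports as part of the Step 4 inventory; any hit is stored account data that the Requirement 3 controls must cover or that must be deleted. Keep the HMAC key under the same key-management procedures as your encryption keys, stored separately from the hashed records.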

Step 5 - Vulnerability management

Requirements 5 and 6:
  • Deploy anti-malware solutions on all system components commonly affected by malware, keep them current, and document the periodic evaluation of any components you treat as not at risk (Requirement 5.2)
  • Identify and rank security vulnerabilities using industry-recognized sources such as vendor advisories and CERT alerts (Requirement 6.3.1)
  • Install critical or high-security patches and updates within one month of release; other patches follow a timeframe set by your targeted risk analysis (Requirement 6.3.3)
  • Apply secure software development practices if you develop payment applications: developer security training, code review before release, and protection against common coding vulnerabilities such as injection (Requirement 6.2)
  • Remediate the findings from the internal and external (ASV) vulnerability scans run under Requirement 11 (Step 7), rescanning until all high-risk and critical vulnerabilities are resolved (Requirement 11.3)

Step 6 - Access control and authentication

Requirements 7, 8, and 9:
  • Implement role-based access control with a default-deny rule: restrict access to system components and cardholder data to the least privileges each job function needs (Requirement 7)
  • Assign a unique ID to every user before allowing access to system components; shared, group, or generic accounts are permitted only by exception, with documented justification and management approval (Requirements 8.2.1 and 8.2.2)
  • Implement multi-factor authentication for all non-console administrative access and all remote network access originating from outside the entity's network, and, from March 31, 2025, for all access into the CDE (Requirement 8.4)
  • Enforce the authentication baselines: lock out a user ID after no more than 10 invalid attempts for at least 30 minutes or until identity is confirmed, and require passwords or passphrases of at least 12 characters containing both letters and numbers (Requirements 8.3.4 and 8.3.6)
  • Implement physical access controls for facilities housing cardholder data, including visitor authorization and logs and protection of point-of-interaction devices against tampering and substitution (Requirement 9)
  • Document and link periodic access reviews (at least once every six months for user accounts and privileges, Requirement 7.2.4) as evidence in Matproof

Step 7 - Logging, monitoring, and testing

Requirements 10 and 11:
  • Enable audit logging for all system components in the CDE, and make sure every audit record captures user identification, type of event, date and time, success or failure, origination of the event, and the identity of the affected data, component, or resource (Requirement 10.2.2)
  • Review logs at least once daily for the CDE and for security-critical systems; from March 31, 2025 this review must use automated mechanisms (Requirement 10.4.1.1), so a SIEM or equivalent is effectively required rather than merely recommended
  • Protect audit logs from modification and retain them for at least 12 months, with at least the most recent three months immediately available (Requirements 10.3 and 10.5.1)
  • Synchronize system clocks from a central, protected time source so events can be correlated across systems (Requirement 10.6)
  • Conduct internal vulnerability scans and external ASV scans at least once every three months and after significant changes (Requirement 11.3)
  • Perform internal and external penetration testing at least once every 12 months and after significant changes, including tests of segmentation controls where segmentation is used (Requirement 11.4)
  • Deploy a change-detection mechanism such as file integrity monitoring on critical files and compare them at least weekly (Requirement 11.5.2)
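As an example of what the automated review in the second bullet looks like in practice, the Python below is added to this guide and is not Matproof code. It parses a constructed key=value audit log, flags records that lack one of the six elements Requirement 10.2.2 demands, counts failed logins per user ID against the 8.3.4 lockout limit (more than ten failures for one ID means lockout is not enforced or is being bypassed), and pulls out the privileged and audit-log events that 10.2.1 says a reviewer must look at individually. The field names, event names, and sample lines are constructed assumptions; map your own SIEM fields onto them.

```python
"""Automated daily log review for a CDE (added example, not Matproof code)."""
from collections import Counter

# Requirement 10.2.2: every audit record must capture these six elements.
# Field names are this example's assumption, not PCI DSS terminology.
REQUIRED_FIELDS = ("ts", "user", "event", "result", "src", "target")

# Event types Requirement 10.2.1 says must be logged and that a reviewer should
# inspect individually: admin actions, access to or changes of audit logs,
# changes to identification and authentication credentials. Names are assumed.
PRIVILEGED_EVENTS = frozenset({"privilege_change", "audit_log_access",
                               "audit_log_change", "credential_change"})

# Requirement 8.3.4: lock out after not more than 10 invalid attempts.
LOCKOUT_THRESHOLD = 10

# Constructed sample log (not real data): two normal events, one record missing
# its result field, one audit-log access, and twelve failed logins for one ID.
SAMPLE_LOG = [
    "ts=2025-01-15T02:10:00Z user=alice event=login result=success src=10.0.5.12 target=pos-app-01",
    "ts=2025-01-15T02:11:03Z user=alice event=pan_view result=success src=10.0.5.12 target=cde-db-01",
    "ts=2025-01-15T02:12:44Z user=root event=privilege_change src=10.0.5.40 target=cde-db-01",
    "ts=2025-01-15T03:00:00Z user=bob event=audit_log_access result=success src=10.0.5.13 target=siem-01",
] + [
    f"ts=2025-01-15T04:{i:02d}:00Z user=svc_batch event=login result=failure "
    f"src=203.0.113.7 target=cde-jump-01"
    for i in range(12)
]


def parse_line(line: str) -> dict:
    """Parse 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    rec = {}
    for tok in line.split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            rec[k] = v
    return rec


def missing_fields(rec: dict) -> list[str]:
    """Elements of Requirement 10.2.2 absent from this record."""
    return [f for f in REQUIRED_FIELDS if f not in rec]


def review(lines) -> dict:
    """Run the three checks over an iterable of log lines; returns findings by check."""
    incomplete = []
    failures = Counter()
    privileged = []
    for n, line in enumerate(lines, start=1):
        rec = parse_line(line)
        gaps = missing_fields(rec)
        if gaps:
            incomplete.append((n, gaps))     # record unusable for forensics (10.2.2)
        if rec.get("event") == "login" and rec.get("result") == "failure":
            failures[rec.get("user", "?")] += 1   # invalid logical access attempts (10.2.1.4)
        if rec.get("event") in PRIVILEGED_EVENTS:
            privileged.append(rec)
    lockout_candidates = {u: c for u, c in failures.items() if c > LOCKOUT_THRESHOLD}
    return {
        "incomplete": incomplete,
        "lockout_candidates": lockout_candidates,
        "privileged_events": privileged,
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(f"{check}: {findings}")
```

Schedule the review at least daily, keep its output as evidence linked to the Requirement 10 controls, and treat every item in `lockout_candidates` and `incomplete` as a finding to investigate, since the first indicates an authentication control failure and the second means the log would not support an incident investigation.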

Step 8 - Security policy and training

Requirement 12:
  • Ensure all policies are current and reviewed at least once every 12 months
  • Conduct security awareness training for all personnel upon hire and at least once every 12 months, and have personnel acknowledge the policies annually (Requirement 12.6.3)
  • Cover the threats to the CDE in the training content, including phishing and related social engineering, and the acceptable use of end-user technologies (Requirements 12.6.3.1 and 12.6.3.2, new in v4.0); phishing simulations are one way to demonstrate this, not a mandated control in themselves
  • Maintain an incident response plan and test it at least once every 12 months (Requirement 12.10)
  • Conduct and document a targeted risk analysis for every requirement that lets the entity set its own frequency, and for every customized-approach control (Requirements 12.3.1 and 12.3.2)

Step 9 - Assessment preparation

  • Go to Audit Programs - New Audit - PCI DSS
  • Run an internal assessment against all applicable requirements
  • Remediate gaps documented as Corrective Actions
  • Determine your merchant level and the appropriate validation method (SAQ or QSA assessment)
  • Engage a QSA if required, or complete the appropriate SAQ, and submit the Attestation of Compliance (AOC) to your acquirer

Merchant Levels

Level | Transaction Volume (Visa) | Validation
1 | Over 6 million Visa transactions per year, any channel | Annual on-site assessment by a QSA (Report on Compliance) + quarterly ASV scan
2 | 1 to 6 million Visa transactions per year | Annual SAQ + quarterly ASV scan
3 | 20,000 to 1 million Visa e-commerce transactions per year | Annual SAQ + quarterly ASV scan
4 | Fewer than 20,000 Visa e-commerce transactions, or up to 1 million transactions through other channels, per year | Annual SAQ and quarterly ASV scan recommended; validation requirements set by the acquirer
Merchant levels and validation requirements vary by card brand, and a breach or a decision by your acquirer can move you to a higher level. The table above reflects Visa's classification; check with your acquiring bank for your specific obligations.

    Next Steps