12 requirements. 6 goals. One platform. CyberHeed manages your PCI-DSS compliance from initial assessment through continuous monitoring - so you can focus on processing payments, not managing spreadsheets.
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements established by the PCI Security Standards Council - founded by Visa, Mastercard, American Express, Discover, and JCB. Any organisation that stores, processes, or transmits cardholder data must comply. Non-compliance means fines, increased transaction fees, loss of the ability to process cards, and liability for fraud losses.
Merchants: any business that accepts card payments, from single-location retail shops to global e-commerce platforms. Merchant levels (1 through 4) are set by each card brand based on annual transaction volume. Under the Visa and Mastercard programmes, a Level 1 merchant (over 6 million transactions a year) needs an annual on-site assessment by a Qualified Security Assessor (QSA), or a qualified Internal Security Assessor, producing a Report on Compliance (ROC). Levels 2 to 4 can usually validate with a Self-Assessment Questionnaire (SAQ), subject to what their acquirer requires.
Service providers: organisations that process, store, or transmit cardholder data on behalf of merchants, or that can affect the security of that data - payment gateways, hosting providers, managed security services. Service providers face stringent validation: Level 1 service providers (over 300,000 transactions a year under Visa's programme) must complete an annual ROC with a QSA and be able to hand an Attestation of Compliance to every customer, because a breach at a service provider can affect thousands of merchants simultaneously.
Processors: entities that handle the actual transaction authorisation and settlement. Processors are service providers in PCI-DSS terms and demonstrate compliance annually through a ROC conducted by a QSA.
Any fintech that touches card data - payment orchestration platforms, buy-now-pay-later providers, embedded finance companies. If card numbers flow through your systems, PCI-DSS applies regardless of your business model.
PCI-DSS v4.0 was released in March 2022. The previous version, v3.2.1, was retired on 31 March 2024, and the future-dated v4.0 requirements became mandatory on 31 March 2025; v4.0.1 (June 2024) is the current revision and carries only clarifications. It represents the most significant update since the standard was created:
Organisations can now meet a requirement through the Customised Approach - controls of their own design - instead of the Defined Approach. This gives flexibility, but each customised control needs a targeted risk analysis and evidence that it meets the requirement's stated objective at least as well, and it is validated by a QSA in a ROC; it is not available for self-assessment via SAQ. It is also distinct from compensating controls, which remain a mechanism for documented constraints.
Requirements now call for a targeted risk analysis to set the frequency of certain periodic activities - for example periodic malware scans, review of logs for systems outside the daily-review set, and inspection of point-of-interaction devices - rather than prescribing fixed intervals for everything. Fixed intervals still apply where the standard keeps them, such as quarterly vulnerability scans and daily review of logs for critical systems and the CDE.
Stronger requirements for multi-factor authentication, including MFA for all access into the cardholder data environment (CDE), not just remote access. MFA implementations must resist replay, must not be bypassable, and must succeed only when all factors pass (Requirement 8.5.1); the standard's guidance recommends phishing-resistant factors.
Greater emphasis on security as a continuous process. Roles and responsibilities must be documented for every requirement. Security awareness training must address phishing and social engineering explicitly.
PCI-DSS is organised into six goals, each containing two requirements. Together they cover every aspect of payment card security - from network architecture to physical access to ongoing monitoring.
Requirement 1 - Install and Maintain Network Security Controls Firewalls, network segmentation, restricting traffic between trusted and untrusted networks. Define and document all connections to and from the cardholder data environment.
Requirement 2 - Apply Secure Configurations to All System Components Change vendor defaults, remove unnecessary services, harden systems. No default passwords, no unnecessary functionality. Every system component in scope must be securely configured.
Requirement 3 - Protect Stored Account Data Minimise data storage, render stored PAN unreadable, mask displayed PAN, protect encryption keys. If you don't need to store card data, don't; sensitive authentication data (full track, CVV, PIN) must never be retained after authorisation. When PAN is displayed, the BIN and last four digits are the most that may be shown (v4.0, Requirement 3.4.1). When PAN is stored, it must be rendered unreadable by a keyed cryptographic hash, truncation, index tokens, or strong encryption with managed keys - an unkeyed hash of a PAN is no longer acceptable.
Requirement 4 - Protect Cardholder Data with Strong Cryptography During Transmission Encrypt cardholder data during transmission over open, public networks. Use trusted certificates that are valid and not expired, strong protocols (TLS 1.2 or later with strong cipher suites), and verify certificate authenticity rather than accepting any certificate presented.
Requirement 5 - Protect All Systems and Networks from Malicious Software Deploy anti-malware on all systems commonly affected by malware. Ensure anti-malware solutions are current, actively running, and generating audit logs.
Requirement 6 - Develop and Maintain Secure Systems and Software Identify and manage security vulnerabilities. Develop software securely. Protect web applications against known attacks. Change control processes for all system changes.
Requirement 7 - Restrict Access to System Components and Cardholder Data by Business Need to Know Limit access to only those individuals whose job requires it. Define access control policies. Implement role-based access. Review access rights regularly.
Requirement 8 - Identify Users and Authenticate Access to System Components Unique IDs for every user. Strong authentication. Multi-factor authentication for all access to the CDE. Password/passphrase policies. No shared or generic accounts.
Requirement 9 - Restrict Physical Access to Cardholder Data Physical access controls for facilities with cardholder data. Visitor management. Media controls. Point-of-interaction device protections. Secure destruction of media.
Requirement 10 - Log and Monitor All Access to System Components and Cardholder Data Audit logging for all system components. Time synchronisation. Review logs of critical systems and the CDE daily. Retain audit trail history for at least 12 months, with at least the most recent three months immediately available for analysis. Automated alerting on failures of critical security control systems.
Requirement 11 - Test Security of Systems and Networks Regularly Wireless access point testing, vulnerability scans (internal and external), penetration testing, intrusion detection, change-detection mechanisms, and file integrity monitoring.
Requirement 12 - Support Information Security with Organisational Policies and Programmes Information security policy, acceptable use, risk assessment, security awareness training, incident response plan, and service provider management.
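Requirements 3 and 10 above meet in one practical problem: a PAN that is written to an application log is stored account data, unencrypted, in a place nobody intended. The helpers below, an added example that is not part of the original page and not CyberHeed's code, show the three building blocks a practitioner actually needs - a Luhn check to tell a PAN from an order number, display masking that shows only BIN and last four (v4.0 Requirement 3.4.1), a keyed-hash lookup token rather than an unkeyed hash (Requirement 3.5.1.1), and a scanner that finds and redacts Luhn-valid PANs in log text. The function names are ours, the log lines are constructed, the card numbers are the publicly documented test numbers used by payment gateways, and the HMAC key is hard-coded only for illustration; in production it comes from the key-management process Requirements 3.6 and 3.7 demand.

```python
import hashlib
import hmac
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# that are not embedded in a longer digit run (so a 20-digit ID is skipped).
_PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every card-brand PAN satisfies."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, bin_length: int = 6) -> str:
    """Display form: BIN (6 or 8 digits) plus last four is the maximum that may be shown."""
    if bin_length not in (6, 8):
        raise ValueError("BIN length must be 6 or 8")
    if not luhn_valid(pan):
        raise ValueError("not a syntactically valid PAN")
    return pan[:bin_length] + "*" * (len(pan) - bin_length - 4) + pan[-4:]


def pan_index(pan: str, key: bytes) -> str:
    """Keyed hash usable as a lookup token for a stored PAN.

    v4.0 requires hashes of PAN to be keyed; a plain SHA-256 of a PAN can be
    brute-forced from the BIN and the Luhn structure alone.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (digits only) found in free text, in order."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form, leaving other numbers alone."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return _PAN_RE.sub(_sub, text)


# Constructed log lines: the first carries an order number that happens to be
# 16 digits but fails Luhn; the next two leak real-format test PANs.
SAMPLE_LOG = """\
2024-05-02T10:14:07Z INFO checkout order=1234567890123456 amount=49.90
2024-05-02T10:14:08Z DEBUG gateway request pan=4111 1111 1111 1111 exp=12/27
2024-05-02T10:14:09Z DEBUG retry card=5555-5555-5555-4444
"""

# Illustrative key only; never hard-code a real PAN-hashing key.
_DEMO_KEY = b"replace-with-key-from-your-kms"

if __name__ == "__main__":
    print("leaked PANs:", [mask_pan(p) for p in find_pans(SAMPLE_LOG)])
    print(redact_pans(SAMPLE_LOG))
    print("lookup token:", pan_index("4111111111111111", _DEMO_KEY))
```

Run this over a day's application logs and a non-empty `find_pans` result is the finding a QSA would write up under Requirement 3.2; `redact_pans` is the shape of the log-sanitising filter that closes it. The Luhn gate matters: without it, order numbers, tracking IDs and timestamps generate enough false positives that the scan gets switched off.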
Every phase of PCI-DSS compliance - from initial scoping through ongoing monitoring - managed in one platform.
SmartPrep guides your team through structured conversations covering network architecture, cardholder data flows, access controls, encryption, logging, and physical security. AI adapts based on your answers, identifies your SAQ type, and captures how your payment environment actually operates.
At the end, your documentation suite is generated from what your team described - not templates filled in, but documents that reflect your reality.
Upload evidence for any of the 300+ sub-requirements. AI reads each document, assesses whether it satisfies the requirement, and tells you specifically what's strong and what a QSA would flag. Network diagrams, data flow diagrams, configuration baselines, scan reports - all validated against the specific requirement.
AutoMatch maps your existing security documentation to PCI-DSS requirements automatically. Hours of cross-referencing, handled in minutes.
PCI-DSS requires continuous compliance - quarterly vulnerability scans, annual penetration tests, daily log reviews, regular access reviews. CyberHeed tracks every recurring obligation with owners, deadlines, and evidence.
When your annual assessment or QSA visit arrives, your evidence is current and your posture is demonstrable. No last-minute scrambles.
PCI-DSS shares significant overlap with ISO 27001 and NIST CSF. Access control, encryption, vulnerability management, incident response, and security policies are common across all three. CyberHeed maps controls automatically - evidence collected once counts everywhere.
ISO 27001's Annex A controls cover access management, cryptography, network security, vulnerability management, and incident response - all core PCI-DSS requirement areas. Your ISMS provides the governance foundation PCI-DSS demands.
NIST CSF's Protect and Detect functions map closely to PCI-DSS Goals 1-5. Risk assessment, access control, data security, and continuous monitoring requirements align between frameworks.
Other frameworks: ISO 27001, NIST CSF, Essential Eight, CPS 234, CPS 230, DESC ISR, NCA ECC, DFSA.
12 requirements. 300+ sub-controls. One platform to assess, evidence, and monitor them all.