Payment Card Industry Security

PCI DSS v4.0

The security standard for cardholder data environments.

Knowledge Hub
12 Requirements – Full standard
v4.0 – 2022 edition
6 Goals – Security objectives
March 2025 – v3.2.1 sunset
Overview

The Payment Card Industry Data Security Standard (PCI DSS) is the security standard mandated for all organizations that store, process, or transmit branded payment card data. Version 4.0, released in March 2022, introduced significant new requirements, including the customized approach to meeting requirements, expanded multi-factor authentication requirements, and enhanced anti-phishing controls.

PCI DSS documentation requirements cover all 12 requirements and their sub-requirements: network documentation, access control records, logging policies, security testing documentation, and the Attestation of Compliance (AOC) or Report on Compliance (ROC) submitted to acquiring banks. Merchants and service providers must maintain evidence that all applicable requirements are satisfied and operating effectively.

Key Requirements

What the standard requires you to document.

Req 1 – Network Security

Firewall configuration documentation, network architecture diagrams, and network security control documentation.

Req 2 – Secure Configurations

System configuration standards, hardening documentation, and vendor default change records.

Req 3 – Account Data Protection

Data retention and disposal documentation, cardholder data inventory, and encryption documentation.

Req 4 – Data Transmission Security

Cryptographic protocol documentation and certificate management records.

Req 6 – Secure Systems & Software

Vulnerability management program documentation, patch management records, and secure coding documentation.

Req 7 – Access Control

Access control policy, need-to-know documentation, and user access review records.

Req 10 – Logging

Audit log policy, log management procedures, and review records.

Req 12 – Policy & Program

Information security policy, risk assessment records, and incident response plan.

ELDR Documentation

Templates and resources available from the Knowledge Hub.

PCI DSS v4.0 Control Mapping Matrix — all 12 requirements and sub-requirements
Self-Assessment Questionnaire (SAQ) guidance for applicable SAQ types
Cardholder Data Environment (CDE) scope documentation and data flow diagrams
Network Segmentation documentation and segmentation testing records
Access control policy and user access review records
Vulnerability scanning and penetration testing documentation
Security awareness training records and completion tracking
Incident Response Plan aligned with PCI DSS Requirement 12.10
Request Access

Templates and implementation resources for PCI DSS v4.0 are available through the ELDR Institute Knowledge Hub and via direct request.

Or: [email protected]

Related Frameworks