1. What Is PCI DSS? (2025 Update)
PCI DSS (Payment Card Industry Data Security Standard) is the global security standard for any organization that accepts, processes, stores, or transmits credit/debit card data.
“PCI DSS applies to all entities involved in payment card processing — including merchants, processors, acquirers, issuers, and service providers.” — PCI Security Standards Council, 2025
Current Version: PCI DSS v4.0.1
- Released: March 2024
- Mandatory from: March 31, 2025
- v3.2.1 retired after this date
2. Who Must Comply?
| Entity | Compliance Required? | Validation |
|---|---|---|
| Merchants (online, in-store, MOTO) | Yes | SAQ or ROC |
| Payment Gateways / Processors | Yes | ROC + AOC |
| Web Hosting / SaaS (if the service touches card data) | Yes | ROC |
| Call Centers (taking cards over phone) | Yes | SAQ D or ROC |
| POS Vendors / ISVs | Yes (if software handles cards) | ROC + P2PE (if applicable) |
Even if you outsource — you’re still responsible.
3. PCI DSS 4.0.1: Key Changes in 2025
| Change | Impact | Action Required |
|---|---|---|
| Customized Approach | Meet a requirement with an alternative control that achieves the same security objective | Document in ROC |
| Targeted Risk Analysis | Annual, per applicable requirement | Mandatory for all |
| Multi-Factor Authentication (MFA) | Required for all access (not just admin) | Enable MFA everywhere |
| E-commerce Scripts | Payment-page scripts must be inventoried, authorized, and monitored for changes | Use CSP + script allowlist |
| Phishing Awareness | Annual training + simulated attacks | Update HR policy |
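One way to turn the script requirement above into something you can run, as an added example (not code from the page or from any PCI SSC tool): the authorized-script inventory is kept as data, the CSP `script-src` allowlist is derived from it, and a captured checkout page is audited for scripts that are unauthorized, changed, or inline. All hosts, paths and script contents are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Authorized payment-page scripts as data (constructed placeholders).
# URL -> (business justification, SHA-256 of the approved script content).
INVENTORY = {
    "https://checkout.example-psp.test/v1/card.js": (
        "hosted card fields from the payment service provider",
        hashlib.sha256(b"/* approved psp card.js build */").hexdigest()),
    "https://www.example-merchant.test/static/app.js": (
        "merchant cart and form validation",
        hashlib.sha256(b"/* approved merchant app.js build */").hexdigest()),
}

def build_csp(inventory=INVENTORY):
    """Derive the CSP script-src allowlist from the inventory; no 'unsafe-inline'."""
    hosts = sorted({f"{urlparse(u).scheme}://{urlparse(u).netloc}" for u in inventory})
    return "script-src " + " ".join(hosts) + "; object-src 'none'; base-uri 'self'"

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], 0   # external script URLs, inline block count
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self.inline += 1

def audit_page(html, fetched, inventory=INVENTORY):
    """Findings for a captured page: scripts not in the inventory, approved scripts
    whose served bytes (`fetched`: URL -> bytes) no longer match, inline scripts."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.srcs:
        if src not in inventory:
            findings.append(f"unauthorized script: {src}")
        elif src in fetched and hashlib.sha256(fetched[src]).hexdigest() != inventory[src][1]:
            findings.append(f"approved script changed: {src}")
    if p.inline:
        findings.append(f"{p.inline} inline script(s) not covered by the inventory")
    return findings

# Constructed capture of a checkout page: one approved, one unknown, one inline script.
SAMPLE_HTML = """<script src="https://checkout.example-psp.test/v1/card.js"></script>
<script src="https://cdn.unknown-analytics.test/track.js"></script>
<script>window.dataLayer = [];</script>"""
SAMPLE_FETCHED = {"https://checkout.example-psp.test/v1/card.js": b"/* approved psp card.js build */"}
```

Run `audit_page(SAMPLE_HTML, SAMPLE_FETCHED)` on a schedule against the live payment page; any non-empty result is a change that should be reviewed and either added to the inventory or removed.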
4. The 12 PCI DSS Requirements – Simplified
| # | Requirement | 1-Sentence Summary | Tools |
|---|---|---|---|
| 1 | Firewall | Block public access to card data | Palo Alto, pfSense |
| 2 | No Defaults | Change vendor-supplied defaults (e.g. “admin/admin”) | Password manager |
| 3 | Protect Card Data | Encrypt stored PAN; don’t store CVV | Tokenization |
| 4 | Encrypt in Transit | TLS 1.3 only | Let’s Encrypt |
| 5 | Antivirus | On all in-scope systems | CrowdStrike, Defender |
| 6 | Secure Development | OWASP Top 10 | SAST/DAST |
| 7 | Access Control | Need-to-know only | Okta, Azure AD |
| 8 | Unique IDs + MFA | No shared logins | Duo, Google Auth |
| 9 | Physical Security | Lock server rooms | CCTV + badge access |
| 10 | Logging | Retain 12 months of logs | Splunk, ELK |
| 11 | Vulnerability Scans | Quarterly ASV scans | Qualys, Tenable |
| 12 | Policies | Annual training + risk assessment | Drata, Vanta |
5. SAQ Types: Which One Do You Need?
| SAQ | Eligibility | Questions | Example |
|---|---|---|---|
| A | Fully outsourced e-commerce (iframe/redirect) | 22 | Shopify Payments |
| A-EP | Partially outsourced (direct post) | 191 | Custom JS form |
| B | Imprint or standalone terminals | 41 | Old-school swipe |
| B-IP | PTS-approved PIN pads | 87 | Verifone VX |
| C | Integrated POS | 161 | Square, Toast |
| C-VT | Call center (no storage) | 88 | Manual entry |
| P2PE | Hardware P2PE | 35 | Ingenico + encryption |
| D-Merchant | Everyone else | 359 | Custom app |
Free Tool: SAQ Eligibility Quiz (built into site)
6. Step-by-Step Compliance Roadmap (30-90 Days)
Phase 1: Scope (Week 1)
- Map card data flow
- Segment network (VLANs, firewalls)
- Define in-scope systems
Phase 2: Gap Assessment (Weeks 2–3)
- Use Prioritized Approach Tool (free from PCI SSC)
- Document compensating controls
Phase 3: Remediate (Weeks 4–8)
| Task | Tool |
|---|---|
| Tokenize card data | Basis Theory, Stripe |
| Enable MFA | Okta, Microsoft Authenticator |
| Run ASV scan | Qualys, Trustwave |
| Train staff | KnowBe4, Proofpoint |
Phase 4: Validate & Submit (Weeks 9–12)
- Complete SAQ or ROC
- Get AOC signed by executive
- Submit to acquirer by deadline
7. Free Tools: SAQ Selector, Checklist, ROC Template
| Tool | Link | Use Case |
|---|---|---|
| SAQ Selector Quiz | /saq-selector | 2-min quiz → correct SAQ |
| PCI DSS Checklist (PDF) | /pci-checklist-2025 | Print & audit |
| ROC Template (DOCX) | /roc-template | For Level 1 merchants |
| Scope Diagram Template | /scope-diagram | Visualize card flow |
8. Common Fail Reasons + How to Avoid Them
| Fail | % of Reports | Fix |
|---|---|---|
| Storing CVV | 41% | Use tokenization |
| Default passwords | 38% | Automate with Ansible |
| No MFA | 35% | Enforce via IAM |
| Missing logs | 29% | SIEM + 12-month retention |
| No ASV scan | 27% | Schedule quarterly |
Source: Verizon DBIR 2025 – Payment Card Breaches
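Storing CVV and missing logs both come down to knowing where card data actually ends up. As an added example (not from the page or from Verizon), the scanner below finds primary account numbers that leaked into log lines: it extracts 13 to 19 digit runs, drops the false positives with a Luhn check, and reports each hit masked to first six / last four. The log lines are constructed.

```python
import re

# Digit runs of 13-19 digits, optionally separated by spaces or hyphens,
# not glued to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check; rejects most random digit runs (order ids, request ids) that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Mask for safe reporting: at most the first six and last four digits are shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(line):
    """Return masked, Luhn-valid PANs found in one text line."""
    found = []
    for m in CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask_pan(digits))
    return found

def scan_log(lines):
    """Map 1-based line number -> masked PANs for every line that contains card data."""
    return {n: pans for n, text in enumerate(lines, 1) if (pans := find_pans(text))}

# Constructed log lines: two leaked PANs (test card numbers) and one 16-digit
# request id that fails Luhn and must not be flagged.
SAMPLE_LOG = [
    "2025-04-01T10:00:01Z INFO order 8812 paid card=4111 1111 1111 1111 cvv=123",
    "2025-04-01T10:00:02Z INFO order 8813 token=tok_9f2a3b request_id=1234567890123456",
    "2025-04-01T10:00:03Z INFO order 8814 paid card=5555555555554444",
]
```

A non-empty result from `scan_log` over application, web-server or database logs means cleartext PAN is being stored outside the intended data flow, which puts those log systems in scope and is exactly the finding a QSA will write up.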
9. FAQ: Answers from a QSA
Is PCI DSS a law?
No, but it is contractual: your bank (acquirer) requires it. Non-compliance can mean fines up to $100K/month.
Do I need a QSA?
Only Level 1 merchants (>6M transactions/year) need a QSA-led ROC. Everyone else self-assesses via SAQ.
Can I be compliant without encryption?
Yes — with tokenization or P2PE. Encryption alone is not enough.
What’s the difference between ROC and AOC?
- ROC = Report on Compliance (full audit)
- AOC = Attestation of Compliance (summary, signed)
Is Shopify PCI compliant?
Shopify is — but you still need SAQ A if using Checkout.
Final Checklist: Are You PCI Ready?
- Card data encrypted or tokenized
- MFA enabled for all access
- ASV scan passed (last 90 days)
- SAQ or ROC completed
- AOC signed by executive
- Submitted to bank