PCI DSS v4.0 Requirements: Complete Guide to Payment Card Security

You must install and maintain firewalls and other network security controls to protect the cardholder data environment (CDE). This includes defining traffic rules, restricting connections, and reviewing configurations at least every six months.

You must not use vendor-supplied defaults for system passwords and other security parameters. All system components must be hardened according to industry-accepted standards before being deployed into the CDE.

Stored cardholder data must be protected through encryption, truncation, masking, or hashing. You must minimize data storage, never store sensitive authentication data after authorization, and implement strong cryptography for any PAN that must be stored.

Cardholder data must be encrypted with strong cryptography when transmitted over open, public networks. This includes using TLS 1.2 or higher, not sending unencrypted PANs via email or messaging, and protecting wireless networks transmitting cardholder data.

You must deploy anti-malware solutions on all systems commonly affected by malicious software. Anti-malware must be kept current, perform periodic scans, generate audit logs, and cannot be disabled by users.

You must establish a process for identifying and managing vulnerabilities in all system components. Security patches must be applied within defined timeframes, custom software must be developed securely, and public-facing web applications must be protected.

Access to cardholder data and system components in the CDE must be limited to individuals whose job requires it. You must implement role-based access control, deny access by default, and review access assignments at least every six months.

Every user must have a unique ID. Multi-factor authentication is required for all access into the CDE and all remote access. Passwords must meet complexity requirements, be changed every 90 days, and must not be shared.

Physical access to systems and data in the CDE must be restricted. This includes using access controls for facilities, distinguishing between onsite personnel and visitors, securing media containing cardholder data, and destroying media when no longer needed.

You must log all user access to cardholder data, all actions taken by administrators, all access to audit trails, invalid access attempts, and changes to authentication mechanisms. Logs must be reviewed daily, retained for at least 12 months, and protected from tampering.

You must regularly test security systems and processes. This includes quarterly wireless analyzer scans, quarterly ASV vulnerability scans, annual penetration testing, file integrity monitoring, and network intrusion detection.

You must establish, publish, maintain, and disseminate a security policy that addresses all PCI DSS requirements. The policy must be reviewed annually, include a risk assessment process, define security responsibilities, and include an incident response plan. All personnel must be aware of the policy.

PCI DSS v4.0 introduces targeted risk analysis (TRA) for requirements where the entity has flexibility in how often to perform an activity. You must document the frequency chosen, the rationale, and review the analysis at least annually.

You must create, document, and distribute an incident response plan. The plan must address roles and responsibilities, communication procedures, recovery procedures, regulatory notification, and lessons learned. The plan must be tested at least annually.