Valtik Studios

PCI DSS 4.0 Requirements Map

All 12 requirement families with 2026 enforcement notes and the specific items biting merchants hardest since the March 2025 mandate.

Goal 1: Build and Maintain a Secure Network and Systems

Requirement 1: Install and Maintain Network Security Controls

  • 1.2 — Network security controls configuration and maintenance
  • 1.3 — Network access to/from CDE restricted
  • 1.4 — Network connections between trusted and untrusted networks controlled
  • 1.5 — Risks to CDE from computing devices that connect to both untrusted networks and CDE mitigated

Requirement 2: Apply Secure Configurations to All System Components

  • 2.2 — System components configured securely
  • 2.3 — Wireless environments configured securely (includes vendor defaults)

Goal 2: Protect Account Data

Requirement 3: Protect Stored Account Data

  • 3.2 — Account data storage minimized
  • 3.3 — Sensitive authentication data not stored after authorization
  • 3.4 — Primary Account Number display masked
  • 3.5 — PAN made unreadable wherever stored (encryption, hashing, truncation, tokenization)
  • 3.6 — Cryptographic keys protected
  • 3.7 — Key management procedures

Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission

  • 4.2 — PAN protected with strong cryptography during transmission over open public networks

Goal 3: Maintain a Vulnerability Management Program

Requirement 5: Protect All Systems Against Malware

  • 5.2 — Malicious software prevented or detected
  • 5.3 — Anti-malware mechanisms active, maintained, and monitored
  • 5.4 — Anti-phishing mechanisms (workforce-facing)

Requirement 6: Develop and Maintain Secure Systems and Software

  • 6.2 — Bespoke and custom software developed securely
  • 6.3 — Security vulnerabilities identified and addressed
  • 6.4.3 (2026 enforcement) — Payment page scripts inventoried, justified, and authorized
  • 6.5 — Changes to system components managed securely

Goal 4: Implement Strong Access Control Measures

Requirement 7: Restrict Access by Business Need-to-Know

  • 7.2 — Access to system components and data defined and assigned
  • 7.3 — Access controls managed via access control system

Requirement 8: Identify Users and Authenticate Access

  • 8.2 — User identification managed throughout the account lifecycle
  • 8.3 — Strong authentication established; MFA required for all non-console admin access and all remote access to CDE
  • 8.4 — MFA implemented to secure non-console admin access
  • 8.5 — MFA systems configured to prevent misuse
  • 8.6 — Authentication for applications, scripts, and services

Requirement 9: Restrict Physical Access to Cardholder Data

  • 9.2 — Physical access controls
  • 9.3 — Personnel authorization and access to CDE managed
  • 9.4 — Media security
  • 9.5 — POI device security (for card-present merchants)

Goal 5: Regularly Monitor and Test Networks

Requirement 10: Log and Monitor All Access

  • 10.2 — Audit logs capture relevant events
  • 10.3 — Audit logs protected from destruction and unauthorized modification
  • 10.4 — Audit logs reviewed to identify anomalies or suspicious activity
  • 10.5 — Audit log history retained
  • 10.6 — Time-synchronization mechanisms
  • 10.7 — Failures of critical security control systems detected, reported, and responded to

Requirement 11: Test Security of Systems and Networks Regularly

  • 11.2 — Wireless access points identified and managed
  • 11.3 — External and internal vulnerabilities identified and managed (quarterly ASV scans)
  • 11.4 — Penetration testing performed regularly (annual internal + external, plus after significant change; segmentation testing annual/semi-annual)
  • 11.5 — Intrusion detection or prevention monitoring
  • 11.6.1 (2026 enforcement) — Payment page script changes detected and alerted

Goal 6: Maintain an Information Security Policy

Requirement 12: Support Information Security with Organizational Policies and Programs

  • 12.2 — Acceptable use policies
  • 12.3 — Risks to cardholder data environment formally managed
  • 12.4 — Compliance monitoring
  • 12.5 — PCI DSS scope documented and validated
  • 12.6 — Security awareness program
  • 12.7 — Personnel screened
  • 12.8 — Third-party service provider risk managed
  • 12.9 — Third-party service providers acknowledge responsibility
  • 12.10 — Suspected and confirmed security incidents responded to immediately

2026 biting points

Since the March 2025 mandate, the requirements catching merchants most often:

  • 6.4.3 and 11.6.1 — payment page script inventory and change detection. Most merchants had never audited the third-party scripts on their checkout pages before. Implementation options: Content Security Policy, Subresource Integrity, or commercial tools (Feroot DomainGuard, Human Security).
  • 8.3 phishing-resistant MFA — SMS is out. TOTP at minimum. FIDO2/passkeys preferred for admin access.
  • 11.4 penetration testing — annual internal + external. Merchants with only quarterly ASV scans are failing.
  • 12.8 third-party service provider risk — formal vendor risk management, not just "we have a contract."

Merchant vs service provider — service provider requirements are stricter. If you store, process, or transmit cardholder data on behalf of another merchant, you are a service provider and segmentation testing is semi-annual (not annual), penetration testing requirements are stricter, and formal PCI DSS attestation (AOC) is expected.
