Valtik Studios
Free Resource · PCI DSS 4.0

PCI DSS 4.0 Requirements Map

All 12 requirement families with 2026 enforcement notes and the specific items biting merchants hardest since the future-dated v4.0 requirements became mandatory on 31 March 2025.

Goal 1: Build and Maintain a Secure Network and Systems

Requirement 1: Install and Maintain Network Security Controls

  • 1.2. Network security controls configuration and maintenance
  • 1.3. Network access to/from CDE restricted
  • 1.4. Network connections between trusted and untrusted networks controlled
  • 1.5. Risks to CDE from computing devices that connect to both untrusted networks and CDE mitigated

Requirement 2: Apply Secure Configurations to All System Components

  • 2.2. System components configured securely
  • 2.3. Wireless environments configured securely (includes vendor defaults)

Goal 2: Protect Account Data

Requirement 3: Protect Stored Account Data

  • 3.2. Account data storage minimized
  • 3.3. Sensitive authentication data not stored after authorization
  • 3.4. Full PAN displayed only to roles with a documented business need and masked otherwise; copying or relocating PAN out of remote-access sessions prevented (3.4.2, mandatory since 31 March 2025)
  • 3.5. PAN made unreadable wherever stored (keyed one-way hash, truncation, index tokens, or strong cryptography; an unkeyed hash no longer qualifies since 31 March 2025 under 3.5.1.1)
  • 3.6. Cryptographic keys protected
  • 3.7. Key management procedures

Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission

  • 4.2. PAN protected with strong cryptography during transmission over open public networks

Goal 3: Maintain a Vulnerability Management Program

Requirement 5: Protect All Systems Against Malware

  • 5.2. Malicious software prevented or detected
  • 5.3. Anti-malware mechanisms active, maintained, and monitored
  • 5.4. Anti-phishing mechanisms (workforce-facing)

Requirement 6: Develop and Maintain Secure Systems and Software

  • 6.2. Bespoke and custom software developed securely
  • 6.3. Security vulnerabilities identified and addressed
  • 6.4. Public-facing web applications protected against attacks (an automated technical solution such as a WAF is required by 6.4.2 since 31 March 2025); 6.4.3 (mandatory since 31 March 2025): every payment page script authorized, integrity-assured, and inventoried with a written business justification
  • 6.5. Changes to system components managed securely

Goal 4: Implement Strong Access Control Measures

Requirement 7: Restrict Access by Business Need-to-Know

  • 7.2. Access to system components and data defined and assigned
  • 7.3. Access controls managed via access control system

Requirement 8: Identify Users and Authenticate Access

  • 8.2. User identification managed throughout the account lifecycle
  • 8.3. Strong authentication factors established and managed (passwords/passphrases of at least 12 characters with letters and numbers since 31 March 2025 under 8.3.6)
  • 8.4. MFA for all non-console administrative access into the CDE (8.4.1), all access into the CDE (8.4.2, mandatory since 31 March 2025), and all remote network access originating from outside the entity's network (8.4.3)
  • 8.5. MFA systems configured to prevent misuse
  • 8.6. Authentication for applications, scripts, and services

Requirement 9: Restrict Physical Access to Cardholder Data

  • 9.2. Physical access controls
  • 9.3. Personnel authorization and access to CDE managed
  • 9.4. Media security
  • 9.5. POI device security (for card-present merchants)

Goal 5: Regularly Monitor and Test Networks

Requirement 10: Log and Monitor All Access

  • 10.2. Audit logs capture relevant events
  • 10.3. Audit logs protected from destruction and unauthorized modification
  • 10.4. Audit logs reviewed to identify anomalies or suspicious activity
  • 10.5. Audit log history retained
  • 10.6. Time-synchronization mechanisms
  • 10.7. Failures of critical security control systems detected, reported, and responded to

Requirement 11: Test Security of Systems and Networks Regularly

  • 11.2. Wireless access points identified and managed
  • 11.3. External and internal vulnerabilities identified, prioritized, and addressed (quarterly internal scans, authenticated since 31 March 2025 under 11.3.1.2, plus quarterly external ASV scans)
  • 11.4. Penetration testing performed regularly (annual internal + external, plus after significant change; segmentation testing annual/semi-annual)
  • 11.5. Network intrusions detected and responded to (IDS/IPS at the CDE perimeter and critical points) and unexpected changes to critical files detected (change-detection mechanism run at least weekly)
  • 11.6.1 (mandatory since 31 March 2025). Change- and tamper-detection mechanism deployed on payment pages, run at least weekly or at the frequency set by a targeted risk analysis, with alerting on unauthorized change

Goal 6: Maintain an Information Security Policy

Requirement 12: Support Information Security with Organizational Policies and Programs

  • 12.2. Acceptable use policies
  • 12.3. Risks to cardholder data environment formally managed
  • 12.4. Compliance monitoring
  • 12.5. PCI DSS scope documented and validated
  • 12.6. Security awareness program
  • 12.7. Personnel screened
  • 12.8. Third-party service provider risk managed
  • 12.9. Third-party service providers acknowledge responsibility
  • 12.10. Suspected and confirmed security incidents responded to immediately

2026 biting points

The future-dated v4.0 requirements became mandatory on 31 March 2025, so 2026 is the first full assessment cycle in which they are enforced. The ones catching merchants most often:

  • 6.4.3 and 11.6.1. Payment page script inventory and change detection. Most merchants had never audited the third-party scripts on their checkout pages before. 6.4.3 wants every script authorized, integrity-assured, and listed in an inventory with a written business justification; 11.6.1 wants a change- and tamper-detection mechanism run against the delivered payment page at least weekly (or at the frequency set by a targeted risk analysis) that alerts on change. Implementation options: Content Security Policy, Subresource Integrity, or commercial tools (Feroot DomainGuard, Human Security). CSP and SRI block unauthorized loads in the browser, and CSP violation reports can feed the 11.6.1 alerting, but something still has to inspect the delivered page on a schedule and raise the alert. SAQ A merchants whose checkout is fully outsourced to a PSP should check the current SAQ A eligibility criteria, which were revised in early 2025 around these two requirements.
  • 8.4 and 8.5 MFA. Since March 2025 MFA is required for all access into the CDE (8.4.2), not only for non-console administrative and remote access, and 8.5.1 requires the MFA system to be replay-resistant and not bypassable. PCI DSS does not prescribe factor types, but SMS codes are phishable and a weak choice; TOTP is the practical minimum and FIDO2/passkeys are preferred for admin access.
  • 11.4 penetration testing. Annual internal + external tests following a defined methodology (11.4.1), plus retesting after significant change. Merchants with only quarterly ASV scans are failing: a vulnerability scan is not a penetration test.
  • 12.8 third-party service provider risk. A maintained list of TPSPs, due diligence before engagement, written agreements, at least annual monitoring of each provider's PCI DSS status, and a record of which requirements each provider covers, not just "we have a contract."

Merchant vs service provider. Service provider requirements are stricter. If you store, process, or transmit cardholder data on behalf of another entity, or can affect the security of its CDE, you are a service provider: segmentation testing is semi-annual (11.4.6) instead of annual, executive management must formally own PCI DSS compliance (12.4.1), you must support your customers' compliance and state in writing which requirements you cover (12.9), and your customers will expect a formal attestation (AOC).
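What a 6.4.3 inventory check and an 11.6.1 change-detection run look like in practice, as an added example that is not the page's own tooling or any vendor's product. It parses the checkout page HTML, inventories every script, computes SRI hashes, diffs the result against an authorized inventory with justifications, and flags unlisted scripts, hash drift, and scripts the browser would not integrity-check. It also derives a CSP script-src directive from the inventory. The page HTML, script bodies, hostnames, and inventory are constructed sample data.

```python
"""Payment page script inventory (6.4.3) and change detection (11.6.1).

Added example, not the page's or any vendor's code. All hosts, script
bodies and inventory entries below are constructed for the demo.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external <script src> tags and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # (src, integrity attribute or None)
        self.inline = []        # inline script bodies, verbatim
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """SRI integrity / CSP hash-source value: '<algo>-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


def audit_payment_page(html: str, fetched: dict, inventory: dict) -> dict:
    """fetched: {src: bytes} script bodies as retrieved at audit time.
    inventory: {src or 'inline:<hash>': {'hash': ..., 'justification': ...}}.
    Unlisted scripts fail 6.4.3; hash drift on a listed script is the 11.6.1 alert."""
    p = ScriptCollector()
    p.feed(html)
    f = {"unauthorized": [], "changed": [], "no_valid_sri": [], "ok": []}
    for src, integrity in p.external:
        actual = sri_hash(fetched[src])
        entry = inventory.get(src)
        if entry is None:
            f["unauthorized"].append(src)
        elif entry["hash"] != actual:
            f["changed"].append(src)
        else:
            f["ok"].append(src)
        if integrity != actual:            # browser would accept a swapped file
            f["no_valid_sri"].append(src)
    for body in p.inline:
        key = "inline:" + sri_hash(body.encode())
        f["ok" if key in inventory else "unauthorized"].append(key)
    return f


def csp_script_src(inventory: dict) -> str:
    """script-src directive allowing only inventoried hosts and inline hashes."""
    sources = []
    for key in inventory:
        if key.startswith("inline:"):
            sources.append(f"'{key[len('inline:'):]}'")
        else:
            sources.append(urlparse(key).netloc or "'self'")
    return "script-src " + " ".join(dict.fromkeys(sources))


# Constructed sample data (hypothetical hosts and script contents).
PAY_SRC = "https://checkout.example-psp.com/v2/pay.js"
TAG_SRC = "https://cdn.example-analytics.com/tag.js"
PAY_BODY = b"/* stand-in for the PSP's pay.js */ window.PSP={mount(){}};"
TAG_BODY_V1 = b"/* analytics tag v1 */ window.t=[];"
TAG_BODY_V2 = b"/* analytics tag v2, changed by the vendor */ window.t=[];window.t.push(1);"
INLINE_BODY = 'window.checkoutConfig={currency:"USD"};'
INLINE_HASH = sri_hash(INLINE_BODY.encode())

PAGE_HTML = (
    "<html><head>"
    f'<script src="{PAY_SRC}" integrity="{sri_hash(PAY_BODY)}" crossorigin="anonymous"></script>'
    f'<script src="{TAG_SRC}"></script>'          # marketing tag shipped without SRI
    f"<script>{INLINE_BODY}</script>"
    "</head><body></body></html>"
)

INVENTORY = {
    PAY_SRC: {"hash": sri_hash(PAY_BODY), "justification": "PSP hosted payment fields"},
    "inline:" + INLINE_HASH: {"hash": INLINE_HASH, "justification": "checkout config"},
}


def run_demo():
    """First audit: the tag is unlisted. Second: it is approved, then changes."""
    first = audit_payment_page(PAGE_HTML, {PAY_SRC: PAY_BODY, TAG_SRC: TAG_BODY_V1}, INVENTORY)
    approved = dict(INVENTORY)
    approved[TAG_SRC] = {"hash": sri_hash(TAG_BODY_V1), "justification": "marketing analytics"}
    second = audit_payment_page(PAGE_HTML, {PAY_SRC: PAY_BODY, TAG_SRC: TAG_BODY_V2}, approved)
    return first, second, csp_script_src(approved)


if __name__ == "__main__":
    first, second, csp = run_demo()
    print("first audit:", first)
    print("second audit:", second)
    print(csp)
```

In production the audit should run against the rendered DOM (a headless browser), since scripts injected at runtime by other scripts never appear in the served HTML, and it should run at least weekly to satisfy 11.6.1. The justification field is the piece assessors ask for under 6.4.3; the no_valid_sri list is the gap between "we inventoried it" and "the browser enforces it".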

Ready to start?

Free website security check. No obligation, no sales pitch. Delivered as a plain-English findings report in 48 hours.

Request Free Check