Every business that stores, processes, or transmits cardholder data has a compliance obligation. PCI DSS 4.0.1 introduced 64 new requirements — most businesses that were compliant in 2024 have gaps today. We close them.
PCI-DSS v4.0.1 organizes its 12 requirements into 6 control goals. Understanding which goal area your gaps fall into determines where you start.
PCI DSS 4.0.1 replaced 3.2.1 in March 2022 but gave organizations until March 31, 2025 to fully transition. That grace period is over. If you haven't revisited your program since early 2024, you likely have compliance gaps.
Multi-factor authentication is now mandatory for all access to the cardholder data environment — not just remote access. If your admins log into CDE systems from inside the network without MFA, you have a gap.
Organizations can now implement alternative controls that achieve the stated objective, documented via a Targeted Risk Analysis (TRA). This replaces rigid prescriptive requirements with outcome-based flexibility — but it requires formal documentation.
Requirement 6.4 now mandates automated technical solutions to detect and protect against e-commerce web skimming attacks. Requirement 5.4 requires phishing-resistant controls for all personnel.
Minimum password length increased to 12 characters (up from 7). Passwords must be changed at least every 90 days unless an alternative authentication mechanism is used.
Annual security awareness training requirements now apply to all personnel — including contractors and third parties with CDE access — not just internal employees.
PCI-DSS applies to any entity that stores, processes, or transmits payment card data — regardless of size, industry, or transaction volume. Your compliance level (SAQ type or ROC) is determined by how you handle card data and your annual transaction volume.
- SAQ A: E-commerce and mail/telephone-order merchants who have fully outsourced all payment processing to a PCI-DSS compliant third party. No cardholder data stored, processed, or transmitted on your systems.
- SAQ B / B-IP: Merchants using only imprint machines or standalone dial-out or IP-connected terminals — no electronic cardholder data storage, no internet-connected payment systems.
- SAQ C: Merchants with payment application systems connected to the internet. Includes virtual terminal merchants processing via isolated, internet-connected devices not connected to other business systems.
- SAQ D: All merchants not fitting SAQ A–C, and all service providers eligible to complete an SAQ. Full set of PCI-DSS requirements applies. Most complex compliance profile — often requires external guidance.
- Level 1 merchants (ROC): Merchants processing over 6 million Visa or Mastercard transactions annually. Requires annual on-site assessment by a Qualified Security Assessor (QSA) and a formal Report on Compliance — not a self-assessment questionnaire.
- Service providers: Any entity that stores, processes, or transmits cardholder data on behalf of another organization. SaaS platforms, hosting companies, payment gateways, and managed service providers all carry PCI-DSS obligations if they touch CDE scope.
NIST CSF and PCI-DSS share significant conceptual overlap. Organizations that have implemented NIST CSF controls frequently find that 40–60% of PCI-DSS requirements are already addressed. Here's how the frameworks map.
| NIST CSF Function | Description | Primary PCI-DSS Requirements | Est. Coverage |
|---|---|---|---|
| GV — Govern | Organizational context, risk management strategy, supply chain | Req 12 (Security Policy), Req 8.2 (Access Management) | |
| ID — Identify | Asset management, risk assessment, improvement planning | Req 2 (Secure Config), Req 3 (Data Protection), Req 11.3 (Vulnerability Assessment) | |
| PR — Protect | Access control, awareness, data security, platform security | Req 1 (Network Controls), Req 4 (Encryption), Req 7–9 (Access Controls), Req 5–6 (Vuln Mgmt) | |
| DE — Detect | Continuous monitoring, anomaly detection | Req 10 (Logging & Monitoring), Req 11.4 (Penetration Testing), Req 11.5 (IDS/IPS) | |
| RS — Respond | Incident management, analysis, communication, mitigation | Req 12.10 (Incident Response Plan) | |
| RC — Recover | Recovery planning, communications | Req 12.10.2 (Post-Incident Review), Req 3.8 (Backup/Restoration) | |
What this means for you: If you've already invested in a NIST CSF program — or purchased a Rhodigital NIST Policy Package — a meaningful portion of your PCI-DSS gap work is already done. A cross-mapping assessment identifies exactly which PCI requirements your existing controls satisfy and which still need dedicated attention, saving weeks of redundant remediation work. See the NIST Policy Package →
PCI compliance isn't a single event — it's a structured sequence. We follow a phased engagement model that ends with a filed SAQ or ROC preparation, not an open-ended consulting relationship.
1. Scoping: Define your Cardholder Data Environment (CDE): which systems store, process, or transmit cardholder data, and which are in scope. Interview key staff, review network diagrams, document your payment processing flows. The scope definition is the most consequential decision in PCI compliance — getting it wrong costs you either over-compliance (too much scope, too expensive) or regulatory exposure (too little scope, actual gaps).
2. Gap assessment: Systematic review of all in-scope systems against the 12 PCI-DSS requirements. Each control is marked Compliant, Partially Compliant, or Non-Compliant with evidence citations. The output is a prioritized gap register with remediation effort estimates — no ambiguity about what you need to do or why.
3. Remediation: Close the gaps. This phase covers policy and procedure documentation (Req 12), technical control configuration, security awareness training program setup, and any tooling changes needed. For organizations with existing NIST CSF policies, this phase is significantly shorter — we adapt existing documentation to satisfy PCI requirements rather than building from scratch.
4. Attestation: Complete and file the appropriate SAQ (A through D based on your scope), or prepare evidence packages for a Level 1 QSA ROC engagement. You receive a complete evidence folder documenting every control in place — useful for auditors, card brands, acquiring banks, and cyber insurance underwriters.
Start with a free security posture check. Understand where you stand before your acquiring bank or card brand auditor tells you.