PCI-DSS Compliance Services — Protect Cardholder Data, Avoid Costly Penalties
What Is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements established by the major card brands — Visa, Mastercard, American Express, Discover, and JCB — through the PCI Security Standards Council (PCI SSC). Any organization that accepts, processes, stores, or transmits cardholder data must comply with PCI-DSS.
PCI DSS version 4.0 became mandatory on March 31, 2024, when version 3.2.1 was retired. Version 4.0 introduced significant changes, including a customized approach to validation, stronger authentication requirements, and expanded encryption and key-management mandates. A limited revision, v4.0.1, was published in June 2024 and replaced v4.0 as the only active version on December 31, 2024; it clarifies wording and adds no new requirements. The "future-dated" requirements, treated as best practice until then, become mandatory on March 31, 2025, making 2025 a critical compliance year.
Non-compliance can result in fines (commonly cited at $5,000 to $100,000 per month) that the card brands levy on your acquiring bank and the acquirer passes on to you, increased transaction fees, liability for fraud losses and forensic investigation costs after a breach, and ultimately the loss of your ability to accept card payments.
PCI-DSS Compliance Levels
Your compliance validation requirements depend on your annual transaction volume. Each card brand defines its own levels; the thresholds below are those used by Visa and Mastercard, counted per brand, and your acquirer makes the final determination of your level.
Level 1 — Over 6 Million Transactions/Year
Annual on-site assessment documented in a Report on Compliance (ROC) and Attestation of Compliance (AOC) by a Qualified Security Assessor (QSA), quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and annual penetration testing.
Level 2 — 1 to 6 Million Transactions/Year
Annual Self-Assessment Questionnaire (SAQ), quarterly ASV scans, and annual penetration testing. Some acquirers may require a QSA-validated assessment.
Level 3 — 20,000 to 1 Million E-commerce Transactions/Year
Annual SAQ, quarterly ASV scans. Applies specifically to e-commerce merchants.
Level 4 — Under 20,000 E-commerce or Up to 1 Million Other Transactions/Year
Annual SAQ and quarterly ASV scans (where applicable; your acquirer decides). Most small and mid-sized businesses fall into this category.
The 12 PCI-DSS Requirements
PCI-DSS 4.0 organizes its requirements into six goals and twelve requirement families. Here is what each requires and how we help you achieve compliance.
1. Install & Maintain Network Security Controls
Firewalls, network segmentation, and security controls that restrict traffic between the cardholder data environment (CDE) and untrusted networks. PCI 4.0 expanded this beyond traditional firewalls to include all network security controls.
2. Apply Secure Configurations
Vendor-supplied defaults must be changed before deployment. This includes default passwords, SNMP community strings, unnecessary accounts, and insecure protocols. We create and enforce configuration baselines for all systems in the CDE.
3. Protect Stored Account Data
Stored account data must be kept to the minimum needed and retained no longer than business, legal, or regulatory need requires. Wherever PAN is stored it must be rendered unreadable: encrypted with strong cryptography, truncated, tokenized, or hashed with a keyed cryptographic hash (PCI 4.0 no longer accepts an unkeyed hash of the PAN, because the known BIN and Luhn check digit leave too few candidates to resist brute force). PAN must never be stored in cleartext and must be masked when displayed. Sensitive authentication data (full track data, CVV/CVC, PIN blocks) must never be stored after authorization, even if encrypted, and must itself be encrypted if held before authorization.
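As an added example, not code from this page or from any vendor, the following Python scanner shows the three parts of Requirement 3 that a practitioner actually has to implement: discovering cleartext PANs and sensitive-authentication-data fields in text that should never contain them (here an application log), masking PANs for display, and producing a keyed hash of the PAN. The log lines are constructed (the card numbers are the public Visa and Amex test numbers), the log field names are an assumption, and the HMAC key is a throwaway literal that in a real system would be generated and held under Requirement 3.6/3.7 key management.

```python
"""PAN discovery, masking and keyed hashing for PCI DSS Requirement 3.

Added example for this page, not code from the page or from any vendor.
The log lines, field names and HMAC key are constructed for the
demonstration; a real key is never hard-coded.
"""
import hashlib
import hmac
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (which rules out most timestamps and IDs).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names that carry sensitive authentication data (SAD). SAD must not
# exist after authorization, so any hit in a stored log is a finding.
SAD_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cav2|pin|pin_?block|track[12]?)=", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check digit test; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs found in free text, separators stripped."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Display masking (Req 3.4.1): at most the BIN (first six) and last four."""
    if len(pan) < 13:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Keyed hash of the full PAN (Req 3.5.1.1). An unkeyed SHA-256 of a PAN
    is brute-forceable because the BIN and Luhn digit leave roughly 10^9
    candidates; the secret key is what makes the hash useless offline."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def scan_log(text: str) -> list[dict]:
    """Walk log lines and report cleartext PANs and SAD fields per line.
    PANs are reported masked so the scanner's own output stays out of scope."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        pans = find_pans(line)
        sad = SAD_FIELD_RE.findall(line)
        if pans or sad:
            findings.append({
                "line": lineno,
                "pans": [mask_pan(p) for p in pans],
                "sad_fields": [s.lower() for s in sad],
            })
    return findings


# Constructed sample: an application log that should contain no card data.
# Line 3 is a 20-digit request id (not a PAN); line 4 fails the Luhn check.
SAMPLE_LOG = """\
2025-03-31T10:02:11Z checkout order=A1007 pan=4111 1111 1111 1111 cvv=123 amount=49.90
2025-03-31T10:02:12Z checkout order=A1008 pan=378282246310005 amount=12.00
2025-03-31T10:02:13Z health ping request_id=20250331100213000001
2025-03-31T10:02:14Z checkout order=A1009 ref=1234567890123456 amount=5.00
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    # Throwaway key for the demonstration only.
    print(keyed_pan_hash("4111111111111111", b"demo-key-not-for-production"))
```

Running the block reports line 1 (a masked PAN plus a stored CVV field) and line 2 (a masked Amex PAN) and stays silent on the request id and the Luhn-invalid reference number. The same discovery logic, pointed at file shares, databases and backups rather than one log, is how the CDE scope is established in practice.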
4. Encrypt Transmission Over Open Networks
Cardholder data transmitted over public or untrusted networks must be protected with strong cryptography. SSL and early TLS are not considered strong, so in practice this means TLS 1.2 or higher with strong cipher suites; the connection must not be able to fall back to an insecure version or configuration. PCI 4.0 also requires an inventory of the entity's trusted keys and certificates, and PAN must never be sent unprotected over end-user messaging such as e-mail, SMS, or chat.
5. Protect Against Malicious Software
Anti-malware solutions must be deployed on all systems commonly affected by malware, kept current, and configured for periodic scans plus either active or real-time scanning or continuous behavioral analysis. Systems you consider not at risk must be justified by a periodic evaluation, and removable media must be scanned on use. PCI 4.0 added a requirement for mechanisms that detect and protect personnel against phishing attacks.
6. Develop & Maintain Secure Systems
Security patches must be applied within defined timeframes: critical and high-risk patches within one month of release, all others on a schedule justified by a targeted risk analysis. Custom and bespoke software must follow secure development practices, with code reviewed before release and developers trained at least annually. PCI 4.0 requires an automated technical solution in front of public-facing web applications (for example a web application firewall) that continually detects and blocks web-based attacks, and an inventory, authorization, and integrity justification for every script loaded on a payment page.
7. Restrict Access by Business Need
Access to cardholder data and CDE systems must be limited to individuals whose job requires it. Role-based access control, least privilege, and documented access approval processes are essential.
8. Identify Users & Authenticate Access
Every user must have a unique ID; shared and generic accounts are allowed only by exception. PCI 4.0 requires multi-factor authentication for all user access into the CDE, not just remote or administrative access, and MFA must use at least two different factor types, resist replay, and not be bypassable. Passwords and passphrases must be at least 12 characters (8 where the system cannot support 12) and contain both letters and numbers, and accounts must lock after no more than 10 failed attempts.
9. Restrict Physical Access
Physical access to the CDE must be controlled with badge access, visitor logs, video surveillance, and secure destruction of media containing cardholder data. Point-of-sale terminals must be inspected for tampering.
10. Log & Monitor All Access
All access to cardholder data and network resources must be logged and monitored. PCI 4.0 requires automated mechanisms to detect and alert on security events, with log review automated rather than manual where possible.
11. Test Security Regularly
Quarterly internal and external vulnerability scans (external scans by an ASV), annual penetration testing of the network and applications, quarterly detection of unauthorized wireless access points, intrusion detection or prevention, and change-detection (file integrity monitoring) on critical files. Segmentation controls must be tested at least annually for merchants and every six months for service providers. PCI 4.0 added authenticated internal vulnerability scanning and a change- and tamper-detection mechanism for payment pages.
12. Support Information Security with Policies
A comprehensive information security policy must be maintained, reviewed at least annually, and communicated to all personnel, with PCI scope documented and confirmed annually, third-party service providers managed, and an incident response plan kept current and tested. PCI 4.0 expanded this to require a documented, targeted risk analysis for every requirement that lets you choose a frequency, and a separate one for each requirement met through the customized approach.
Understanding SAQ Types
The Self-Assessment Questionnaire (SAQ) you must complete depends on how your business handles cardholder data. Choosing the correct SAQ is critical — using the wrong one can invalidate your compliance.
SAQ A — Card-Not-Present, Fully Outsourced
For e-commerce or mail/phone order merchants that fully outsource all cardholder data functions to PCI-compliant third parties, for example an e-commerce site whose payment page is a full redirect or an iframe served by the processor. No electronic storage, processing, or transmission of cardholder data on your systems. The shortest SAQ, although 4.0 added controls for the merchant's web server because it can still be attacked to tamper with the redirect.
SAQ A-EP — E-commerce with Website Impact
For e-commerce merchants whose website controls the redirect to a third-party payment processor. Your website can impact the security of the payment transaction even though it never directly handles card data. More requirements than SAQ A.
SAQ B — Imprint-Only or Standalone Terminals
For merchants using only standalone, dial-out payment terminals or imprint machines with no electronic cardholder data storage. No internet connection to the payment terminal.
SAQ B-IP — Standalone IP-Connected Terminals
For merchants using standalone PTS-approved payment terminals connected to the internet. No electronic cardholder data storage. The terminal must be segmented from other systems.
SAQ C — Payment Applications Connected to the Internet
For merchants with payment application systems connected to the internet but no electronic cardholder data storage. Applies to many retail POS system configurations. Two related questionnaires are easy to overlook: SAQ C-VT for merchants that key transactions manually into a web-based virtual terminal on an isolated workstation, and SAQ P2PE for merchants whose only card acceptance is through a PCI-listed point-to-point encryption solution.
SAQ D — All Other Merchants & Service Providers
The most comprehensive SAQ, covering all PCI-DSS requirements. Required for merchants that store cardholder data electronically, for merchants that do not fit any other SAQ, and for all service providers (who complete the separate SAQ D for Service Providers). By far the longest questionnaire, covering the full scope of PCI-DSS 4.0.
Key Changes in PCI DSS 4.0
PCI DSS 4.0 introduced significant changes that affect how organizations approach compliance. Here are the most impactful updates.
MFA Required for All CDE Access
Previously, MFA was required only for non-console administrative access and for remote access from outside the network. PCI 4.0 requires MFA for all user access into the cardholder data environment, including on-premises access by non-administrative users. This is a major change that affects network architecture and access workflows; the exceptions are automated system and application accounts and POS terminal accounts that handle one card number at a time.
Customized Approach
PCI 4.0 introduces a "customized approach" that allows organizations to meet the stated objective of a requirement through alternative controls, as long as a targeted risk analysis and the assessor's testing demonstrate that the objective is met. This provides flexibility but requires rigorous documentation, and it is only available to entities assessed by a QSA: merchants validating with an SAQ must use the defined approach for every requirement.
Enhanced Authentication Requirements
Passwords must now be at least 12 characters (up from 7). Account lockout after no more than 10 failed attempts (up from 6), with the lockout lasting at least 30 minutes or until reset. The session idle timeout stays at 15 minutes. Application and system accounts must be restricted to the least privilege needed, reviewed periodically, and may not be used for interactive login except by exception, with their passwords changed at a frequency set by a targeted risk analysis.
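The lockout threshold above and the monitoring obligation in Requirement 10 meet in the audit log: if an account logs in successfully a few minutes after its tenth failure, the lockout is not actually enforced, and that should raise an alert, not sit unnoticed in a log that is only reviewed manually. The Python below is an added example, not this page's or any vendor's code. It replays constructed authentication log lines (the line format and the hosts are assumptions) through a sliding-window counter that raises a lockout alert on the tenth failure and a separate control-failure alert if a success follows before the 30-minute minimum has passed.

```python
"""Failed-login burst detection and lockout-enforcement check.

Checks PCI DSS 4.0 Requirement 8.3.4 (lock out after no more than 10
invalid attempts, for at least 30 minutes or until reset) from the audit
trail required by Requirement 10. Added example for this page, not the
page's or any vendor's code; the log format and all lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

MAX_ATTEMPTS = 10                  # Req 8.3.4 upper bound on failed attempts
LOCKOUT = timedelta(minutes=30)    # Req 8.3.4 minimum lockout duration
WINDOW = timedelta(minutes=30)     # failures are counted inside this span (assumption)

# Assumed log format: "<ISO-8601 UTC> auth user=<id> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Return (timestamp, user, source, result) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["src"], m["result"]


def analyse(lines) -> list[dict]:
    """Emit 'lockout' when a user reaches MAX_ATTEMPTS failures inside WINDOW
    and 'lockout_not_enforced' when that user then authenticates successfully
    before LOCKOUT has elapsed (the control did not fire)."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}               # user -> time the lockout should end
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # malformed lines are skipped, not fatal
        ts, user, src, result = rec
        if result == "FAIL":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:
                q.popleft()         # drop failures that fell out of the window
            if len(q) >= MAX_ATTEMPTS and user not in locked_until:
                locked_until[user] = ts + LOCKOUT
                alerts.append({"type": "lockout", "user": user, "src": src, "at": ts})
        else:
            until = locked_until.pop(user, None)
            if until is not None and ts < until:
                alerts.append({"type": "lockout_not_enforced", "user": user,
                               "src": src, "at": ts})
            failures[user].clear()  # a success resets the failure count
    return alerts


def constructed_log() -> list[str]:
    """Constructed sample audit log (not real data)."""
    base = datetime(2025, 3, 31, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Ten failures in ten seconds against a service account, then a success
    # five minutes later: the lockout either does not exist or was bypassed.
    for i in range(10):
        lines.append(f"{(base + timedelta(seconds=i)).strftime(fmt)} "
                     f"auth user=svc_pos src=203.0.113.7 result=FAIL")
    lines.append(f"{(base + timedelta(minutes=5)).strftime(fmt)} "
                 f"auth user=svc_pos src=203.0.113.7 result=OK")
    # A user who mistypes three times and then logs in: no alert expected.
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=1, seconds=i)).strftime(fmt)} "
                     f"auth user=alice src=10.0.5.12 result=FAIL")
    lines.append(f"{(base + timedelta(minutes=2)).strftime(fmt)} "
                 f"auth user=alice src=10.0.5.12 result=OK")
    lines.append("this line is not an auth record")
    return lines


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample, the service account produces a lockout alert at its tenth failure and a lockout_not_enforced alert at the success five minutes later, while alice produces nothing. The same two rules, fed from a SIEM rather than a list of strings, satisfy the automated-alerting intent of Requirement 10 and give you evidence for 8.3.4 that does not depend on reading a policy document.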
Targeted Risk Analysis
Several requirements now mandate documented, targeted risk analyses to justify how often a control is performed, for example the frequency of log reviews for systems outside the core CDE, how quickly vulnerabilities below critical and high must be remediated, how often point-of-interaction devices are inspected for tampering, and how often incident response personnel are trained. A one-size-fits-all schedule with no written rationale is no longer sufficient.
Our PCI-DSS Compliance Services
PCI Gap Assessment
We assess your current environment against all applicable PCI-DSS 4.0 requirements, identify gaps, and create a prioritized remediation roadmap. We determine the correct SAQ type and scope your cardholder data environment.
Learn More About PCI Gap Assessment
Network Segmentation
We design and implement network segmentation to isolate your cardholder data environment from the rest of your network. Proper segmentation reduces your PCI scope — often dramatically — which reduces cost and complexity.
Learn More About Network Segmentation
Encryption & Tokenization
AES-256 encryption for stored cardholder data, TLS 1.2+ with strong cipher suites for data in transit, and tokenization strategies to remove card data from your environment entirely where possible. Key management per Requirement 3.6 and 3.7 is included: documented key custodians, key-encrypting keys at least as strong as the data keys they protect, split knowledge and dual control for any manual clear-text key operations, and defined key rotation and retirement.
Learn More About Encryption & Tokenization
Vulnerability Scanning & Pen Testing
Quarterly ASV scans, internal vulnerability scanning, and annual penetration testing per PCI-DSS requirements. We remediate findings and rescan to ensure passing results before your SAQ submission.
Learn More About Vulnerability Scanning & Pen Testing
Log Management & Monitoring
Centralized logging with SIEM integration, automated alerting, and regular log review processes that satisfy Requirement 10. We retain logs for the required 12 months with 3 months immediately available.
Learn More About Log Management & Monitoring
SAQ Preparation & Support
We help you complete the correct Self-Assessment Questionnaire with accurate, defensible answers. For Level 1 merchants, we coordinate with your QSA and prepare evidence for the Report on Compliance.
Learn More About SAQ Preparation & Support
Our PCI Compliance Process
Scope & Assess
Define your cardholder data environment, identify all data flows, determine the correct SAQ type, and assess current controls against PCI-DSS 4.0 requirements.
Remediate
Implement network segmentation, encryption, access controls, logging, vulnerability management, and all other required technical controls. Develop policies and train staff.
Validate
Complete quarterly ASV scans, annual penetration testing, and internal vulnerability scans. Verify all controls are operating effectively. Complete the SAQ or prepare for QSA assessment.
Maintain
Ongoing monitoring, quarterly scans, annual reassessment, policy updates, and continuous compliance management. PCI compliance is not a one-time event.
Why BrightWorks IT for PCI Compliance
Network Architecture Expertise
Proper network segmentation is the single most effective way to reduce PCI scope and compliance cost. We design CDE architectures that minimize your attack surface while maintaining operational efficiency — often reducing the number of applicable requirements by 50% or more.
Implementation + Validation
We don't just tell you what to fix — we implement the controls, run the scans, and prepare the documentation. Our clients submit their SAQs with confidence because we've already validated every control before submission.
PCI 4.0 Ready
We have already updated our processes, templates, and technical implementations for PCI DSS 4.0 and the v4.0.1 revision, including the future-dated requirements that become mandatory on March 31, 2025. Our clients are ahead of the curve, not scrambling to catch up.
Related Compliance Services
HIPAA Compliance
For healthcare organizations that also process patient payments.
SOC 2 Readiness
For SaaS and service organizations needing SOC 2 alongside PCI.
State Privacy Laws
Privacy regulations that may apply to your customer payment data.
Cyber Insurance
Insurance carriers require many of the same controls as PCI-DSS.
PCI-DSS Compliance FAQ
Ready to Make IT Your Competitive Advantage?
Schedule a free, no-obligation IT assessment with our team. We'll show you exactly where your technology stands — and where it should be.