Payment Card Industry Data Security Standard
The global standard that sets security requirements for any entity that stores, processes or transmits payment-card data.
What PCI DSS 4.0 actually is.
PCI DSS is the payment-card industry's mandated baseline for protecting cardholder data. v4.0 introduced 64 new or clarified requirements, including targeted risk analysis, DMARC-style phishing controls, client-side script-integrity monitoring (6.4.3) and detection of payment-page script tampering (11.6.1). Merchants and service providers are required to comply; levels of validation depend on annual transaction volumes and scheme requirements.
Applies to: all entities that store, process or transmit cardholder data and/or sensitive authentication data - merchants, service providers, acquirers, issuers and processors.
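As an added example (it is not part of this page and is not Vectra's tooling), the following Python script shows one way to implement the checks that requirements 6.4.3 and 11.6.1 call for: build an inventory of the scripts loaded by a payment page with a hash baseline, then re-check the page later and flag any script that was added, altered or removed. The page HTML, script URLs and script bodies are constructed sample data, and the fetch callback stands in for retrieving script bodies over the network, so the script runs offline.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script> element: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # list of (kind, src, body)
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            if self._src:
                self.scripts.append(("external", self._src, None))
            else:
                self.scripts.append(("inline", None, "".join(self._buf)))
            self._in_script = False


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect_scripts(html: str):
    collector = ScriptCollector()
    collector.feed(html)
    return collector.scripts


def build_baseline(html: str, fetch):
    """Authorised inventory (6.4.3): {src: sha256} for external scripts and a set
    of sha256 digests for inline scripts. `fetch(src)` returns the script bytes."""
    external, inline = {}, set()
    for kind, src, body in collect_scripts(html):
        if kind == "external":
            external[src] = sha256_hex(fetch(src) or b"")
        else:
            inline.add(sha256_hex(body.encode("utf-8")))
    return external, inline


def check_page(html: str, fetch, baseline):
    """Tamper/change detection (11.6.1): compare the page as observed now against
    the baseline and return a list of (finding, identifier) tuples."""
    external_baseline, inline_baseline = baseline
    findings, seen_external, seen_inline = [], set(), set()
    for kind, src, body in collect_scripts(html):
        if kind == "external":
            seen_external.add(src)
            content = fetch(src)
            digest = sha256_hex(content) if content is not None else "unavailable"
            if src not in external_baseline:
                findings.append(("unauthorised_external", src))
            elif external_baseline[src] != digest:
                findings.append(("modified_external", src))
        else:
            digest = sha256_hex(body.encode("utf-8"))
            seen_inline.add(digest)
            if digest not in inline_baseline:
                findings.append(("unauthorised_inline", digest))
    for src in external_baseline:
        if src not in seen_external:
            findings.append(("missing_external", src))
    for digest in inline_baseline:
        if digest not in seen_inline:
            findings.append(("missing_inline", digest))
    return findings


# Constructed sample: the payment page as approved when the baseline was taken.
APPROVED_HTML = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.example/lib/forms.min.js"></script>
</head><body>
<script>window.checkoutConfig = {currency: "AUD"};</script>
</body></html>"""

# Constructed sample: the same page observed later, with an extra external
# script, a changed inline script and a changed library body.
OBSERVED_HTML = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.example/lib/forms.min.js"></script>
<script src="https://unknown.example/extra.js"></script>
</head><body>
<script>window.checkoutConfig = {currency: "AUD", debug: true};</script>
</body></html>"""

# Constructed stand-ins for script bodies fetched over the network.
APPROVED_BODIES = {
    "https://shop.example/static/checkout.js": b"console.log('checkout v1');",
    "https://cdn.example/lib/forms.min.js": b"/* forms 1.0 */",
}
OBSERVED_BODIES = {
    "https://shop.example/static/checkout.js": b"console.log('checkout v1');",
    "https://cdn.example/lib/forms.min.js": b"/* forms 1.0 */ /* altered */",
    "https://unknown.example/extra.js": b"/* not in the approved inventory */",
}

if __name__ == "__main__":
    baseline = build_baseline(APPROVED_HTML, APPROVED_BODIES.get)
    for finding in check_page(OBSERVED_HTML, OBSERVED_BODIES.get, baseline):
        print(*finding)
```

Inline scripts are keyed by their hash rather than by position, so an edited inline script surfaces as one unauthorised and one missing entry, the same way a CSP hash-source would reject it; external scripts are keyed by URL so a changed body on an approved URL is reported as modified. A production implementation would run this from the consumer's viewpoint, on a schedule, with the baseline kept under change control.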
The control areas the framework covers.
Summary of the control families and outcomes the framework drives. Always validate against the official publication for the authoritative wording.
01  Build and maintain secure networks - Install and maintain network security controls; apply secure configurations to all system components.
02  Protect account data - Protect stored account data; protect cardholder data with strong cryptography during transmission over open, public networks.
03  Maintain a vulnerability management programme - Protect all systems and networks from malicious software; develop and maintain secure systems and software.
04  Implement strong access control - Restrict access to system components and cardholder data by business need-to-know; identify users and authenticate access; restrict physical access to cardholder data.
05  Regularly monitor and test networks - Log and monitor all access to system components and cardholder data; test the security of systems and networks regularly.
06  Maintain an information-security policy - Support information security with organisational policies and programmes.
Read it from the issuing body.
For anything with a regulator or certification body behind it, the authoritative text is what counts - not our summary.
Payment Card Industry Data Security Standard
pcisecuritystandards.org/document_library
Content on this page is a plain-language summary for programme planning. It is not legal or regulatory advice, and it does not replace a current copy of the issuer's publication.
How Vectra delivers against PCI DSS 4.0.
Assessment, engineering and operational services that line up with the framework's control areas.
PCI DSS Consulting & Compliance
Australia's first certified QSA Company. Twenty years of PCI DSS assessments, pen tests and v4.0 script monitoring for merchants, service providers and banks.
Penetration Testing
Find it before the attackers do - CREST-certified engagements that deliver actionable findings, not compliance checkboxes.
Vulnerability Scanning
Continuous, authenticated discovery with triaged remediation guidance - not a dump of CVEs.
Managed Detection & Response
Sovereign Australian XDR powered by nine global SOCs, AWS Australia hosting and 24x7 human-verified response.
Where PCI DSS 4.0 shows up.
Sectors where Vectra most commonly applies this framework; each links to the industry-specific programme view.
Security, engineered around you.
Talk to an engineer - not a call centre. Most Vectra conversations start with a 30-minute technical briefing and end with a written plan.