PCI DSS v4.0 compliance consulting for merchants and service providers.

What PCI DSS actually is

The Payment Card Industry Data Security Standard is a contractual security baseline maintained by the PCI Security Standards Council and enforced by the five participating card brands (Visa, Mastercard, American Express, Discover, JCB) through their acquiring-bank and program-manager contracts. PCI DSS is not federal law in the United States, but the contractual obligation to comply is binding on every entity that stores, processes, or transmits cardholder data, and several state statutes (Nevada NRS 603A.215, Washington RCW 19.255.020) reference PCI DSS by name. Failing PCI DSS does not get you fined by the federal government - it gets you fined by your acquirer, raises your interchange rates, exposes you to chargeback liability for fraudulent transactions, and in the worst case ends with your acquirer terminating your merchant account.

The standard runs on a roughly three-year revision cycle. The current version is PCI DSS v4.0.1, published in June 2024 and replacing v4.0 as the only recognized version on January 1, 2025. The full set of v4.0 future-dated requirements becomes mandatory on March 31, 2025 - meaning every entity validating compliance after that date must meet the full v4.0.1 control set, including 64 new or substantively changed sub-requirements that did not exist in v3.2.1. A handful of payment-page integrity requirements (6.4.3 and 11.6.1) have been clarified in v4.0.1 and remain effective on the same March 2025 date. Read our complete PCI DSS guide for businesses for the executive-friendly version of the same material.

The Cardholder Data Environment - the single most important PCI term

Everything in PCI DSS hangs from the definition of the Cardholder Data Environment, or CDE. The CDE is the people, processes, technology, and connections that store, process, or transmit cardholder data or sensitive authentication data. Anything inside the CDE is fully in scope for all 12 PCI DSS requirements. Anything outside the CDE but connected to it ("connected to" or "security impacting" systems) is in scope for a narrower set of segmentation, access control, and monitoring requirements. Anything fully isolated from the CDE through documented segmentation and validated by segmentation testing (Req 11.4.5) is out of scope.

This is where most PCI engagements get expensive. A merchant who assumes "we are SAQ A because we use Stripe Checkout" but actually has a hosted iframe loading a script from their own domain has dragged the parent web server into the CDE. A merchant whose call center agents read card numbers over a recorded VoIP line has put the entire phone system into the CDE. A merchant whose backup vendor stores unencrypted database snapshots that contain truncated PAN data has put the backup repository into the CDE. Real CDE scoping requires looking at the data, not the marketing assumption.

The four merchant levels (and service-provider levels)

Card brands classify merchants into four levels based on annual transaction volume per brand. The level determines validation effort and reporting cadence:

• Level 1 - more than 6 million Visa or Mastercard transactions per year, or any merchant compromised within the past 12 months, or any merchant the card brand has designated Level 1 at its discretion. Validation requires an annual Report on Compliance (ROC) signed by a Qualified Security Assessor and quarterly ASV scans.
• Level 2 - 1 million to 6 million transactions per year (Visa, Mastercard, Discover) or 50,000 to 2.5 million (American Express). Most Level 2 merchants validate via SAQ, but some acquirers require a ROC. Quarterly ASV scans required.
• Level 3 - 20,000 to 1 million e-commerce transactions per year. Validation via SAQ plus quarterly ASV scans.
• Level 4 - fewer than 20,000 e-commerce transactions per year, or up to 1 million total transactions per year across all channels. Validation via SAQ at acquirer discretion. Quarterly ASV scans required for any internet-facing system in the CDE.

Service providers (any entity that stores, processes, or transmits cardholder data on behalf of merchants - payment gateways, payment processors, hosted call centers, managed firewall providers serving the CDE) have a separate two-level classification. Level 1 service providers (more than 300,000 transactions per year processed on behalf of merchants) require an annual ROC by a QSA and six-monthly segmentation testing per Req 11.4.5. Level 2 service providers (under 300,000 transactions) typically validate via SAQ D for Service Providers.

The Self-Assessment Questionnaires - knowing which one applies

There are nine SAQs in v4.0.1, each scoped to a specific acceptance channel. Picking the right one is the single highest-leverage decision in a PCI engagement, because every SAQ is a different number of requirements:

• SAQ A - card-not-present merchants whose payment processing is fully outsourced to a PCI DSS validated third party. The merchant never touches PAN data. Roughly 30 sub-requirements. This is the smallest SAQ and the goal scope for most e-commerce merchants.
• SAQ A-EP - e-commerce merchants who partially outsource payment processing but whose website affects security of the payment transaction (for example, a hosted iframe loaded from the merchant's own domain). Approximately 150 sub-requirements. Larger than many merchants expect because the web server is in scope.
• SAQ B - merchants using imprint machines or standalone dial-out terminals, no electronic cardholder data storage. Very narrow scope, declining usage.
• SAQ B-IP - merchants using standalone IP-connected payment terminals (no electronic cardholder data storage) with the terminals isolated from any other system. The most common SAQ for small card-present retailers.
• SAQ C - merchants with payment application systems connected to the internet, no electronic cardholder data storage. Around 160 sub-requirements.
• SAQ C-VT - merchants using a virtual terminal on a single isolated computer, no electronic cardholder data storage. Useful for low-volume call centers and back-office charge-entry workflows.
• SAQ D for Merchants - any merchant that does not qualify for any of the above. This is the full PCI DSS control set as a self-assessment - over 300 sub-requirements.
• SAQ D for Service Providers - the service-provider analog of SAQ D-Merchant, plus the service-provider-specific requirements (Req 12.8.x, 12.9.x).
• SAQ P2PE - merchants using a validated PCI P2PE point-to-point encrypted payment solution. The smallest SAQ - around 35 sub-requirements - because the P2PE solution removes the merchant from the CDE.

Picking the wrong SAQ is one of the most common findings in acquirer reviews. SAQ A-EP merchants who self-attested as SAQ A frequently get reclassified during a breach investigation, which makes the breach response materially more expensive and exposes the merchant to higher fines under the card-brand assessment regime.

ROC, AOC, ASV - the three letters every PCI engagement produces

A Report on Compliance (ROC) is the full PCI DSS audit report produced annually by a Qualified Security Assessor for Level 1 merchants and Level 1 service providers. It documents every PCI DSS requirement, the testing procedures performed, and the evidence reviewed. A ROC runs hundreds of pages.

An Attestation of Compliance (AOC) is the cover-page summary signed by an authorized merchant or service-provider officer attesting that the SAQ or ROC results are accurate. The AOC is the document that gets sent to acquirers, card-brand programs, and B2B customers conducting vendor due diligence. AOCs come in different flavors matched to each SAQ and ROC type.

An Approved Scanning Vendor (ASV) is a vendor approved by the PCI Security Standards Council to perform external network vulnerability scans against internet-facing components of the CDE. Quarterly passing scans are mandatory for any merchant or service provider with internet-exposed CDE infrastructure. The ASV produces its own attestation that gets bundled into the AOC.

PCI DSS overlap with HIPAA, CMMC, SOC 2, and cyber-insurance underwriting

The fastest path to PCI DSS compliance for an organization already running another security regime is to extend the existing control set rather than build a parallel program. The overlap is genuine and the savings are substantial when planned correctly.

HIPAA and PCI DSS

Any healthcare practice that accepts card payments - which is essentially every healthcare practice - lives under both regimes simultaneously. HIPAA's audit-controls standard at 164.312(b) maps cleanly to PCI DSS Requirement 10 (logging and monitoring). HIPAA's access-control standard at 164.312(a) maps to PCI DSS Requirement 7 and 8 (access control and authentication). Encryption at rest and in transit under HIPAA maps to PCI DSS Requirement 3 and 4. A practice that has built a proper HIPAA program already has 60-70% of the technical controls PCI DSS requires - what remains is the CDE-specific scope work and the cardholder-data-flow analysis.

CMMC and PCI DSS

Defense contractors that also accept card payments (for example, a federal training contractor selling courses to government employees, or a defense supplier accepting purchase-card transactions) run PCI DSS alongside CMMC. NIST SP 800-171 controls map heavily to PCI DSS requirements. The cleanest dual-regime path is to use the CMMC enclave as the PCI CDE boundary - the segmentation work has already been done, the access control is already enforced, and the audit logging is already retained.

SOC 2 Type II and PCI DSS

SaaS providers pursuing SOC 2 Type II as their primary B2B trust signal often discover that their customers (especially payment-adjacent customers) also require PCI DSS validation. SOC 2 Type II's Trust Services Criteria for Security, Availability, and Confidentiality map to PCI DSS Requirements 1 through 12 with material gaps - SOC 2 does not specifically address payment-card data flows, ASV scanning, or segmentation testing. The unified approach is to scope SOC 2 broadly and PCI DSS narrowly to the payment-handling subsystem.

Cyber-insurance underwriting and PCI DSS

Every cyber-insurance carrier in the US market now asks PCI-related questions on the renewal questionnaire. Some carriers will not renew a merchant policy without proof of current PCI DSS compliance. Several carriers offer premium reductions for merchants who can produce a Petronella-style evidence binder. Carriers care most about MFA enforcement, encryption posture, incident response readiness, and ASV scan results - all of which PCI DSS requires. A properly executed PCI program is, in practice, the strongest renewal case a merchant can make.

What the overlap actually saves

For a healthcare practice already running HIPAA, adding PCI DSS as a SAQ B-IP terminal-isolation program is typically a four-to-six-week engagement rather than a four-to-six-month one. For a CMMC Level 2 defense contractor adding PCI to handle purchase-card transactions, the engagement runs eight to twelve weeks because the CDE scoping has to be done explicitly even though the underlying control set already exists. For a SaaS provider with a clean SOC 2 Type II report, adding PCI DSS as a SAQ A-EP web-tier program is typically six to ten weeks - the security work is done, the documentation work is new.