
PCI DSS v4.0 Readiness Guide

If your organisation stores, processes or transmits cardholder data, PCI DSS applies to you. This guide breaks the standard down into the decisions and steps that actually move you toward compliance, and highlights what is new in version 4.0.


1. Understand what PCI DSS protects

PCI DSS is the card-industry security standard for protecting cardholder data (the card number and related data). It applies to merchants and service providers alike. The single biggest driver of both cost and risk is how much of your environment falls "in scope" — so scoping comes first.

2. Define your Cardholder Data Environment (CDE)

Your CDE is every system that stores, processes or transmits cardholder data, plus anything connected to it. Map exactly where card data enters, flows and rests.

  • Diagram card-data flows end to end, including third parties.
  • Use network segmentation to isolate the CDE and shrink scope.
  • Consider tokenisation or outsourcing card handling to reduce what you must protect.

3. Know your validation level

How you validate depends on your role (merchant vs service provider) and transaction volume. Merchants fall into Levels 1–4; Level 1 requires a Report on Compliance (ROC) by a QSA, while lower levels may use a Self-Assessment Questionnaire (SAQ). Choosing the correct SAQ type is essential — the wrong one wastes effort.

4. The 12 requirements at a glance (grouped by goal)

  • Build & maintain a secure network (firewalls, no vendor defaults).
  • Protect stored cardholder data & encrypt transmission.
  • Maintain a vulnerability management programme (anti-malware, secure development).
  • Implement strong access control (need-to-know, unique IDs, physical access).
  • Monitor & test networks (logging, vulnerability scans, penetration testing).
  • Maintain an information security policy.

5. What changed in v4.0

Version 4.0 is the current standard and introduces meaningful shifts you should plan for:

  • Customised approach: meet a requirement’s objective with alternative controls, backed by a targeted risk analysis.
  • Stronger authentication: expanded MFA expectations, including for all access into the CDE.
  • Anti-phishing and expanded requirements for service providers.
  • Some requirements are "future-dated" — treat them as best practice now and mandatory at the stated date.

6. Close the common gaps

  • Unsegmented networks that pull everything into scope.
  • Missing or weak encryption and key-management practices.
  • Incomplete MFA on remote and administrative access.
  • Ad-hoc logging that can’t support an investigation.
  • No routine internal and external vulnerability scanning or penetration testing.

7. Assemble evidence and validate

Compliance is proven with evidence — configurations, scan results, policies and records. Coordinate ASV scans and penetration testing, remediate findings, retest, and then complete the SAQ or QSA-led ROC. Build the evidence habit continuously rather than scrambling before the assessment.

8. A sensible roadmap

  • Weeks 1–2: scope the CDE and map data flows.
  • Weeks 3–6: segment, remediate high-risk gaps, stand up logging and MFA.
  • Weeks 7–10: scans, penetration test, evidence collection.
  • Weeks 11+: formal validation (SAQ or QSA ROC) and attestation.

How CyberSigma helps

We are authorised to perform PCI QSA work across the CEMEA region. Our senior assessors help you scope accurately, remediate efficiently and complete the formal assessment — from readiness to a signed Attestation of Compliance.

This guide is educational and not legal advice. Requirements evolve — validate specifics against the current standard or regulation for your situation.
