PCI DSS Compliance Validation Workflow

Introduction: The PCI DSS 4.0.1 Imperative {#introduction-the-pci-dss-imperative}

As of March 31, 2025, all requirements in PCI DSS v4.0.1 are fully mandatory. The grace period for previously optional "best practice" items has ended, fundamentally raising the security bar for every organization that stores, processes, or transmits cardholder data.

PCI DSS compliance is not optional for any business accepting payment cards. The consequences of non-compliance include:

Monthly fines from $5,000 to $100,000 per month
Increased transaction fees (0.5-2% surcharge)
Loss of ability to process card payments
Legal liability in the event of a data breach
Average breach cost of $4.88 million (2025 Verizon DBIR)

According to the 2025 Verizon Data Breach Investigations Report, payment card data remains one of the most targeted asset types in cyberattacks. The stakes for non-compliance have never been higher.

This comprehensive workflow guides organizations through the complete PCI DSS compliance validation process, from merchant level classification through Self-Assessment Questionnaire (SAQ) completion and ongoing maintenance. Whether you're a small merchant completing SAQ A (22 questions) or a Level 1 service provider undergoing a full QSA audit (350+ requirements), this guide provides the roadmap to achieve and maintain compliance.

Understanding PCI DSS 4.0.1 Changes {#understanding-pci-dss-changes}

PCI DSS v4.0.1 (March 2024) introduced significant changes from version 3.2.1:

Key Enhancements:

Authenticated vulnerability scans mandatory (no more unauthenticated scans)
Disk encryption alone insufficient (application-layer encryption required)
Multi-factor authentication for ALL CDE access (not just remote access)
Network segmentation testing annually (penetration testing validation)
Service provider scoping validation every 6 months (was annual)
Targeted risk analysis approach (flexibility with documentation requirements)

Compliance Timeline:

March 31, 2024: PCI DSS v4.0.1 becomes active standard
March 31, 2025: ALL v4.0 requirements mandatory (grace period ended)
Organizations on v3.2.1 are now non-compliant

The transition from v3.2.1 to v4.0.1 typically requires 3-6 months of remediation for most organizations.

Stage 1: Merchant Level Classification & Assessment Type Selection (1-2 days) {#stage-1-merchant-level-classification}

Understanding Merchant Levels {#understanding-merchant-levels}

PCI DSS defines four merchant levels based on annual transaction volume across all card brands (Visa, Mastercard, Amex, Discover combined):

Merchant Level Classification:

Level	Annual Transactions	Validation Requirements	Assessment Type
Level 1	Over 6 million	QSA audit (ROC) + quarterly ASV scans	External QSA required
Level 2	1-6 million	SAQ + quarterly ASV scans	SAQ (QSA optional)
Level 3	20,000-1 million (e-commerce)	SAQ + quarterly ASV scans	SAQ (QSA optional)
Level 4	Under 20,000 (e-commerce) or under 1M (other)	SAQ + quarterly ASV scans	SAQ (QSA optional)

Service Provider Classifications:

Level 1: Over 300,000 transactions/year - QSA audit mandatory
Level 2: Under 300,000 transactions/year - SAQ acceptable (some card brands require QSA)

Service providers are held to stricter standards than merchants due to their impact on the broader payment ecosystem.

Selecting the Correct SAQ Type {#selecting-the-correct-saq-type}

Choosing the wrong SAQ type results in invalid compliance attestation. There are 8 SAQ types for different merchant environments:

SAQ A (22 questions) - Fully Outsourced E-commerce:

Payment processing completely outsourced to PCI-compliant third parties
No electronic cardholder data storage, processing, or transmission
Payment pages hosted externally (redirect model)
Examples: Shopify hosted checkout, PayPal redirect, Stripe Checkout redirect
Lowest compliance burden
Timeline: 2-4 weeks typical

SAQ A-EP (178 questions) - E-commerce with Embedded Forms:

Payment processing outsourced but embed payment form on website
Use iframes or JavaScript from PCI-compliant provider
Website controls payment page but doesn't receive cardholder data
Examples: Stripe Elements, Braintree Hosted Fields
Medium complexity
Timeline: 6-12 weeks typical

SAQ B (41 questions) - Standalone Terminals:

Standalone dial-out terminals not connected to internet
Imprint machines (manual card processing)
No electronic cardholder data storage
Retail point-of-sale environments
Timeline: 4-8 weeks typical

SAQ B-IP (82 questions) - IP-Connected Terminals:

Standalone IP-connected POS terminals
Terminals validated to PCI PTS (Point-to-Point Encryption)
No other systems on same network segment
No cardholder data storage
Timeline: 6-10 weeks typical

SAQ C (160 questions) - Payment Application on Shared Device:

Payment application and internet on same device
No electronic cardholder data storage
Examples: Virtual terminals on office computers
Timeline: 8-12 weeks typical

SAQ C-VT (80 questions) - Virtual Terminal Only:

Web-based virtual terminals only (manual card number entry)
Hosted by PCI-compliant third party
No cardholder data storage
Examples: Authorize.net Virtual Terminal, PayPal Virtual Terminal
Timeline: 4-8 weeks typical

SAQ P2PE-HW (28 questions) - Point-to-Point Encryption:

Validated Point-to-Point Encryption solution
PCI-listed P2PE hardware from PCI SSC approved list
No other cardholder data processing
Dramatic scope reduction (smallest SAQ)
Timeline: 4-6 weeks typical

SAQ D Merchant (329 questions) - All Other Merchants:

E-commerce sites receiving cardholder data directly
Merchants storing cardholder data electronically
Custom payment integrations
Multiple payment channels
Most comprehensive merchant SAQ
Timeline: 3-6 months typical

SAQ D Service Provider (353 questions) - Service Providers Only:

Only option for service providers
Includes additional service provider requirements
Most comprehensive assessment
Timeline: 6-12 months typical

Implementation Planning {#implementation-planning}

Use our Compliance Readiness Checklist to:

Assess current PCI DSS maturity
Identify applicable merchant level
Receive SAQ type recommendation
Generate initial gap analysis
Estimate compliance timeline

Budget planning with our Cybersecurity Budget Calculator:

QSA audit costs: $15,000-$150,000 (varies by scope and organization size)
ASV scanning: $1,200-$5,000/year for quarterly external scans
Tool licensing: Firewalls, IDS/IPS, SIEM, encryption, file integrity monitoring
Remediation projects: Network segmentation, tokenization, P2PE implementation
Personnel training: Security awareness, incident response

Typical Cost Ranges by Merchant Level:

Level 4 (SAQ A): $5,000-$15,000 initial + $3,000-$8,000/year ongoing
Level 3 (SAQ A-EP/D): $20,000-$60,000 initial + $10,000-$25,000/year
Level 2 (SAQ D): $50,000-$150,000 initial + $25,000-$60,000/year
Level 1 (QSA Audit): $150,000-$500,000 initial + $80,000-$250,000/year

Deliverables {#stage-1-deliverables}

Merchant level classification document with transaction volume verification
SAQ type selection with detailed justification
Compliance project timeline (3-18 months depending on scope)
Budget allocation and resource requirements
Executive stakeholder notification and project kickoff documentation

Stage 2: Scope Definition & Cardholder Data Environment Mapping (2-5 days) {#stage-2-scope-definition}

Understanding Cardholder Data {#understanding-cardholder-data}

PCI DSS distinguishes between cardholder data (which can be stored if protected) and sensitive authentication data (which must NEVER be stored after authorization):

Cardholder Data (storage allowed if protected):

Primary Account Number (PAN) - 16-digit card number (most critical element)
Cardholder name
Expiration date
Service code

Sensitive Authentication Data (NEVER store after authorization):

Full magnetic stripe data (Track 1 and Track 2)
CAV2/CVC2/CVV2/CID (3-4 digit security code on back of card)
PIN or PIN block

Storing sensitive authentication data after transaction authorization is an automatic PCI DSS violation, even if encrypted. This is non-negotiable.

Defining the Cardholder Data Environment {#defining-the-cde}

The Cardholder Data Environment (CDE) includes all system components that store, process, or transmit cardholder data:

System Components in CDE:

Web servers accepting payment forms
Payment applications (POS systems, e-commerce platforms)
Databases storing PAN (even if encrypted)
Payment gateways and processors
Point-of-sale terminals
Merchant payment processing systems

Connected Systems (also in scope):

Systems on same network segment as CDE
Systems providing security services to CDE (firewalls, IDS/IPS, SIEM, authentication servers)
Systems with administrative access to CDE
Backup systems storing CDE data
Log servers receiving CDE system logs
Jump boxes/bastion hosts with CDE access

People with CDE Access:

All personnel with physical or logical access to cardholder data
Administrators, developers, DBAs, support staff
Third-party contractors with access
Remote users connecting via VPN to CDE

Processes Handling Cardholder Data:

Payment transaction processing
Card data storage and retrieval
Reporting accessing cardholder data
Backup and disaster recovery procedures
Data destruction and purging

Data Flow Mapping Exercise {#data-flow-mapping}

Document EVERY stage where cardholder data exists:

E-commerce Payment Flow Example:

1. Customer enters card data
   → Web browser (HTTPS/TLS 1.2+ encryption)

2. Data transmitted via encrypted connection
   → Load balancer (SSL/TLS termination)

3. Web server receives payment request
   → Web application server [IN SCOPE]

4. Payment data sent to payment gateway
   → API call to Stripe/Authorize.net/processor

5. Response with token/authorization
   → Web application server receives tokenized response

6. Store transaction record
   → Database [SCOPE DEPENDS on whether PAN stored]

7. Authorization to payment network
   → Payment processor to card issuing bank

8. Settlement and funding
   → Merchant bank account (out of scope)

Critical Questions for Each Data Flow Stage:

Is full PAN present or tokenized?
What systems touch the data?
How is data encrypted in transit (TLS version, cipher suites)?
How is data encrypted at rest (algorithm, key management)?
Who has access to systems at this stage?
Are there logging mechanisms capturing cardholder data?
What backup systems store this data?

Network Diagram Documentation {#network-diagram-documentation}

Create comprehensive network diagrams showing:

All network zones (DMZ, internal, CDE, management, out-of-scope)
Firewalls and segmentation enforcement points
Data flows with protocols and port numbers
System components with IP addresses and hostnames
Wireless networks (if applicable to CDE)
VPN connections and remote access points
Third-party connections (processors, gateways, managed service providers)

Use network diagram tools (Lucidchart, Draw.io, Microsoft Visio) combined with our Subnet Calculator for:

Network segmentation planning
VLAN design for CDE isolation
IP address allocation and subnet mask calculations
CIDR notation for firewall rules

Scope Reduction Strategies {#scope-reduction-strategies}

Best Practice: Minimize PCI scope = Minimize compliance burden

The smaller your CDE, the fewer systems require PCI controls, resulting in lower costs and simpler maintenance.

Strategy 1: Tokenization

Replace PAN with non-sensitive random token
Token stored in merchant database; actual PAN stored in secure token vault at processor
Reduces scope dramatically (potentially SAQ D to SAQ A-EP or A)
Providers: Stripe, Braintree, Spreedly, TokenEx
Cost: 2-5 cents per tokenization transaction
Implementation timeline: 2-8 weeks
ROI: 70-90% reduction in compliance costs

Strategy 2: Point-to-Point Encryption (P2PE)

Encrypt cardholder data at the moment of card swipe/dip
Data remains encrypted until reaching payment processor
PCI-validated P2PE solutions from PCI SSC P2PE Solutions List
Reduces SAQ from D (329 questions) to P2PE-HW (28 questions)
Providers: Bluefin, Shift4, OpenEdge
Cost: $50-$200 per terminal + per-transaction fees
Implementation timeline: 4-12 weeks
ROI: 85-95% scope reduction for card-present environments

Strategy 3: Network Segmentation

Isolate CDE from rest of corporate network using VLANs and firewalls
Strict firewall rules enforcing deny-all, permit-by-exception
Reduces in-scope systems by 50-90%
Requires annual penetration testing to validate (PCI Requirement 11.4.5)
Implementation timeline: 4-8 weeks
Cost: $10,000-$50,000 for enterprise network redesign
ROI: Dramatic reduction in number of systems requiring PCI controls

Strategy 4: Hosted Payment Pages

Redirect customer to third-party payment page (Stripe, PayPal, Braintree)
Merchant never receives or touches cardholder data
Qualifies for SAQ A (22 questions) - simplest compliance path
Trade-off: Less control over payment user experience
Cost: Transaction fees only (2.9% + $0.30 typical)
Implementation timeline: 1-4 weeks
ROI: 90%+ reduction in compliance burden

Strategy 5: Eliminate Cardholder Data Storage

Don't store PAN unless absolutely necessary for business requirements
Use payment gateway's customer vault/stored card features
Purge historical transaction data (PAN) after retention requirement met
Configure applications to NOT log PAN in error messages or debug logs
Cost: Minimal (process change)
Timeline: 2-4 weeks
ROI: Removes entire data-at-rest protection requirements

Annual Scoping Validation {#annual-scoping-validation}

PCI Requirement 12.5.2: Annual Scoping Exercise (Merchants) or Semi-Annual (Service Providers)

Required activities once per year minimum (service providers: every 6 months):

Confirm all data flows and cardholder data storage locations
Validate all system components remain accurately identified
Review network segmentation controls effectiveness
Document all connections from third parties
Justify any systems claimed to be out-of-scope
Update network diagrams to reflect infrastructure changes
Re-assess impact of business changes (new payment channels, cloud migrations, M&A)

Triggers for immediate re-scoping:

New payment channels (mobile app, additional e-commerce site, recurring billing)
Infrastructure changes (cloud migration, data center move, hosting provider change)
Application updates adding payment features
Mergers and acquisitions
New third-party service provider connections
Security incidents or breaches

Common Scoping Mistakes {#common-scoping-mistakes}

1. Missing Systems:

Backup/disaster recovery systems storing CDE data
Development and test environments with production data copies
Logging servers receiving CDE system logs
Jump boxes and bastion hosts with CDE administrative access
Contractor laptops with VPN access to CDE

2. Incomplete Data Flow Documentation:

Email containing cardholder data (customer service replies with card numbers)
Spreadsheets with card numbers (manual reconciliation processes)
Paper records not properly destroyed (mail-order forms, fax copies)
Screenshots or debugging logs inadvertently capturing PAN
Ticketing systems storing cardholder data in support requests

3. Inadequate Segmentation Documentation:

Flat network architecture (everything in scope due to lack of isolation)
Weak firewall rules allowing any-to-any traffic
No segmentation testing or validation
Wireless networks bridging to CDE without controls
Insufficient VLAN separation

Deliverables {#stage-2-deliverables}

Complete CDE inventory with all in-scope systems (asset tags, IP addresses, OS versions, patch levels)
Network diagrams with CDE boundaries clearly marked and color-coded
Data flow diagrams for all payment channels (card-present, e-commerce, mail/telephone order, mobile)
Network segmentation architecture documentation
Scoping justification document (rationale for in-scope and out-of-scope determinations)
Scope reduction roadmap (tokenization, P2PE, or segmentation project plans if applicable)

Stage 3: Network Segmentation Validation & Firewall Configuration (3-7 days) {#stage-3-network-segmentation}

PCI DSS Network Segmentation Requirements {#network-segmentation-requirements}

Requirement 1: Install and maintain network security controls (NSCs)

Key sub-requirements:

1.2.1: Configuration standards defined and implemented for all NSCs
1.2.5: Configuration reviews at least every 6 months
1.3.1: Inbound traffic to CDE restricted to authorized sources
1.4.2: Outbound traffic from CDE restricted to authorized destinations
1.5.1: Security features enabled on all NSCs (logging, alerts, anti-spoofing)

Network Segmentation Benefits: Properly implemented and validated network segmentation removes entire network zones from PCI scope, dramatically reducing compliance burden.

Critical Rule: Segmentation Validation Required Segmentation must be validated through annual penetration testing (Requirement 11.4.5) to confirm out-of-scope systems cannot reach CDE.

Firewall Rule Best Practices {#firewall-rule-best-practices}

Default Deny Policy Required: All firewall rules must follow "deny-all, permit-by-exception" approach.

Example CDE Firewall Ruleset (Inbound to Payment Application Server):

Rule	Source	Destination	Protocol/Port	Justification	Approved By	Review Date
1	Load Balancer (10.10.10.5)	Payment App (10.20.30.10)	TCP/443 (HTTPS)	Customer payment form submission	Security Manager	2025-06-01
2	Payment App (10.20.30.10)	Database (10.20.30.20)	TCP/5432 (PostgreSQL)	Store tokenized transaction records	Security Manager	2025-06-01
3	Jump Host (10.5.5.5)	Payment App (10.20.30.10)	TCP/22 (SSH)	Administrative access for maintenance	CISO	2025-06-01
4	Payment App (10.20.30.10)	SIEM (10.50.50.10)	UDP/514 (Syslog)	Security event logging and monitoring	Security Manager	2025-06-01
5	Payment App (10.20.30.10)	Payment Gateway (203.0.113.50)	TCP/443 (HTTPS)	Authorization requests to processor	Security Manager	2025-06-01
999	ANY	ANY	ANY	DENY ALL	Security Manager	2025-06-01

Each Firewall Rule Requires:

Source IP address/network range and destination IP/network range
Protocol and specific port number (avoid "any")
Business justification for the connection
Approval by authorized personnel (documented)
Review at least every 6 months with re-approval

Requirement 1.2.7: Protocols Between Trusted/Untrusted Networks For traffic from Internet to CDE, document:

Legitimate business reason for each allowed protocol
Specific protocols and ports in use
Security features enabled (TLS 1.2+, authentication mechanisms)

Network Segmentation Implementation {#network-segmentation-implementation}

Use our Subnet Calculator for:

VLAN design and IP address allocation
Network zone planning (DMZ, CDE, Internal, Management, Guest)
Subnet mask calculations for firewall rules
CIDR notation for access control lists

Recommended Network Zone Architecture:

Zone 1: Internet (Untrusted)

Public internet
Potential attackers
No direct CDE access

Zone 2: DMZ (Semi-Trusted)

Public-facing web servers
Load balancers
SSL/TLS termination points
Reverse proxies
Limited inbound: TCP/443, TCP/80 (redirect to 443)
Strict outbound to CDE

Zone 3: CDE (Most Restricted)

Payment application servers
Databases storing PAN (encrypted)
Payment processing systems
Deny-all default policy
Only explicitly permitted connections

Zone 4: Internal Corporate (Out of Scope)

Employee workstations
File servers
Email servers
NO connectivity to CDE (verified by penetration testing)

Zone 5: Management (Privileged)

Jump hosts/bastion hosts
Administrative workstations
SIEM and logging systems
Security tools
MFA required for all access

Wireless Network Requirements {#wireless-network-requirements}

If wireless networks exist in the environment:

Change all default SSIDs and passwords on wireless access points
Enable WPA2 or WPA3 with strong encryption (AES)
Separate wireless networks from CDE (guest Wi-Fi MUST NOT access CDE)
Disable SSID broadcast if feasible
Rotate wireless encryption keys quarterly (if using shared keys)
Implement 802.1X authentication for corporate wireless networks

Recommendation for High-Security Environments: Prohibit ALL wireless access to CDE. Require wired connections only for CDE access.

Segmentation Testing and Validation {#segmentation-testing}

Requirement 11.4.5: Segmentation Controls Validated Annually Penetration testing must validate segmentation effectiveness at least annually and after any significant infrastructure changes.

Segmentation Testing Methodology:

Step 1: Select Test Systems Choose representative sample of out-of-scope systems:

Employee workstations (corporate VLAN)
Guest Wi-Fi connected devices
Partner extranet systems
Contractor remote access systems

Step 2: Attempt CDE Connections From each test system, attempt to:

Connect to CDE systems via all protocols (HTTP/HTTPS, SSH, RDP, database ports)
Access CDE applications directly
Pivot through intermediate systems to reach CDE
Scan for open ports on CDE systems

Step 3: Document Results All successful connections indicate segmentation failure:

Which system successfully connected
What protocol/port was used
Path taken (direct or pivoted)
Screenshot evidence
Impact assessment

Example Test Cases:

Can employee laptop on corporate VLAN reach payment database on TCP/5432? Should fail
Can guest Wi-Fi user connect to POS terminal on TCP/22? Should fail
Can developer workstation SSH to production payment server? Should fail (unless explicitly authorized)
Can internet-facing web server directly access internal database without application tier? Should fail

If Segmentation Testing Fails:

All connected systems immediately become in-scope (compliance burden increases)
Fix segmentation controls (add firewalls, configure VLANs, implement ACLs)
Re-test until validation succeeds
Update network diagrams and scope documentation
Extend PCI controls to newly in-scope systems

Deliverables {#stage-3-deliverables}

Complete firewall ruleset documentation (all rules with business justifications)
Network segmentation architecture diagram with zones clearly defined
Segmentation penetration testing report (annual validation)
Configuration standards for network security controls
Wireless network security policy and configuration documentation (if applicable)
6-month firewall rule review schedule and process

Stage 4: Encryption Validation - Data in Transit and At Rest (3-5 days) {#stage-4-encryption-validation}

Data in Transit Requirements {#data-in-transit-requirements}

PCI Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks

Requirement 4.2.1: Strong Cryptography Mandatory

Approved Protocols (2025):

TLS 1.2 (minimum, mandatory)
TLS 1.3 (preferred, latest standard)
SSH v2 for administrative access
IPsec VPN with AES-256 for site-to-site connections

Prohibited Protocols (as of March 31, 2025):

SSL v2, SSL v3 (completely deprecated)
TLS 1.0, TLS 1.1 (no longer PCI compliant)
RC4, 3DES, MD5 cipher suites
Any protocol using weak cryptography

Requirement 4.2.1.2: Cipher Suite Requirements Encryption must use strong cryptographic algorithms:

Key Exchange: ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) for perfect forward secrecy
Encryption: AES-128-GCM or AES-256-GCM
Hashing: SHA-256 or stronger (NOT MD5 or SHA-1)

Example Strong Cipher Suites:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_AES_256_GCM_SHA384 (TLS 1.3)
TLS_AES_128_GCM_SHA256 (TLS 1.3)

TLS Configuration Testing {#tls-configuration-testing}

Use our X.509 Decoder to:

Validate TLS version (must be 1.2 or 1.3)
Check cipher suite strength and configuration
Identify weak or deprecated protocols
Verify certificate validity and certificate chain
Test for SSL/TLS vulnerabilities (POODLE, BEAST, Heartbleed)

Testing Procedure:

Step 1: Scan All External-Facing Payment Systems Test EVERY endpoint transmitting cardholder data:

E-commerce checkout pages (https://store.example.com/checkout)
Payment APIs (https://api.example.com/payments)
Virtual terminals (https://vt.example.com)
Mobile app backend services
Third-party integration webhooks receiving payment data

Step 2: Verify TLS 1.2+ Exclusive Support

# Using OpenSSL command line to test TLS versions
openssl s_client -connect payment.example.com:443 -tls1_2
# Should succeed with connection established

openssl s_client -connect payment.example.com:443 -tls1_1
# Should FAIL with error (connection refused or protocol not supported)

Step 3: SSL Labs Validation Run Qualys SSL Labs scan (https://www.ssllabs.com/ssltest/) and verify:

Overall grade: A or A+ (B or lower = non-compliant)
Protocol Support: TLS 1.2 and 1.3 only
Cipher Strength: 256-bit or 128-bit AES minimum
Forward Secrecy: Yes (ECDHE key exchange)
Vulnerabilities: None detected (POODLE, BEAST, Heartbleed, CRIME, etc.)

Data at Rest Encryption Requirements {#data-at-rest-requirements}

PCI Requirement 3: Protect stored cardholder data

Requirement 3.3.1: Stored PAN Must Be Unreadable Choose one of the following methods:

Option 1: One-Way Hashing (Preferred for Verification)

Use strong cryptographic hash (SHA-256 or stronger) with unique salt
Cannot reverse hash to retrieve original PAN
Suitable for validation/lookup (checking duplicate transactions, fraud detection)
NOT suitable if you need to retrieve original card number

Option 2: Truncation (Display Only)

Show only first 6 and last 4 digits (BIN + last 4)
Example: 4111 11XX XXXX 1111
Suitable for receipts, customer service lookup, transaction history display
NOT encryption (cannot retrieve full PAN)

Option 3: Index Tokens (Tokenization - Highly Recommended)

Replace PAN with randomly generated token
Token stored in merchant database; actual PAN stored in secure token vault at processor
Reversible (can retrieve PAN via detokenization API if needed)
Providers: Stripe, Braintree, TokenEx, Spreedly
Cost: 2-5 cents per tokenization
Significantly reduces PCI scope

Option 4: Strong Cryptographic Encryption (If You Must Store PAN)

AES-256 or AES-128 encryption (minimum standard)
Encryption keys stored SEPARATELY from encrypted data (critical requirement)
Key management system required (see Requirement 3.6)

Requirement 3.4.2: Disk Encryption NOT Sufficient Alone (New in v4.0) Organizations must use disk-level/partition encryption PLUS one of the following:

File-level encryption
Column-level database encryption
Application-level encryption before writing to storage

Why This Change:

Disk encryption only protects against physical theft
If operating system is compromised, disk encryption provides no protection
Application-layer encryption protects even if OS is breached

Encryption Key Management {#encryption-key-management}

PCI Requirement 3.6 & 3.7: Cryptographic Key Management

Requirement 3.6.1: Key Management Procedures Must Include:

1. Key Generation:

Use cryptographically secure random number generators (FIPS 140-2 compliant)
Minimum key strength: AES-256 or AES-128
Generate in secure, offline environment or Hardware Security Module (HSM)

2. Key Distribution:

Encrypt keys during transmission (never transmit plaintext keys)
Use split knowledge (no single person has complete key)
Implement two-person control for key access
Document key custodians with role-based access controls

3. Key Storage:

Store keys in encrypted form using Key Encryption Keys (KEK)
Use HSM or secure key management system (AWS KMS, Azure Key Vault, Google Cloud KMS)
Physically secure key storage media
Separate storage location from encrypted data (NEVER same database/server)

4. Key Rotation:

Rotate encryption keys at least annually
Immediate rotation if key compromised or personnel with key access terminate employment
Re-encrypt data with new keys after rotation
Maintain key rotation documentation

5. Key Retirement and Destruction:

Securely destroy old keys after rotation grace period
Cryptographic erasure (overwrite with random data 3+ times)
Document destruction date, method, and personnel performing destruction

Requirement 3.7.1: Access to Encryption Keys Limited to Key Custodians

Role-based access control (RBAC)
Least privilege principle (only key custodians, not general developers or DBAs)
Multi-factor authentication required for key access
Comprehensive logging of all key access and usage

Key Management System Options:

Hardware Security Modules (HSMs): Thales, Utimaco, Gemalto (expensive: $10,000-$100,000+, highest security)
Cloud KMS: AWS KMS ($1/key/month), Azure Key Vault, Google Cloud KMS (cost-effective, managed service)
Open-Source: HashiCorp Vault (free, self-hosted, requires expertise)

Common Encryption Failures {#common-encryption-failures}

1. Storing Sensitive Authentication Data (Automatic Non-Compliance):

NEVER store CVV2/CVC2/CAV2 (3-digit security code) after authorization
NEVER store full magnetic stripe data (Track 1 or Track 2)
NEVER store PIN blocks
Even if encrypted, storing this data is prohibited

2. Weak Encryption Algorithms:

Using DES, 3DES, RC4 (all deprecated)
ECB cipher mode (insecure, use GCM or CBC with proper IV)
Hard-coded encryption keys in source code
Insufficient key length (less than 128 bits)

3. Keys Stored with Encrypted Data:

Encryption key in application.properties file on same server as encrypted database
Key in environment variable on database host
Defeats entire purpose of encryption (attacker gains both)

4. No Key Rotation Process:

Using same encryption key for 5+ years
No documented key rotation procedure
No process to re-encrypt data with new keys

5. Cleartext PAN in Logs:

Application logs containing full PAN
Error messages displaying cardholder data
Debug logs with unmasked card numbers
Configure applications to mask/truncate PAN in all logs

Deliverables {#stage-4-deliverables}

TLS configuration documentation (supported protocols, cipher suites, certificate details)
SSL Labs A/A+ rating screenshots for all payment endpoints
Data-at-rest encryption architecture document (which systems, which algorithms, key management)
Encryption key management policy and detailed procedures
Key custodian assignment documentation (names, roles, access controls)
Key rotation schedule (annual minimum) with automated reminders
Evidence of insecure protocol disablement (TLS 1.0/1.1 disabled, SSL disabled)

Stage 5: Access Control & Authentication Hardening (3-5 days) {#stage-5-access-control}

Access Control Requirements {#access-control-requirements}

PCI Requirement 7: Restrict Access to Cardholder Data by Business Need-to-Know

Requirement 7.2.1: Access Based on Job Function and Least Privilege Access to system components and data must be assigned based on:

Individual job function and responsibilities
Business need-to-know principle
Least privilege (minimum access necessary to perform job)

Example Role-Based Access Matrix:

Role	CDE Access	Full PAN Access	Database Access	Admin Rights	MFA Required
Payment App Admin	Yes	No (last 4 only)	Read-only	Yes	Yes (TOTP)
Database Admin	Yes	No (encrypted only)	Full	Yes	Yes (hardware token)
Developer	No (dev/test only)	No	No	No	Yes (for VPN)
Customer Service	Limited	No (last 4 only)	No	No	Yes
QSA Auditor	Read-only	No (last 4 only)	Read-only logs	No	Yes
Finance Team	Query only	No (tokenized)	Read-only	No	Yes

Requirement 7.2.4: User Access Review Every 6 Months

Validate all users still require their current access level
Remove access for terminated employees immediately (same day)
Adjust access for role changes promptly
Document review with management approvals
Maintain review records for 3+ years

Multi-Factor Authentication Requirements {#multi-factor-authentication}

PCI Requirement 8: Identify Users and Authenticate Access to System Components

Requirement 8.3.1: Multi-Factor Authentication (MFA) Required For:

ALL access into the CDE (administrative AND user-level)
ALL remote access to entity's network (VPN, remote desktop)
ALL administrative access to system components

This is a significant change from PCI DSS v3.2.1, which only required MFA for remote access.

Acceptable MFA Methods:

Something you know (password) + something you have (hardware token, smartphone app)
TOTP (Time-based One-Time Password): Google Authenticator, Microsoft Authenticator, Duo
Hardware security keys: Yubikey, Titan Security Key (FIDO2/WebAuthn)
Push notifications: Duo Push, Okta Verify
NOT acceptable: SMS-based codes (vulnerable to SIM swapping attacks)

Requirement 8.3.6: MFA Systems Must Prevent Replay Attacks

Time-based one-time passwords with 30-60 second validity window
Challenge-response tokens
FIDO2/WebAuthn cryptographic authentication
Nonce-based authentication

Password Requirements {#password-requirements}

Requirement 8.4.2: Password Complexity Standards

Minimum length: 12 characters (15+ characters recommended for extended validity)
Complexity: Mix of uppercase, lowercase, numbers, special characters
OR: Minimum 8 characters if system limitations prevent longer passwords (document limitations)
Password changed every 90 days (OR use 15+ character passwords with annual change)

Use our Password Strength Checker to:

Validate password complexity meets PCI 12+ character requirement
Test against common password databases
Identify weak passwords before deployment
Educate users on password strength

Use our Secure Password Generator to:

Generate PCI-compliant passwords (12-15+ characters)
Create secure random passwords for service accounts
Generate passphrases for administrator accounts

Requirement 8.4.3: Password History Requirements

Remember last 4 passwords minimum
Users cannot reuse any of the previous 4 passwords
Prevents password cycling to return to familiar password

Requirement 8.5.1: Default Credentials Must Be Changed Before deploying to production:

Change default usernames (admin, root, sa, administrator)
Change default passwords provided by vendors
Applies to: Operating systems, databases, applications, network devices, POS terminals, firewalls, routers

Privileged Access Management {#privileged-access-management}

Requirement 8.6.1: Service Accounts and Shared Accounts All non-personal accounts must be:

Documented with business justification
Approved by management before creation
Subject to same password and MFA requirements as user accounts
Interactive login disabled where possible (use API keys, certificates instead)

Requirement 8.6.3: Privileged Password Changes Change privileged account passwords:

At least every 90 days
Immediately when personnel with knowledge of password leave organization or change roles
After any suspected compromise

Privileged Access Monitoring:

Log all privileged account usage with timestamps
Generate alerts on after-hours privileged access
Review logs weekly for suspicious activity (lateral movement, privilege escalation attempts)
Correlate privileged access with change management tickets

User Access Review Process {#user-access-review-process}

Semi-Annual Access Review Procedure (Every 6 Months):

Step 1: Generate User Access Report

Export all users with CDE access from Active Directory, IAM systems, application databases
Include: Username, role, access level, last login date, manager
Flag inactive accounts (no login in 90+ days)
Highlight recently added users (verify need)

Step 2: Manager Review and Approval

Department managers review their team members' access levels
Approve current access OR request modifications
Document approval in email, ticketing system, or access review platform
Set deadline for review completion (30 days typical)

Step 3: Remediation Actions

Remove access for terminated employees (should have been done immediately, this is verification)
Disable inactive accounts (no login in 90+ days)
Adjust access for role changes (promotions, transfers, role modifications)
Document all changes in change management system

Step 4: Documentation and Audit Trail

Compile access review report with all manager approvals
Document remediation tickets and completion dates
Store evidence for minimum 3 years (some banks require 5-7 years)
Present summary to executive management

Deliverables {#stage-5-deliverables}

Access control policy document with RBAC matrix and job function definitions
Complete user access list (all CDE users with roles, permissions, last login dates)
MFA implementation documentation (which systems, which MFA methods, enrollment rates)
Semi-annual access review reports with manager approvals and signatures
Privileged account inventory (service accounts, shared accounts, administrative accounts)
Password policy documentation (complexity, expiration, history requirements)

Stage 6: Quarterly Vulnerability Scanning (Ongoing - Every 90 Days) {#stage-6-vulnerability-scanning}

PCI DSS Vulnerability Scanning Requirements {#vulnerability-scanning-requirements}

Requirement 11.3.1: External Vulnerability Scans Quarterly

Must use PCI-approved Approved Scanning Vendor (ASV) from PCI SSC list
Scan all external-facing IP addresses in scope (internet-accessible systems)
Quarterly frequency (every 90 days) without exception
After ANY significant change (new firewall rule, OS update, application deployment)

Requirement 11.3.2: Internal Vulnerability Scans Quarterly

Can use internal tools OR third-party scanners (ASV not required for internal scans)
Scan all internal systems within CDE
Quarterly frequency (every 90 days)
After significant infrastructure or application changes

Requirement 11.3.1.2: Authenticated Scans Mandatory (New in v4.0, Required as of March 31, 2025)

Internal scans must be authenticated scans (credentialed scanning)
Scanner logs into systems using read-only administrative credentials
Checks for missing patches, configuration vulnerabilities, local security issues
Unauthenticated scans miss 30-50% of vulnerabilities

Requirement 11.3.1.3: Passing Scan Results Required

No vulnerabilities rated CVSS 4.0 or higher (Critical or High severity)
Medium and Low vulnerabilities acceptable but should be tracked for remediation
Must re-scan after remediation to confirm fixes successful

Approved Scanning Vendors {#approved-scanning-vendors}

Top PCI-Approved ASV Providers:

Qualys ($1,500-$3,000/year for quarterly external scans)
Trustwave ($1,200-$2,500/year)
Rapid7 InsightVM ($2,000-$4,000/year)
Tenable Nessus Professional ($2,390/year)
SecurityMetrics ($1,500-$3,000/year)
ControlScan ($1,800-$3,500/year)

Verify ASV is on current PCI SSC Approved Scanning Vendor list: https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors

ASV Scan Process:

Provide ASV with in-scope external IP address ranges (e.g., 203.0.113.0/24)
Schedule scan during maintenance window or low-traffic period
ASV performs automated scan (typically 2-4 hours for 10-50 IPs)
Receive scan report (100-500 pages typical)
Review findings and remediate critical/high vulnerabilities
Request re-scan (usually 1-2 free re-scans included per quarter)
Achieve passing scan status (no CVSS 4.0+ vulnerabilities)
Download ASV Attestation of Scan Compliance (submit to acquiring bank)

Internal Vulnerability Scanning Tools {#internal-scanning-tools}

Commercial Vulnerability Scanners:

Tenable Nessus Professional ($2,390/year) - Industry standard, comprehensive coverage
Qualys VMDR ($1,995+/year) - Cloud-based, continuous monitoring option
Rapid7 InsightVM ($2,000+/year) - Real-time vulnerability monitoring
Greenbone OpenVAS (open-source, free but requires significant expertise)

Cloud-Native Vulnerability Scanners:

AWS Inspector (for AWS EC2, Lambda, ECR) - $0.30-$0.50 per assessment
Azure Defender for Cloud (for Azure VMs) - $15/server/month
Google Cloud Security Command Center (for GCP) - $5-$50/resource/month

Vulnerability Remediation Workflow {#vulnerability-remediation-workflow}

Step 1: Scan Execution

External ASV scan preparation:

Schedule during maintenance window to minimize business impact
Notify firewall/IDS team to whitelist ASV source IPs (prevent scan blocking)
Ensure all in-scope external IPs are included
Typical scan duration: 2-4 hours for 10-50 IP addresses

Internal authenticated scan preparation:

Deploy scanner on internal network (same VLAN as CDE if possible)
Provide domain administrator credentials or read-only admin accounts
Configure scanner for authenticated scan mode
Scan all CDE servers, databases, payment applications, network devices

Step 2: Results Analysis

Use our CVE Vulnerability Search to:

Research specific CVE numbers found in scan reports
Understand CVSS severity scores (0-10 scale)
Review exploitability and public exploit availability
Determine remediation priority and urgency

Example vulnerability findings:

Vulnerability	CVE	CVSS Score	Severity	Affected System	Remediation
Apache HTTP Server Remote Code Execution	CVE-2021-41773	9.8	Critical	Web Server (10.20.30.10)	Upgrade to Apache 2.4.51+
OpenSSL Weak TLS Versions	CVE-2021-3449	7.5	High	Payment Gateway (203.0.113.10)	Disable TLS 1.0/1.1, upgrade OpenSSL to 1.1.1+
Windows Missing Security Patches	Multiple	7.2	High	Database Server (10.20.30.20)	Install latest Microsoft security updates
Self-Signed SSL Certificate	N/A	5.3	Medium	Internal Admin Portal	Replace with CA-signed certificate
Weak SSH Ciphers Enabled (3DES)	N/A	4.3	Medium	Linux Servers (10.20.30.x)	Disable 3DES and weak ciphers in sshd_config

Step 3: Remediation Prioritization

Use our Risk Matrix Calculator to:

Prioritize vulnerability remediation by risk score
Calculate risk = likelihood × impact
Document risk acceptance decisions for low-priority vulnerabilities

PCI Remediation Timeline (Requirement 6.3.3):

Critical (CVSS 9.0-10.0): Within 7 days (immediate action required)
High (CVSS 7.0-8.9): Within 30 days (PCI requirement)
Medium (CVSS 4.0-6.9): Within 90 days (tracked but acceptable for passing scan)
Low (CVSS 0.1-3.9): Risk-based remediation (document acceptance if not fixing)

Step 4: Patching and Re-testing

Patch management process:

Test patches in development/staging environment first
Schedule change control window (maintenance window with stakeholder approval)
Apply patches to production CDE systems
Verify application functionality (confirm payment processing still works)
Request ASV re-scan (external) or execute internal re-scan
Validate passing scan status (all CVSS 4.0+ vulnerabilities resolved)

Step 5: Documentation and Evidence Collection

Required documentation for PCI auditors:

Quarterly scan reports (all quarters, showing pass/fail status and dates)
Vulnerability remediation tickets from change management system (Jira, ServiceNow)
Re-scan reports demonstrating vulnerabilities fixed
ASV Attestation of Scan Compliance (quarterly, one per quarter)
Compensating controls documentation (if any vulnerabilities cannot be patched)

Quarterly Scanning Calendar {#quarterly-scanning-calendar}

Best Practice Schedule:

Quarter	Scan Window	Remediation Window	Rescan Window	ASV Attestation Due
Q1 2025	Jan 1-15	Jan 16-Feb 15	Feb 16-28	March 1
Q2 2025	Apr 1-15	Apr 16-May 15	May 16-31	June 1
Q3 2025	Jul 1-15	Jul 16-Aug 15	Aug 16-31	Sept 1
Q4 2025	Oct 1-15	Oct 16-Nov 15	Nov 16-30	Dec 1

Rationale: Scan in first two weeks of quarter, allowing 4-6 weeks for remediation and 2 weeks for re-scanning before quarter ends. This prevents last-minute scrambles.

Deliverables {#stage-6-deliverables}

Quarterly external ASV scan reports (all four quarters, passing attestations)
Quarterly internal authenticated vulnerability scan reports
Vulnerability remediation tracking spreadsheet or dashboard
Re-scan evidence showing before/after vulnerability status
ASV Attestation of Scan Compliance for each quarter (submit to acquiring bank)
Compensating controls documentation (if any vulnerabilities cannot be remediated)

Stage 7: Annual Penetration Testing (Once Per Year + After Significant Changes) {#stage-7-penetration-testing}

PCI DSS Penetration Testing Requirements {#penetration-testing-requirements}

Requirement 11.4.1: Penetration Testing at Least Annually

Frequency: Once per year minimum (12-month cycle)
Trigger: Any significant infrastructure or application upgrade/change
Scope: Network-layer, application-layer, and segmentation controls

Requirement 11.4.2: Methodology Must Be Defined and Documented

Industry-accepted approach required (OWASP, PTES, NIST SP 800-115, OSSTMM)
Based on current threat landscape and organizational risk profile
Includes both external and internal testing
Documents attack scenarios and exploitation techniques used

Requirement 11.4.3: Network-Layer Penetration Testing

Tests network infrastructure (firewalls, routers, switches, VPN)
Validates segmentation controls effectiveness
Includes wireless network testing (if applicable)
Tests from both outside (internet) and inside (internal network) perspectives

Requirement 11.4.4: Application-Layer Penetration Testing

Tests all web applications processing cardholder data
Covers OWASP Top 10 vulnerabilities and CWE Top 25 weaknesses
Includes injection attacks (SQL injection, XSS, command injection)
Tests authentication, session management, and authorization
API security testing (REST, SOAP, GraphQL)

Requirement 11.4.5: Network Segmentation Validation

Validates segmentation controls successfully isolate CDE from other networks
Tests from out-of-scope systems attempting unauthorized CDE access
Confirms firewall rules are effective and properly configured
Documents any segmentation bypasses discovered

Requirement 11.4.7: Qualified Personnel Required Penetration testing must be performed by:

Qualified internal security resources with recognized certifications
OR external third-party penetration testing firm
Required certifications: OSCP, GPEN, GWAPT, CEH, or equivalent
PCI DSS-specific experience strongly recommended

Penetration Testing Methodology {#penetration-testing-methodology}

Phase 1: Planning and Reconnaissance (1-2 days)

Define detailed scope (CDE systems, IP ranges, applications in scope)
Identify attack scenarios (external attacker, malicious insider, compromised employee account)
Review network diagrams and previous penetration test reports
Establish rules of engagement (testing hours, emergency contacts, out-of-scope systems, data handling)

Phase 2: Network-Layer Penetration Testing (2-4 days)

External network testing:

Port scanning to identify exposed services and open ports
Vulnerability exploitation using Metasploit Framework and custom exploits
SSL/TLS configuration testing (weak ciphers, protocol vulnerabilities, certificate issues)
VPN security testing (authentication bypass attempts, weak encryption)
Firewall rule bypass testing

Internal network testing:

Lateral movement from compromised workstation to CDE systems
Privilege escalation to gain administrator/root access
Credential harvesting (mimikatz, pass-the-hash, pass-the-ticket attacks)
Segmentation bypass testing (VLAN hopping, firewall evasion, tunneling)
Active Directory exploitation (Kerberoasting, Golden Ticket, DCSync)

Phase 3: Application-Layer Penetration Testing (3-5 days)

Web Application Testing (OWASP Top 10 2021):

SQL Injection - Attempt to extract database contents including cardholder data
Cross-Site Scripting (XSS) - Steal session tokens and authentication cookies
Cross-Site Request Forgery (CSRF) - Force authenticated users to perform unintended actions
Broken Authentication - Test password policies, session management, account lockout
Security Misconfiguration - Default credentials, verbose error messages, unnecessary services
Insecure Deserialization - Remote code execution via malicious serialized objects
XML External Entity (XXE) - File disclosure and SSRF via XML parsing vulnerabilities
Server-Side Request Forgery (SSRF) - Access to internal systems via vulnerable application

API Security Testing:

Insecure Direct Object References (IDOR) - Access unauthorized user transactions
Mass assignment vulnerabilities - Modify protected fields
Authentication and authorization bypass
Rate limiting bypass for brute force attempts
API key exposure and privilege escalation

Payment Application Specific:

Parameter tampering (modify transaction amounts, recipient accounts)
Business logic flaws (double-spend, refund manipulation, discount abuse)
PAN leakage in API responses, error messages, or debug output
Insufficient logging of critical payment transactions

Phase 4: Segmentation Validation Testing (1-2 days)

Attempt connections from out-of-scope networks (corporate LAN, guest Wi-Fi, partner extranet)
Try to reach CDE systems via all protocols (HTTP/HTTPS, SSH, RDP, database ports)
Document any successful connections (indicates segmentation failure)
Verify firewall deny-all policies are enforced
Test for tunneling and encapsulation bypass techniques

Phase 5: Reporting and Remediation (2-3 days)

Compile detailed findings report (typically 100-200 pages)
Executive summary for leadership (1-2 pages, business impact focus)
Technical findings with severity ratings (Critical/High/Medium/Low)
Proof-of-concept screenshots and command output demonstrating exploits
Remediation recommendations with specific implementation guidance
Remediation timeline based on risk severity

Penetration Testing Costs {#penetration-testing-costs}

Engagement Type	Duration	Typical Cost Range
Network penetration test only	5-10 days	$15,000 - $30,000
Application penetration test (1-2 apps)	5-10 days	$12,000 - $25,000
Comprehensive (network + application + segmentation)	10-20 days	$25,000 - $60,000
Level 1 merchant full assessment	15-30 days	$40,000 - $100,000
Ongoing annual retainer (quarterly testing)	12 months	$50,000 - $150,000/year

Cost factors:

Scope complexity (number of IPs, applications, network zones)
Infrastructure type (on-premises, cloud, hybrid, multi-cloud)
Compliance requirements (PCI DSS, HIPAA, SOC 2 combined)
Tester qualifications (OSCP, GPEN command premium rates)
Geography (on-site testing increases costs)

Common Penetration Testing Failures {#penetration-testing-failures}

1. Insufficient Scope:

Only testing public-facing website, ignoring internal CDE infrastructure
Skipping API testing when many payment operations use APIs
Not validating network segmentation controls
Excluding cloud infrastructure from scope

2. Automated Scans Misrepresented as Penetration Tests:

Running Nessus or Qualys vulnerability scan and calling it "penetration testing"
No manual exploitation attempts or validation
No business logic testing or application workflow analysis
This does NOT meet PCI requirements for penetration testing

3. Findings Ignored or Not Remediated:

Penetration test report filed away without action
Critical vulnerabilities not fixed before next annual test
Same findings appearing year after year
No tracking system for remediation progress

4. Unqualified Penetration Testers:

Hiring low-cost testers without PCI DSS experience
Using internal IT staff without penetration testing training or certifications
No recognized industry certifications (OSCP, GPEN, GWAPT, CEH)
Testers unfamiliar with payment card processing flows

Deliverables {#stage-7-deliverables}

Penetration testing methodology document approved before testing begins
Comprehensive penetration test report (executive summary + detailed technical findings)
Network segmentation validation results with test evidence
Application vulnerability findings mapped to OWASP Top 10 and CWE Top 25
Prioritized remediation plan with timelines based on severity
Re-test report after critical and high findings remediated (confirming fixes)

Stage 8: Policy, Procedure & Security Awareness Training (2-4 days) {#stage-8-policy-and-training}

Policy and Procedure Requirements {#policy-requirements}

PCI Requirement 12: Maintain Information Security Policy

Requirement 12.1: Information Security Policy Must:

Address all PCI DSS requirements comprehensively
Be reviewed at least annually and updated as needed
Be approved by executive management or board of directors
Be disseminated to all personnel (employees, contractors, third parties)

Required Policy Documents:

1. Information Security Policy (Master Document)

Overarching security strategy and governance
Roles and responsibilities for security program
Security control framework and standards
Risk management approach
Incident response and business continuity
Policy review and update process

2. Acceptable Use Policy (Requirement 12.2.1)

Defines acceptable use of end-user technologies (laptops, mobile devices, email, internet)
Prohibits storing cardholder data on personal devices or unauthorized systems
Remote access requirements (MFA mandatory, VPN usage, acceptable locations)
Consequences for policy violations

3. Access Control Policy (Requirement 7)

Role-based access control (RBAC) framework
Least privilege principle implementation
Access request and approval process
User access review procedures (semi-annual)
Account provisioning and deprovisioning workflows

4. Network Security Policy (Requirement 1)

Firewall configuration standards (deny-all, permit-by-exception)
Network segmentation architecture and requirements
Wireless network security requirements
Remote access and VPN standards
Firewall rule review process (every 6 months)

5. Encryption and Key Management Policy (Requirements 3 & 4)

Data-at-rest encryption requirements (algorithms, key lengths)
Data-in-transit encryption standards (TLS 1.2+ mandatory)
Key generation, distribution, storage, rotation, and destruction procedures
Key custodian roles and responsibilities
Key access logging and monitoring

6. Vulnerability Management Policy (Requirement 11)

Quarterly external ASV scanning requirements
Quarterly internal authenticated scanning requirements
Annual penetration testing requirements
Vulnerability remediation timelines (7 days critical, 30 days high)
Patch management procedures and testing requirements

7. Change Management Policy (Requirement 6)

Change request and approval process
Testing requirements before production deployment
Rollback procedures for failed changes
Documentation standards for all changes
Emergency change procedures with post-implementation review

8. Incident Response Plan (Requirement 12.10)

Incident classification and severity levels
Response team roles and contact information (24/7 availability)
Incident detection and reporting procedures
Containment, eradication, and recovery steps
Forensic investigation and evidence preservation
Communication plan (internal, customers, acquiring bank, card brands, regulatory authorities, media)
Post-incident review and lessons learned process
Annual testing requirements

9. Vendor Management Policy (Requirement 12.8)

Third-party service provider (TPSP) identification and inventory
Due diligence and risk assessment before engagement
Contractual requirements (security responsibilities, PCI DSS compliance, breach notification)
Annual PCI DSS compliance validation from vendors (AOC, SAQ, or ROC)
Ongoing monitoring of vendor security posture
Vendor termination procedures and data return/destruction

10. Physical Security Policy (Requirement 9 - Card-Present Environments)

Facility access controls and badge systems
Visitor management and escort procedures
CCTV surveillance requirements
Media storage and destruction procedures
Secure disposal of documents containing cardholder data (shredding)

11. Data Retention and Destruction Policy (Requirement 3.2)

Business justification for data retention
Maximum retention periods for cardholder data
Secure deletion and destruction methods (cryptographic erasure, physical destruction)
Quarterly data retention reviews and purging
Documentation of destruction activities

Security Awareness Training Requirements {#security-awareness-training}

Requirement 12.6.1: Formal Security Awareness Program

All personnel receive training upon hire (within 30 days)
Annual refresher training mandatory (at least once every 12 months)
Training acknowledgment documented (signed or electronic confirmation)
Personnel understand and accept security responsibilities

Required Training Topics:

1. Cardholder Data Protection (Requirement 12.6.3)

What constitutes cardholder data (PAN, name, expiration, service code)
What is sensitive authentication data (CVV, magnetic stripe, PIN - NEVER store)
Proper handling procedures (encryption, access controls, secure disposal)
Data retention requirements and destruction procedures
Recognizing and reporting data handling violations

2. Phishing and Social Engineering Awareness (Requirement 12.6.3.1)

Recognizing phishing emails (suspicious senders, urgent language, unexpected attachments)
Vishing (voice phishing) - fraudulent phone calls requesting credentials or data
Pretexting - attackers impersonating authority figures (IT support, executives)
Reporting suspicious emails and phone calls to security team
Real-world examples and recent attack trends

3. Acceptable Use of Technology (Requirement 12.6.3.2)

Approved devices for CDE access (company-issued only, not personal BYOD)
Remote access requirements (MFA mandatory, VPN required, no public Wi-Fi)
Email and web browsing best practices (don't click suspicious links)
USB drives and removable media (encrypted only, malware scanning)
Mobile device security (encryption, screen lock, remote wipe capability)

4. Password Security Best Practices

Creating strong passwords (12+ characters, passphrases recommended)
Using password managers (1Password, LastPass, Bitwarden, Keeper)
Never sharing passwords or writing them down
Multi-factor authentication setup and proper usage
Recognizing credential harvesting attempts

5. Incident Recognition and Reporting

How to report security incidents (email, hotline, incident portal)
What constitutes a security incident (unauthorized access, malware, lost device, suspected breach, policy violation)
Importance of rapid reporting (every minute counts)
No retaliation policy for good-faith reporting
Confidentiality requirements during investigations

Training Delivery Methods:

Online training modules (30-60 minutes for initial, 15-30 minutes for annual)
In-person workshops and seminars
Video-based training with knowledge checks
Phishing simulation exercises (monthly or quarterly)
Lunch-and-learn sessions covering current threats
Posters and awareness campaigns
New hire orientation security briefing

Training Completion Tracking:

Employee	Role	Hire Date	Initial Training Completed	2024 Refresher	2025 Refresher	Phishing Simulation Click Rate
Jane Doe	Payment Admin	2020-01-15	2020-02-01	2024-01-10	2025-01-08	2% (1/50 simulations)
John Smith	Developer	2023-05-10	2023-06-01	2024-05-15	Due 2025-05-15	8% (4/50 - needs remediation)
Sarah Lee	Customer Service	2025-01-02	Due 2025-02-01	N/A	N/A	N/A (new hire)

Non-Compliance Remediation:

Employees overdue for training: Escalate to manager, restrict CDE access until training complete
High phishing simulation click rates: Additional targeted training, manager notification
Repeat training failures: Formal corrective action, potential role change

Vendor PCI Compliance Validation {#vendor-pci-compliance}

Requirement 12.8.5: Maintain TPSP List and Monitor Compliance

Third-Party Service Provider Inventory:

Vendor	Service Provided	PCI Assessment Type	Compliance Status	Last Validated	Next Review Due
Stripe	Payment Gateway	SAQ D Service Provider	Compliant (AOC on file)	2024-12-01	2025-12-01
AWS	Cloud Hosting (EC2, RDS)	Level 1 ROC	Compliant (PCI DSS certified)	2024-11-15	2025-11-15
SendGrid	Email (marketing)	SAQ C	Compliant (AOC on file)	2024-10-01	2025-10-01
Zendesk	Customer Support	No CHD processed	N/A - Out of scope	Annual review	2025-09-01

Annual TPSP Review Process:

Request updated AOC (Attestation of Compliance) or ROC summary
Verify current compliance status (compliant/non-compliant/in-progress)
Review any noted exceptions or compensating controls
Confirm written agreement addresses security responsibilities
Update contracts if needed (Data Processing Addendum, security terms, breach notification)
Document review date, reviewer name, and approval

If TPSP Becomes Non-Compliant:

Contact vendor immediately to understand timeline for remediation
Implement additional monitoring or compensating controls
Consider alternative vendors if prolonged non-compliance
Document risk acceptance and mitigation plan if continuing relationship
Escalate to executive management for high-risk vendors

Deliverables {#stage-8-deliverables}

Complete policy library (12+ policies covering all PCI DSS requirements)
Executive approval documentation (board meeting minutes, signature pages)
Security awareness training program materials (course content, slides, videos, quizzes)
Training completion reports (100% new hire training, 95%+ annual refresher target)
Phishing simulation results and trends (click rate tracking, remediation actions)
Third-party service provider inventory with current compliance status
Annual policy review schedule with assigned owners and due dates

Stage 9: Self-Assessment Questionnaire (SAQ) Completion & Attestation (3-7 days) {#stage-9-saq-completion}

SAQ Completion Process {#saq-completion-process}

The Self-Assessment Questionnaire is the final validation step, documenting that all PCI DSS requirements have been met.

Step 1: SAQ Type Confirmation Verify you're using the correct SAQ type based on your payment environment (refer back to Stage 1 classification). Using the wrong SAQ invalidates your entire compliance attestation.

Step 2: Systematic Question-by-Question Assessment

For each requirement in your SAQ:

Answer Yes (requirement met), No (not met), or N/A (not applicable)
Provide detailed evidence for all "Yes" responses
Document remediation plan with timeline for all "No" responses

Example SAQ D Questions with Evidence:

Requirement 1.2.1: Configuration standards for network security controls (NSCs) defined and implemented

Answer: Yes
Evidence:
- Document: Firewall Configuration Standard v2.0, approved 2025-01-15 by CISO
- Screenshot: Firewall rules documentation showing deny-all policy
- Review history: Last reviewed 2024-07-01 (semi-annual review requirement met)
- Location: SharePoint > Compliance > Policies > Network Security

Requirement 3.5.1: Disk encryption implemented with additional mechanism to protect stored PAN

Answer: Yes
Evidence:
- Primary control: PostgreSQL column-level encryption using AES-256
- Secondary control: BitLocker full-disk encryption on database server
- Key management: AWS KMS for encryption key storage (separate from encrypted data)
- Configuration screenshots: Database encryption settings, KMS key policy
- Alternative if no PAN storage: "N/A - We use tokenization only; no PAN stored (Stripe tokenization AOC attached)"

Requirement 8.3.1: Multi-factor authentication implemented for all CDE access

Answer: Yes
Evidence:
- MFA system: Duo Security deployed across all CDE access points
- Coverage: VPN (required), SSH (required), payment application login (required), database access (required)
- Enrollment: 100% of CDE users enrolled (Duo enrollment report attached)
- Configuration: TOTP with 30-second validity, replay protection enabled
- Logs: MFA authentication events logged to SIEM (sample log extract attached)

Step 3: Gap Remediation for "No" Responses

For every requirement answered "No":

Document the gap: Specifically identify what's missing
- Example: "MFA not configured for payment application web interface"
Create remediation project plan:
- Specific action: Integrate Okta MFA with payment application
- Implementation steps: Configure SAML SSO, test with pilot users, deploy to all users
- Resource requirements: 40 hours developer time, Okta licensing
- Budget: $2,000 setup + $5/user/month
Assign ownership:
- Responsible party: IT Director
- Accountable executive: CIO
- Support resources: Application development team
Establish timeline:
- Start date: February 1, 2025
- Milestones: SAML config (Feb 15), pilot testing (Feb 22), full rollout (March 1)
- Completion target: March 1, 2025 (within 30-day requirement)
Track progress:
- Weekly project status updates
- Blocker escalation to steering committee
- Change management approval before production deployment
Validate remediation:
- Test MFA functionality across all user roles
- Verify logging and monitoring operational
- Document configuration and update procedures
Update SAQ:
- Change "No" to "Yes" after successful implementation
- Attach new evidence (configuration screenshots, test results)
- Document completion date and validator

Common Remediation Examples:

Gap	Typical Timeline	Estimated Cost	Complexity
MFA deployment across CDE	2-4 weeks	$5-$15/user/month	Medium
TLS 1.2+ upgrade on legacy systems	1-2 weeks	Minimal (config change)	Low
File Integrity Monitoring (FIM) implementation	2-3 weeks	$2,000-$10,000	Medium
Web Application Firewall (WAF) deployment	3-6 weeks	$5,000-$50,000/year	High
Annual penetration test engagement	4-8 weeks to schedule	$15,000-$60,000	High
Network segmentation project	6-12 weeks	$20,000-$100,000	Very High

Step 4: Evidence Organization and Repository

Create systematic evidence repository:

Requirement	Control Description	Evidence Type	Evidence Location	Last Updated
1.2.1	Firewall configuration standards	Policy document	SharePoint > Policies > Network	2025-01-15
2.2.1	Server hardening standards	CIS benchmark reports	Tenable.sc dashboard	2025-01-10
3.4.1	PAN rendered unreadable	Database encryption screenshots	Confluence > PCI Docs	2025-01-05
6.3.3	Patch management	Quarterly vulnerability scans	Qualys VMDR > Reports	2024-12-15
8.3.1	Multi-factor authentication	MFA enrollment report	Duo Admin Portal > Users	2025-01-08
10.2.1	Audit log configuration	SIEM retention settings	Splunk > Settings > Indexes	2025-01-12
11.3.1	Quarterly vulnerability scans	ASV attestations	Trustwave Portal > Attestations	2024-12-30
11.4.1	Annual penetration test	Executive summary report	SharePoint > Compliance > PenTests	2024-11-20
12.6.1	Security awareness training	Training completion report	KnowBe4 > Reporting Dashboard	2025-01-06

Evidence Retention: PCI DSS requires maintaining all compliance documentation for at least 3 years. Some acquiring banks require 5-7 years.

Attestation of Compliance (AOC) {#attestation-of-compliance}

The AOC is a formal executive attestation certifying PCI DSS compliance.

AOC Form Sections:

Part 1: Merchant/Service Provider Information

Legal business name and DBA (Doing Business As)
Merchant ID or service provider ID (provided by acquiring bank)
Contact information (compliance officer name, email, phone)
Business address

Part 2: Executive Summary

Merchant level (1, 2, 3, or 4) or service provider level (1 or 2)
SAQ type completed (A, A-EP, B, B-IP, C, C-VT, P2PE-HW, D Merchant, or D Service Provider)
Assessment date range
Compliance status:
- Compliant: All applicable requirements met
- Non-Compliant: Gaps exist with remediation in progress
- Compliant with Legal Exception: Rare, requires legal justification

Part 3: Validation and Attestation Details

Confirmation of SAQ completion (all applicable requirements assessed)
Number of requirements: Applicable vs. Not Applicable
Compensating controls (if any) - list and justify each
Acknowledgment of responsibility for security of cardholder data
Understanding of consequences of non-compliance
Executive signature with authority (CEO, CFO, CISO, or designee)
Signature date (must be current)

Part 4: Action Plan for Non-Compliant Status If attestation status is "Non-Compliant":

List each non-compliant requirement by number
Describe current state and gap
Remediation action plan for each requirement
Assigned responsible party
Target completion date
Interim compensating controls (if applicable)
Overall target compliance date (typically 30-180 days)

Example Non-Compliance Action Plan Item:

Requirement 11.4.1 - Annual Penetration Test

Current State: Last penetration test completed 18 months ago (overdue)
Gap: No penetration test conducted in past 12 months
Remediation: Engage penetration testing firm; test scheduled February 15-26, 2025
Responsible Party: CISO (Jane Doe)
Budget: $35,000 approved
Target Completion: March 1, 2025
Interim Controls: Enhanced IDS/IPS monitoring, daily vulnerability scanning

AOC Submission Process {#aoc-submission-process}

Submit completed AOC and supporting documents to:

Acquiring Bank (Merchant Account Provider) - Primary recipient
- Annual submission required
- Include: AOC form, SAQ responses, ASV quarterly attestations, penetration test executive summary
- Submission method: Secure portal, encrypted email, or certified mail
Payment Brands (If Required by Merchant Level)
- Level 1 merchants: Submit to Visa, Mastercard, Amex, Discover compliance portals
- Level 2-4: Usually only acquiring bank submission required
Payment Processor/Gateway (May request copy)
- Stripe, Square, PayPal, Authorize.net may request AOC annually
- Maintains vendor compliance records

Submission Format and Timeline:

PDF format (scanned signatures acceptable)
Secure transmission required (encrypted email, HTTPS portal)
Include supporting documentation (ASV attestations mandatory, penetration test summary recommended)
Level 1 merchants: Continuous compliance with annual ROC submission plus quarterly attestations
Level 2-4 merchants: Annual AOC submission

Post-Submission:

Retain submission confirmation (email receipt, portal confirmation screenshot)
Calendar next year's assessment (12-month cycle)
Schedule quarterly ASV scans (90-day intervals)
Plan annual penetration test (book testing firm 3-6 months in advance)

Deliverables {#stage-9-deliverables}

Completed SAQ with all questions answered (Yes/No/N/A with evidence)
Attestation of Compliance (AOC) form signed by authorized executive
Comprehensive supporting documentation package:
- Quarterly ASV scan attestations (all four quarters)
- Annual penetration test executive summary
- Network diagram with CDE boundaries clearly marked
- Complete policy library (12+ policies)
- Security awareness training completion reports
- Access control review documentation
- Encryption validation evidence (TLS and data-at-rest)
Remediation action plan (if any non-compliant requirements)
Submission confirmation from acquiring bank (email or portal confirmation)
Calendar reminders for ongoing compliance activities (quarterly scans, annual test, annual SAQ)

Ongoing Maintenance and Continuous Compliance {#ongoing-maintenance}

PCI DSS compliance is not a one-time achievement but an ongoing operational requirement.

Weekly Activities:

Monitor SIEM for security events in CDE
Review failed login attempts and access violations
Check firewall logs for unauthorized access attempts
Validate backup success for CDE systems

Monthly Activities:

Review privileged account usage logs
Validate MFA enrollment remains at 100%
Check for new systems added to CDE (update inventory)
Review and approve firewall rule change requests
Security awareness phishing simulations

Quarterly Activities (Every 90 Days - Critical):

Execute external ASV vulnerability scans (mandatory)
Execute internal authenticated vulnerability scans (mandatory)
Remediate all CVSS 4.0+ vulnerabilities within 30 days
Obtain ASV attestation (submit to acquiring bank)
Review access controls and user permissions
Update network diagrams for any infrastructure changes

Semi-Annual Activities (Every 6 Months):

Formal user access review (all CDE users)
Firewall rule review and approval (all rules re-justified)
Policy review and updates (incorporate lessons learned)
Service provider compliance validation (verify TPSPs remain compliant)

Annual Activities (Every 12 Months - Mandatory):

Comprehensive penetration test (network + application + segmentation)
Complete SAQ and AOC submission to acquiring bank
Annual scoping exercise (validate CDE boundaries)
Security awareness training refresher (all personnel)
Policy comprehensive review and executive approval
DKIM key rotation (if using DKIM for email authentication)
Encryption key rotation assessment

As-Needed Activities:

Immediate: Respond to security incidents (follow incident response plan)
Infrastructure changes: Re-assess scope, update documentation, potentially re-scan
Personnel changes: Provision/deprovision access same day, update documentation
Vendor changes: Validate new vendor PCI compliance before go-live
Application updates: Regression testing, vulnerability assessment before deployment

PCI DSS Compliance Cost Summary {#pci-dss-cost-summary}

Understanding total cost of ownership helps with budget planning:

Initial Implementation Costs (Level 2-3 Merchant, SAQ D example):

Gap assessment and planning: $5,000-$15,000
Network segmentation project: $20,000-$50,000 (if required)
Firewall upgrades and configuration: $10,000-$30,000
Encryption implementation: $5,000-$20,000
MFA deployment: $5-$15/user (100 users = $500-$1,500)
Security awareness training platform: $2,000-$5,000
Penetration testing (initial): $25,000-$60,000
Consultant/QSA advisory: $15,000-$50,000
Total Initial: $50,000-$150,000

Annual Ongoing Costs:

ASV quarterly scanning: $1,500-$3,000/year
Internal vulnerability scanning tools: $2,500-$5,000/year
Annual penetration testing: $25,000-$60,000
MFA licensing: $5-$15/user/year ($500-$1,500 for 100 users)
SIEM or log management: $5,000-$20,000/year
Security awareness training: $20-$40/user/year ($2,000-$4,000 for 100 users)
Consultant/QSA advisory (if used): $10,000-$30,000/year
Staff time (compliance officer, IT security): $40,000-$80,000/year
Total Annual: $86,500-$203,500

ROI Justification:

Average data breach cost: $4.88 million (2025 Verizon DBIR)
PCI non-compliance fines: $5,000-$100,000/month
Compliance cost: $86,500-$203,500/year ($7,208-$16,958/month)
Breach prevention ROI: 2,388% to 5,640% (single breach avoided pays for 24-57 years of compliance)

Key Takeaways and Next Steps {#key-takeaways}

Critical Success Factors:

Executive Sponsorship is Mandatory
- PCI compliance requires budget, personnel, and priority
- Executive champion (CIO, CISO, or CFO) must drive program
- Board-level awareness and support for large organizations
Scope Reduction First, Compliance Second
- Tokenization or P2PE can reduce compliance burden by 70-90%
- Evaluate scope reduction before investing in full compliance program
- Smaller CDE = lower costs and simpler maintenance
Phased Implementation Over Time
- Don't attempt everything simultaneously
- Quick wins first (MFA, TLS upgrades, policy documentation)
- Complex projects later (network segmentation, penetration testing)
- Timeline: 3-18 months depending on merchant level and starting point
Documentation is Evidence
- If it's not documented, it didn't happen (auditor perspective)
- Maintain comprehensive evidence repository
- Retain documentation for 3+ years minimum
Continuous Compliance, Not Annual Checkbox
- Quarterly vulnerability scanning non-negotiable
- Ongoing monitoring and incident response required
- Infrastructure changes trigger re-assessment and potentially re-scoping

Your Implementation Roadmap:

Week 1-2: Assessment and Planning

Determine merchant level and SAQ type using Compliance Readiness Checklist
Budget planning with Cybersecurity Budget Calculator
Secure executive sponsorship and project approval

Week 3-5: Quick Wins

Enable MFA on all CDE access (Requirement 8.3.1)
Upgrade TLS to 1.2+ on all payment endpoints (use X.509 Decoder)
Implement deny-all firewall policies with explicit permits
Begin quarterly vulnerability scanning (engage ASV)

Week 6-12: Core Requirements

Complete CDE mapping and network segmentation design
Implement encryption for data at rest and in transit
Deploy SIEM or centralized logging
Develop policy library (12+ required policies)
Launch security awareness training program

Week 13-20: Advanced Controls

Execute network segmentation penetration testing
Configure file integrity monitoring (FIM) on CDE systems
Implement automated patch management
Complete user access reviews
Validate vendor PCI compliance

Week 21-26: Validation and Attestation

Execute comprehensive annual penetration test
Remediate all critical and high vulnerabilities
Complete SAQ with full evidence package
Obtain executive sign-off on AOC
Submit to acquiring bank

Ongoing: Continuous Compliance

Quarterly ASV scans (every 90 days)
Semi-annual access reviews and policy reviews
Annual penetration testing and SAQ updates
Real-time security monitoring and incident response

Where to Start Today:

Assess Current State: Use our Compliance Readiness Checklist to identify your merchant level, appropriate SAQ type, and initial gap analysis
Network Planning: Use Subnet Calculator to design network segmentation and VLAN architecture
Encryption Validation: Test all payment endpoints with X.509 Decoder to identify weak TLS configurations
Budget Planning: Calculate total program cost with Cybersecurity Budget Calculator
Continuous Monitoring: Bookmark CVE Vulnerability Search and Risk Matrix Calculator for ongoing vulnerability management

Need Expert Guidance?

PCI DSS compliance is complex and high-stakes. If you're feeling overwhelmed, consider:

Engaging a Qualified Security Assessor (QSA) for gap assessment and guidance
Hiring a PCI compliance consultant for program management
Partnering with managed security service provider (MSSP) for continuous monitoring
Joining PCI DSS community forums and attending compliance workshops

The investment in PCI DSS compliance protects your business from catastrophic data breaches, regulatory penalties, and loss of payment processing ability. The cost of compliance is a fraction of the cost of a breach.

Official PCI SSC Resources:

PCI DSS v4.0.1 Standard (March 2024): https://www.pcisecuritystandards.org/document_library/
Self-Assessment Questionnaires (SAQs): All 8 SAQ types with instructions
Prioritized Approach Tool: Step-by-step implementation guidance
PCI DSS Glossary: Definitions of technical terms

InventiveHQ Compliance Tools:

Compliance Readiness Checklist: PCI DSS framework assessment and gap analysis
Cybersecurity Budget Calculator: Estimate compliance program costs
Subnet Calculator: Network segmentation and VLAN design
X.509 Decoder: TLS configuration validation
Password Strength Checker: Validate 12+ character passwords
CVE Vulnerability Search: Research scan findings and CVSS scores
Risk Matrix Calculator: Prioritize vulnerability remediation

Industry Best Practices:

NIST Cybersecurity Framework 2.0 (2024): Complementary security framework
CIS Critical Security Controls v8: Foundational cybersecurity controls
OWASP Top 10 (2021): Web application security risks
SANS Critical Security Controls: Implementation guide

The journey to PCI DSS compliance is significant but achievable with proper planning, executive support, and systematic execution. Start with Stage 1 today and progress methodically through each stage. Your organization's payment security depends on it.