PCI DSS v4.0
The Payment Card Industry Data Security Standard (PCI DSS) is published and maintained by the PCI Security Standards Council, a body founded by the major card brands (Visa, Mastercard, American Express, Discover, and JCB). It defines the security requirements that any organization must meet if it processes, stores, or transmits payment card data — regardless of company size, transaction volume, or industry. Version 4.0 is the current release, representing the most significant revision to PCI DSS in over a decade. It introduces a customized approach that allows mature organizations to achieve requirements through alternative controls with documented validation, adds new requirements targeting phishing and e-commerce security, and expands multi-factor authentication requirements across the cardholder data environment. Compliance with PCI DSS v4.0 became mandatory in March 2024. Non-compliance carries significant consequences: fines from acquiring banks, increased transaction fees, mandatory forensic investigations following a breach, and potential loss of card acceptance privileges. Ayliea’s 124-question assessment covers all 12 PCI DSS requirements across the six control objectives, helping you identify gaps before a formal Qualified Security Assessor (QSA) engagement.
What Ayliea Assesses
The assessment maps to the six PCI DSS control objectives and the 12 requirements within them.
Build and Maintain a Secure Network (Requirements 1–2)
Network security controls protecting the cardholder data environment (CDE). Evaluates firewall configuration, network segmentation, documentation of allowed traffic flows, and whether default vendor passwords and security settings have been changed on all system components.
Protect Cardholder Data (Requirements 3–4)
How your organization stores and transmits cardholder data. Covers data retention and disposal policies, encryption of stored primary account numbers (PAN), masking on displays, and encryption of cardholder data transmitted over open, public networks. Includes key management practices.
Maintain a Vulnerability Management Program (Requirements 5–6)
Malware protection across system components, vulnerability management processes, and secure software development practices. Evaluates scanning frequency, patch management SLAs, and software security controls including protection against common web application vulnerabilities.
Implement Strong Access Control (Requirements 7–9)
Restricting access to cardholder data on a need-to-know basis. Covers logical access controls, unique user IDs and authentication requirements (including the expanded MFA requirements in v4.0), and physical access controls for facilities and systems in the cardholder data environment.
Regularly Monitor and Test Networks (Requirements 10–11)
Logging and monitoring of all access to network resources and cardholder data, audit log protection and review procedures, and regular testing of security systems and processes — including internal and external vulnerability scanning, penetration testing, and intrusion detection coverage.
Maintain an Information Security Policy (Requirement 12)
The policy and governance foundation of your PCI DSS program. Evaluates your information security policy coverage and annual review process, risk assessments, security awareness training, incident response plan, and third-party service provider management including contractual requirements and annual acknowledgment of responsibility.
Who Needs This Assessment
- E-commerce companies that accept card payments on their websites or applications
- Retail and hospitality organizations with point-of-sale systems
- Payment processors, payment gateways, and acquiring banks
- SaaS companies that integrate with payment systems on behalf of their customers
- Organizations that store card data for recurring billing or subscription management
- Companies preparing for an annual QSA assessment or Self-Assessment Questionnaire (SAQ)
- Organizations that have experienced a payment card breach and are implementing remediation requirements
PCI DSS applicability and the level of assessment required (QSA audit vs. SAQ) depend on your annual transaction volume and your card brand agreements. Consult your acquiring bank or a QSA to determine which compliance path applies to your organization. Ayliea’s assessment is a gap analysis tool and does not replace a formal QSA engagement.