Cybersecurity Solutions for Compliance with PCI DSS

What Is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is a globally recognized framework of security requirements developed to help organizations that process, store, or transmit credit card information maintain a secure environment. Version 4.0 of the standard emphasizes a more flexible, customized approach to achieving and validating security outcomes while continuing to reduce payment data breaches and combat card fraud.

PCI DSS 4.0 covers both technical controls and operational practices, providing a baseline for securing cardholder data environments (CDEs). The standard promotes continuous security, supports evolving technologies, and addresses emerging threats.

The PCI Security Standards Council (PCI SSC) — an independent organization founded by major payment card brands including Visa, MasterCard, American Express, Discover, and JCB — administers and manages the standard. Enforcement and compliance responsibilities remain with each individual payment brand.

PCI DSS 4.0 encourages organizations to integrate security as a continuous process, with a focus on risk-based approaches, including the use of targeted risk analysis to support customized implementation of security controls. The standard provides detailed guidance and resources to help organizations prevent, detect, and respond to security incidents, ultimately supporting the protection of sensitive cardholder information in an ever-changing threat landscape.

What Does PCI DSS 4.0 Cover?

PCI DSS compliance is built on 12 core requirements—each a critical safeguard to protect cardholder data. Meeting these standards within your IT environment demands more than a checklist; it requires a strategic, layered approach to security. Organizations often achieve this through a suite of integrated data protection solutions that work together to defend against evolving threats and ensure continuous compliance.

The 12 PCI DSS 4.0 requirements are bucketed into six categories:

Build and Maintain a Secure Network and Systems

1. Install and maintain network security controls

2. Apply secure configurations to all system components

Protect Account Data

3. Protect stored account data

4. Protect cardholder data with strong cryptography during transmission over open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems and networks from malicious software

6. Develop and maintain secure systems and software

Implement Strong Access Control Measures

7. Restrict access to system components and cardholder data by business need to know

8. Identify users and authenticate access to system components

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Log and monitor all access to system components and cardholder data

11. Test security of systems and networks regularly

Maintain an Information Security Policy

12. Support information security with organizational policies and programs

Does PCI DSS Compliance Apply to You?

Any organization – from the mom-and-pop coffee shop to enterprises that span the globe – that accepts, transmits, processes, or stores payment cards or cardholder data needs to adhere to the PCI DSS. There are differences in the level of PCI compliance that is required, depending on an organization’s transaction volume in a given year.

What Are the Different Levels of PCI DSS Compliance?

While ALL organizations that accept, transmit, process, or store cardholder data, are subject to the requirements of PCI DSS, there are four distinct levels of compliance required by individual organizations. These levels are based on transaction volume over a 12-month period:

Level 1:

Merchants processing over 6 million card transactions annually

Level 2:

Merchants processing 1 to 6 million transactions annually

Level 3:

Merchants processing 20,000 to 1 million transactions annually

Level 4:

Merchants processing fewer than 20,000 transactions annually

At the highest compliance level (Level 1), organizations must undergo an external audit conducted by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). This assessment validates the scope of the assessment, reviews documentation, determines whether PCI DSS requirements are being met, and provides guidance for achieving compliance. Upon completion, a Report on Compliance (RoC) is submitted to demonstrate adherence to PCI DSS standards.

Lower compliance level organizations (levels 2 through 4) do not need the external audit but can instead complete a self-assessment questionnaire (SAQ). Level 2 organization also need to complete a RoC.

View Resources from the PCI Security Standards Council

PCI DSS Compliance Checklist

Build and maintain a secure network and systems

Do you have a web application firewall in place to safeguard cardholder data in any system(s) used to store, process, or transmit that data?
Is it regularly updated and maintained?
Have you replaced any default passwords with unique, strong alternatives?
Are passwords protected and stored securely to minimize exposure risks?

Protect your cardholders’ data

Are security controls in place to protect data stored within your internal systems?
Are you securing cardholder data when it is in transit?
Are you using encryption to protect cardholder data? 
Is data protected when traveling across open networks or at rest?

Maintain a vulnerability management program

Do you have antivirus software or programs in place throughout your organization?
Are the programs or software up to date with the most recent version?
Do you regularly review your software?

Implement strong access control

Are systems and applications secured at your organization and are they being maintained?
Do you need to develop your systems and applications for PCI DSS compliance?
Have you restricted access to cardholder data within your internal systems?
Is access restricted based on a need-to-know or need-to-handle basis for daily task completion?
Does the task completion need outweigh the risk of providing access to the data?
Have you provided everyone in your organization with a unique user ID for computer access?
Does your systems administrator manage permissions/access control for these unique IDs?
Are your access and permissions controls granted on a business-need-to-know basis?
Do you restrict physical access to servers, computers, data centers, etc., where cardholder data may reside, be processed, or be sent?
Do you log and monitor all visitors to areas in your organization where access to cardholder data may be found?
Is all physical media securely stored to prevent inappropriate access?

Monitor and test networks regularly

Do you regularly review your organization’s networks to prevent exploitation?
Are your review processes logged for regulatory audit trails?
Do you test your systems frequently to discover any vulnerabilities and are any found appropriately addressed and maintained?
Do you test for vulnerabilities when new software is installed, or configuration changes are made?
Do your tests include internal and external network vulnerability scans and penetration testing?
Do you monitor critical system files to ensure they are not modified or accessed without authorization?

Maintain a Data Security Policy

Establishing a strong security culture within your organization can enhance PCI DSS 4.0 compliance and overall data security. Organizations should implement regular training programs and ongoing education focused on data security, with particular emphasis on PCI DSS compliance.

Internal data security policy

Do you have a current an internal data security policy in place?

PCI DSS requirements

Does your policy comprehensively address all PCI DSS requirements?

Changes to internal systems

Is your policy reviewed regularly or when changes to internal systems occur?

PCI compliance responsibilities

Does your policy outline how to identify and monitor the PCI compliance responsibilities of your service providers?

Data breaches

Do you have an actionable incident response plan that can be immediately deployed in the event of a data breach?

The Role of Vulnerability Management

To comply with PCI DSS 4.0, organizations must establish a proactive vulnerability management (VM) program that promptly identifies and addresses security weaknesses as they arise. VM plays a critical role in meeting several core PCI DSS requirements, including protecting stored cardholder data and monitoring system access.

The PCI SSC defines a vulnerability as a “flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.” Organizations can mitigate these risks by deploying automated tools that scan for common vulnerabilities and exposures (CVEs). Advanced VM solutions offer continuous scanning and risk-based prioritization, enabling teams to focus on the most critical threats first. A well-documented VM program also streamlines the PCI audit process, making compliance faster and easier.

Discover Fortra VM

Key PCI DSS 4.0 Compliance Solutions

Complying with PCI DSS requirements is easier with layers of security solutions that can be put in place across your organization to protect sensitive cardholder data. Fortra's security suite offers a range of solutions designed to help you meet your PCI DSS obligations and protect the data of your cardholders.

Data Loss Prevention

Fortra Data Loss Prevention (DLP) offers comprehensive data protection and monitoring capabilities. It secures cardholder data by providing real-time visibility into data access and movement across endpoints, networks, and cloud environments. The solution enforces data protection policies to ensure sensitive information is encrypted, masked, or blocked from unauthorized access or transfer.

Data Classification

Fortra’s data classification solutions reduce breach risks by labeling PCI-related documents and emails with visual and metadata tags. This supports proper handling, triggers encryption when needed, and enhances DLP enforcement. Classification also improves enterprise search for audits and compliance.

Vulnerability Management

Proving PCI DSS compliance is easier with our security solutions. Organizations handling cardholder data can identify and quantify any system security vulnerabilities as well as harden these systems to intrusion. In addition, there is visibility to any database access of PCI DSS to help meet PCI DSS audit requirements.

Integrity and Compliance Monitoring

Streamline PCI compliance and protect cardholder data with Fortra Integrity and Compliance Monitoring. The solution supports PCI DSS 4.0 requirements for file integrity, logging, and vulnerability assessments. Continuous monitoring keeps you audit ready, with on-demand reporting to demonstrate configuration compliance at any point in time.

Extended Detection and Response

Fortra Extended Detection and Response (XDR) enables continuous monitoring to support PCI DSS compliance, including event log analysis, incident detection, alerting, and audit trail generation. As a PCI Approved Scanning Vendor (ASV), Fortra also provides expert review and assistance with ASV report disputes, ensuring accurate and timely compliance reporting.

Offensive Security

Offensive security plays a critical role in PCI DSS by requiring regular testing of systems and processes. Vulnerability management and pen testing solutions help meet this mandate by identifying, prioritizing, and validating the remediation of internal and external threats. We also support compliance with detailed reporting that simplifies audit documentation.

Managed Web Application Firewall

PCI DSS 4.0 requirement 6.4.2 mandates a web application firewall to "continuously detect and prevent web-based attacks" made against your applications and APIs. Fortra Managed WAF not only has leading PCI security controls, but it also comes with a team of web security experts who continuously optimize your security profiles.

Secured File Manage Transfer

MFT solutions support PCI DSS compliance by securing data at rest and in transit with encryption, verifying the integrity of transfers, and maintaining detailed audit trails and transfer reports. Additionally, a compliance module can monitor for PCI DSS non-compliance.

Fortra and PCI DSS

Fortra’s portfolio of cybersecurity and compliance offerings provide a wide range of solutions and services to help businesses comply with the PCI DSS 4.0 requirements and fulfill the daily demands of protecting the company from risks and threats. The following table maps PCI DSS 4.0 requirements to Fortra’s solutions.

Requirement 1: Install and maintain network security controls

Requirement 2: Apply secure configurations

Requirement 3: Protect stored account data

Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks

Requirement 5: Protect systems and networks from malicious software

Requirement 6: Develop and maintain secure systems and software

Requirement 7: Restrict access to system components and cardholder data

Fortra Integrity and Compliance Monitoring

Requirement 8: Identify users and authenticate access

Fortra Integrity and Compliance Monitoring

Requirement 9: Restrict physical access

Requirement 10: Log and monitor all access

Requirement 11: Test security of systems and networks regularly

Requirement 12: Support information security with policies and programs

If you don’t have the capacity to manage all these activities, our Fortra managed security services can act as an extension of your team to reduce your security risks and simplify PCI DSS 4.0 compliance.

We Can Help with PCI DSS 4.0 Compliance. Let’s Talk.

Contact the experts at Fortra for a free 30-minute consultation to explore the best solutions for securing cardholder data in your organization. We’ll work with you to identify the right layers of protection to ensure PCI DSS compliance.

Schedule Your PCI DSS 4.0 Consultation