In depth
The standard organises 12 requirements under six high-level goals: build and maintain a secure network and systems, protect account data, maintain a vulnerability management programme, implement strong access-control measures, regularly monitor and test networks, and maintain an information-security policy. v4.0 added the customised approach (an outcome-based alternative to the prescriptive "defined approach" controls), expanded MFA requirements to cover all access into the cardholder data environment, and introduced new requirements around phishing-resistant authentication and targeted risk analysis.
From a pentest perspective, Requirement 11.4 is the load-bearing clause. It mandates external penetration testing at least annually and after any significant change to the cardholder data environment, internal penetration testing at the same cadence, application-layer testing of all bespoke web applications, and segmentation testing at least every six months for service providers (annually for merchants) to validate that the cardholder data environment is properly isolated from the rest of the corporate network. The findings must be remediated and the remediation re-tested to satisfy the requirement.
PCI DSS compliance is validated either by a Qualified Security Assessor (QSA) for Level 1 merchants and service providers, or via a Self-Assessment Questionnaire (SAQ) for lower-volume merchants. The output is a Report on Compliance (RoC) and an Attestation of Compliance (AoC). Non-compliance fines from the card brands run from $5,000 to $100,000 per month, plus liability for any fraud losses traceable to a breach.