
PCI DSS v4.0 Compliance Guide

The Payment Card Industry Data Security Standard — 12 requirements, 250+ sub-requirements, and a global mandate for every organisation that stores, processes, or transmits Primary Account Numbers. Version 4.0 became fully mandatory in March 2025.

6 goals · 12 requirements

Goal 1 — Build & Maintain Secure Networks (Req 1–2)
Goal 2 — Protect Account Data (Req 3–4)
Goal 3 — Vulnerability Management (Req 5–6)
Goal 4 — Strong Access Control (Req 7–9)
Goal 5 — Monitor & Test Networks (Req 10–11)
Goal 6 — Information Security Policy (Req 12)

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security controls developed by the PCI Security Standards Council — a body formed by Visa, Mastercard, American Express, Discover, and JCB — to protect payment card data globally. Any organisation that stores, processes, or transmits Primary Account Numbers (PANs) must comply, regardless of size or geography. The standard covers network security, data protection, access control, monitoring, vulnerability management, and information security policy across 12 requirements and more than 250 sub-requirements.

PCI DSS v4.0, published in March 2022, is the most significant update since v3.0. It introduces a new Customised Approach allowing organisations to meet the intent of a requirement through alternative controls rather than prescriptive ones, expands mandatory multi-factor authentication to all cardholder data environment (CDE) access, adds anti-phishing and payment-page script protections, and introduces 64 new requirements. All new requirements became mandatory from March 2025, replacing v3.2.1 entirely.

In Saudi Arabia, PCI DSS compliance is both a card-brand contractual obligation and a regulatory requirement. The Saudi Central Bank (SAMA) mandates PCI DSS for payment service providers it licenses. Saudi banks, PSPs, payment gateways, e-commerce merchants, and Saudi Payments (mada) affiliated entities all fall within scope. Compliance level is determined by annual transaction volume: Level 1 (over 6 million transactions) requires a full Report on Compliance by a Qualified Security Assessor; Levels 2–4 may self-assess using a Self-Assessment Questionnaire.

The 12 Requirements

Goal 1 — Build and Maintain a Secure Network and Systems

Req 1

Install and maintain network security controls

Define and document network security controls (firewalls, routers) that restrict inbound and outbound traffic to what is necessary for the CDE. Includes rule reviews at least every six months.

Req 2

Apply secure configurations to all system components

Establish configuration standards for all CDE system components, removing default vendor credentials, disabling unnecessary services, and maintaining a configuration baseline inventory.

Goal 2 — Protect Account Data

Req 3

Protect stored account data

Minimise stored cardholder data, protect stored PANs via truncation, masking, or strong cryptography, and prohibit storage of sensitive authentication data (SAD) after authorisation.
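Requirement 3 asks for PANs to be truncated, masked or encrypted wherever they are stored, and a common place PANs leak into storage is application logs. The following Python is an added example, not part of this guide and not GRC Vantage code: it scans log lines for candidate card numbers, uses the Luhn check to avoid masking ordinary 13- to 19-digit values such as order ids, and masks every confirmed PAN down to its last four digits. The log lines and card numbers are constructed test data (the widely published 4111… and 5555… test numbers), and the regex and last-four masking are one assumed implementation choice rather than text from the standard.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
# Runs of 20+ digits are deliberately not matched (they cannot be a PAN).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with asterisks."""
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def redact_pans(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid PAN in `text`; return (redacted text, number masked)."""
    count = 0

    def _sub(match: re.Match) -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # looks like a PAN but is not one (e.g. an order id)
        count += 1
        return mask_pan(digits)

    return PAN_RE.sub(_sub, text), count


# Constructed sample log lines; the card numbers are public test numbers, not real PANs.
LOG_LINES = [
    "2025-03-01T10:02:11Z INFO payment ok card=4111111111111111 amount=120.00",
    "2025-03-01T10:02:12Z DEBUG order=1234567890123 status=created",
    "2025-03-01T10:02:13Z INFO refund card=5555 5555 5555 4444 amount=10.00",
]


def redact_log(lines: list[str]) -> tuple[list[str], int]:
    """Redact a list of log lines, returning the cleaned lines and the total PANs masked."""
    redacted, total = [], 0
    for line in lines:
        clean, n = redact_pans(line)
        redacted.append(clean)
        total += n
    return redacted, total


if __name__ == "__main__":
    cleaned, n = redact_log(LOG_LINES)
    print("\n".join(cleaned))
    print(f"masked {n} PAN(s)")
```

The Luhn test is what keeps the order id on the second line intact while both card numbers are masked; in practice this filter belongs at the logging sink (a formatter or a log-shipping pipeline) so that unmasked PANs never reach disk, which is also the evidence an assessor will ask for under Requirement 3.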

Req 4

Protect cardholder data with strong cryptography during transmission

Use strong cryptographic protocols (TLS 1.2+) for all PAN transmission over open, public networks. Prohibit transmission of unprotected PANs.

Goal 3 — Maintain a Vulnerability Management Program

Req 5

Protect all systems and networks from malicious software

Deploy anti-malware on all system components susceptible to malware, keep solutions current, perform periodic evaluations for components not commonly affected, and prevent disabling by users.

Req 6

Develop and maintain secure systems and software

Apply security patches within defined timeframes, follow a secure development lifecycle, address OWASP Top 10, conduct code reviews, and protect public-facing web applications.

Goal 4 — Implement Strong Access Control Measures

Req 7

Restrict access to system components and cardholder data by business need to know

Implement access control systems that deny all unless explicitly permitted. Maintain documented access-control policies with role-based access rights reviewed at least every six months.

Req 8

Identify users and authenticate access to system components

Assign unique IDs, require MFA for all access into the CDE, enforce strong password policies, and manage the full user lifecycle including immediate revocation for terminated personnel.

Req 9

Restrict physical access to cardholder data

Control physical entry to facilities and data centres, maintain visitor logs, protect on-site media containing cardholder data, and implement controls for point-of-interaction (POI) devices.

Goal 5 — Regularly Monitor and Test Networks

Req 10

Log and monitor all access to system components and cardholder data

Implement audit logging for all CDE access, protect log integrity, retain logs for at least 12 months (3 months immediately available), and review logs daily using automated mechanisms.

Req 11

Test security of systems and networks regularly

Conduct quarterly internal and external vulnerability scans (external via ASV), annual penetration testing, quarterly wireless scans, and file integrity monitoring on critical system files.

Goal 6 — Maintain an Information Security Policy

Req 12

Support information security with organisational policies and programs

Maintain an information security policy reviewed annually, conduct risk assessments at least once a year, manage third-party service provider relationships, and operate a security awareness program.

Assessment Paths

PCI DSS compliance is validated through one of three assessment paths depending on transaction volume, CDE complexity, and card-brand requirements.

Path | Who it applies to | Who performs it | Output
SAQ-A | Card-not-present merchants that fully outsource card processing; no electronic cardholder data on merchant systems | Self-assessed by the merchant | Completed SAQ-A + AOC
SAQ-B | Merchants using imprint machines or standalone dial-out terminals; no electronic PAN storage | Self-assessed by the merchant | Completed SAQ-B + AOC
SAQ-C | Merchants with payment applications connected to the internet; no electronic PAN storage | Self-assessed by the merchant | Completed SAQ-C + AOC
SAQ-D (Merchants) | All merchants not covered by SAQ-A through SAQ-C — the most comprehensive SAQ | Self-assessed; QSA guidance common | Completed SAQ-D + AOC
SAQ-D (Service Providers) | Service providers that are not required to complete a full ROC but are eligible for self-assessment | Self-assessed; QSA guidance common | Completed SAQ-D SP + AOC
ROC (Report on Compliance) | Level 1 merchants (6M+ transactions/year), most service providers, entities required by acquiring bank | Qualified Security Assessor (QSA) — on-site assessment | Full ROC + AOC signed by QSA and entity

AOC = Attestation of Compliance — the signed document confirming compliance status issued at the end of any assessment path.

Who Must Comply

Level 1 Merchants

More than 6 million Visa or Mastercard transactions per year. Requires annual ROC by QSA and quarterly ASV scans.

Level 2 Merchants

1–6 million transactions per year. Annual SAQ or ROC, quarterly ASV scans, and attestation of compliance.

Level 3 Merchants

20,000–1 million e-commerce transactions per year. Annual SAQ and quarterly ASV scans.

Level 4 Merchants

Fewer than 20,000 e-commerce transactions or up to 1 million total transactions. Annual SAQ recommended.

Service Providers — Level 1

More than 300,000 transactions annually. Requires annual ROC by QSA and quarterly ASV scans.

Service Providers — Level 2

Fewer than 300,000 transactions annually. Annual SAQ-D and quarterly ASV scans.

Saudi Arabia specifics

All Saudi banks, PSPs, payment gateways, and merchants processing Visa, Mastercard, or American Express transactions must comply based on their transaction volume level above. The Saudi Central Bank (SAMA) has made PCI DSS compliance a condition of licensing for payment service providers.

Saudi Payments (mada) and entities within the mada scheme are in scope. Acquirers in Saudi Arabia are responsible for ensuring their merchant portfolios are PCI DSS compliant and for reporting non-compliant merchants to the card brands.

Saudi merchants operating e-commerce platforms, hospitality point-of-sale systems, and any other card-accepting channel are subject to the same global PCI DSS requirements and must demonstrate compliance to their acquiring bank.

PCI DSS v4.0 vs ISO 27001

Dimension | PCI DSS v4.0 | ISO 27001:2022
Issuer | PCI Security Standards Council (Visa, Mastercard, Amex, Discover, JCB) | International Organization for Standardization (ISO) / IEC
Focus | Protection of cardholder data and the cardholder data environment (CDE) | Holistic information security management system (ISMS) covering all information assets
Scope | Mandatory for any entity that stores, processes, or transmits Primary Account Numbers | Voluntary certification applicable to any organisation regardless of sector
Assessment | ROC (by QSA) for Level 1; SAQ (self-assessment) for lower levels; quarterly ASV scans | Third-party certification audit by accredited certification body; surveillance audits annually
Output | Report on Compliance (ROC) or completed SAQ + Attestation of Compliance (AOC) | ISO 27001 Certificate of Registration (3-year cycle with annual surveillance)
Renewal | Annual — continuous compliance; quarterly scans; no grace period | 3-year certification cycle with annual surveillance audits and triennial recertification
Saudi recognition | Required by SAMA for payment service providers; card-brand contractual obligation for all acquirers and merchants | Recognised by NCA, SAMA, and CITC; widely used as baseline for government and enterprise
Primary audience | Banks, PSPs, payment gateways, merchants, processors, service providers in the payment ecosystem | Any organisation seeking to demonstrate information security governance across all information assets

GRC Vantage for PCI DSS

Audit-ready PCI DSS compliance, without the manual overhead

GRC Vantage ships with everything a Saudi bank, PSP, or merchant needs to scope, evidence, and sustain PCI DSS v4.0 compliance — and cross-map it to SAMA CSF and NCA ECC in the same platform.

Pre-mapped PCI DSS control library

All 12 requirements and 250+ sub-requirements pre-mapped to control activities, evidence templates, and reviewer routing — ready on day one.

CDE scoping workshop tools

Guided data-flow discovery, network segmentation mapping, and scope reduction analysis to minimise your cardholder data environment.

Evidence collection per requirement

Automated evidence collection on schedule with quarterly ASV scan tracking, configuration snapshots, and remediation workflows linked to individual requirements.

SAQ completion assistance

Structured SAQ-A through SAQ-D workflows with pre-populated answers from your control and evidence data — reducing QSA review time.

QSA-ready report generation

Generate structured ROC-support packs and AOC evidence packs that your QSA can review directly — no last-minute document hunts.

Multi-framework cross-mapping

Single controls and evidence items cross-mapped across PCI DSS v4.0, NCA ECC, and SAMA CSF — satisfy three frameworks with one compliance programme.

Frequently Asked Questions

What is PCI DSS v4.0?

PCI DSS v4.0 is the current Payment Card Industry Data Security Standard issued by the PCI Security Standards Council (PCI SSC) — a body founded by Visa, Mastercard, American Express, Discover, and JCB. Published in March 2022, it defines 12 requirements and over 250 sub-requirements that any organisation storing, processing, or transmitting Primary Account Numbers (PANs) must satisfy. Version 4.0 introduces a new Customised Approach allowing organisations to meet security objectives through alternative controls, expands multi-factor authentication, strengthens phishing and script protections, and adds 64 new requirements, all of which became mandatory from March 2025.

Who must comply with PCI DSS in Saudi Arabia?

All Saudi banks, payment service providers (PSPs), payment gateways, and merchants that store, process, or transmit Visa, Mastercard, or American Express cardholder data must comply with PCI DSS. The Saudi Central Bank (SAMA) explicitly requires PCI DSS compliance for payment service providers it licenses. Saudi Payments (mada) and affiliated entities are in scope. Merchant compliance level (Level 1–4) is determined by annual transaction volume, with Level 1 merchants (over 6 million transactions per year) requiring a full Report on Compliance from a Qualified Security Assessor.

What is new in PCI DSS v4.0 versus v3.2.1?

PCI DSS v4.0 introduces several significant changes over v3.2.1: (1) a new Customised Approach that allows organisations to meet the intent of each requirement through alternative controls rather than prescriptive ones; (2) expanded mandatory multi-factor authentication for all access into the cardholder data environment, not just remote access; (3) new requirements for anti-phishing mechanisms and the securing of payment page scripts; (4) stronger authentication requirements; (5) 64 entirely new sub-requirements; and (6) a revised, more flexible assessment process. All new requirements became mandatory in March 2025.

What is a Qualified Security Assessor (QSA)?

A Qualified Security Assessor (QSA) is an individual or company certified by the PCI Security Standards Council to assess an organisation's compliance with PCI DSS and produce a Report on Compliance (ROC). QSAs must pass PCI SSC training and re-qualify annually. For Level 1 merchants and most service providers, a ROC conducted by a QSA is mandatory. QSAs may also assist smaller organisations in completing Self-Assessment Questionnaires, though that is not strictly required.

What is the difference between a SAQ and a ROC?

A Self-Assessment Questionnaire (SAQ) is a self-validation tool for merchants and service providers that do not require a full on-site assessment. There are multiple SAQ types (SAQ-A through SAQ-D) depending on how cardholder data is handled — for example, SAQ-A is for card-not-present merchants that have fully outsourced card processing, while SAQ-D is the most comprehensive. A Report on Compliance (ROC) is a full on-site assessment conducted by a QSA and is required for Level 1 merchants and many service providers. Both paths produce an Attestation of Compliance (AOC) — the signed document confirming the entity's compliance status.

How does PCI DSS relate to the SAMA CSF?

The SAMA Cyber Security Framework (SAMA CSF) governs the overall cyber security posture of Saudi financial institutions regulated by the Saudi Central Bank; PCI DSS specifically governs the cardholder data environment (CDE) within those entities. Most Saudi banks and payment service providers must satisfy both. The two frameworks share significant overlap in areas such as access control, encryption, vulnerability management, logging, and incident response — meaning a single control or piece of evidence can satisfy requirements in both frameworks when cross-mapped properly.

Get started

Ready to put PCI DSS v4.0 on auditable rails?

Talk to our Riyadh and Dammam teams about CDE scoping, gap analysis, and a year-round PCI DSS programme that satisfies SAMA, card brands, and your QSA simultaneously.