// PCI DSS

How ready are you for a PCI DSS v4.0.1 assessment?

If you take card payments, a bank, processor, or customer will eventually ask you to prove PCI DSS compliance. Answer six questions about how you handle cardholder data and get an honest readiness tier, plus the moves that cut your scope and your effort the fastest.

PCI DSS readiness assessment

What's bringing you to PCI DSS right now?

What is PCI DSS?

PCI DSS is the Payment Card Industry Data Security Standard, 12 requirements maintained by the PCI Security Standards Council to protect card data. Any business that stores, processes, or transmits cardholder data has to meet it. The current version is v4.0.1, published 11 June 2024.

Who has to comply with PCI DSS?

Any organisation that handles payment card data, from a one-person shop to a large processor. Your merchant level follows annual transaction volume (Level 1 is over 6 million; Levels 2 to 4 are smaller bands), and your SAQ type follows how you accept cards. Both decide how much you have to prove.

What changed in PCI DSS v4.0?

Version 4.0 kept the same 12 requirements but raised the bar. MFA now applies to all CDE access. It adds payment-page script controls, anti-phishing measures, and stronger passwords, plus the customised approach. Most future-dated items became mandatory on 31 March 2025.

Common questions

It depends on your starting scope. A small merchant on SAQ A who already uses a processor redirect can attest in days. A business storing card data across many systems can take months to map flows, segment, and gather evidence. Cutting scope first shortens the timeline.

Yes. PCI DSS applies to any business that accepts card payments, regardless of size. Smaller merchants usually validate with a Self-Assessment Questionnaire rather than a full audit, but the obligation is the same. Your acquiring bank can require proof and apply penalties.

Your merchant level is set by transaction volume and decides how you validate. Your SAQ type is set by how you accept cards and decides which controls apply. Two merchants at the same level can fill out very different SAQs.

No. A compliant processor handles the controls for the part of the flow they manage, but you stay responsible for your own scope, your integration, and any data you touch. PCI expects a written record of which requirements your providers cover and which you cover.

LET'S CONNECT

A senior engineer replies within an hour, 24/7.