PCI DSS v4.0. Scoped, segmented, attested.
Self-Assessment Questionnaires for smaller merchants. Reports on Compliance via a QSA partner for Level 1. Tokenization, segmentation, and the v4.0 requirements that become enforceable in 2025.
Payment Card Industry Data Security Standard governing storage, processing, and transmission of cardholder data.
PCI DSS is the security standard for any organization that stores, processes, or transmits cardholder data. The current version is v4.0, released March 2022, with enforcement dates phased through 2025. Compliance level depends on transaction volume: Levels 2, 3, and 4 attest via Self-Assessment Questionnaire (SAQ); Level 1 (over six million transactions per year for most card brands) requires an annual Report on Compliance (ROC) signed by a Qualified Security Assessor (QSA).
Who needs it
Any merchant accepting cards, and any service provider in the cardholder data flow. SaaS that processes payments via Stripe, Adyen, or similar processors typically reduces scope through tokenization and validates with SAQ A or SAQ A-EP. Companies with on-premises card data or unusual flows face the larger SAQ D scope or Level 1 ROC requirements.
The HSD playbook for PCI DSS
HSD begins with cardholder data flow mapping and scope determination. For most SaaS, the goal is reducing scope to SAQ A or SAQ A-EP through tokenization. We harden the cardholder data environment (CDE) if there is one, implement segmentation, run quarterly ASV scans through an Approved Scanning Vendor partner, conduct annual penetration tests, and produce the SAQ. For Level 1 customers, we coordinate with a QSA partner who issues the ROC and the Attestation of Compliance (AOC).
Timeline
| Period | Phase | Activities |
|---|---|---|
| Weeks 1 to 2 | Scoping and CDE definition | Cardholder data flow diagrams, scope determination, segmentation review |
| Weeks 2 to 6 | Control implementation | v4.0 requirements: targeted risk analysis, multi-factor authentication for all access into the CDE, network security controls, secure software development |
| Weeks 4 onward | ASV scans | Quarterly external scans by Approved Scanning Vendor partner; remediate failed checks |
| Weeks 6 to 8 | Penetration test | Annual external and internal penetration test against the CDE and segmentation controls |
| Weeks 8 to 10 | SAQ or ROC | SAQ A through D for self-assessment, or QSA fieldwork and Report on Compliance for Level 1 |
| After report | Attestation and ongoing | AOC submission, continuous monitoring of in-scope controls |
Cost reality
| Line item | Range | Note |
|---|---|---|
| Software platforms covering PCI DSS | USD 10,000 to 30,000 per year | PCI DSS support varies; deeper than SOC 2-only platforms |
| Remediation and SAQ preparation | USD 20,000 to 60,000 | Lower for SAQ A through tokenization; higher for SAQ D or on-premise CDE |
| Approved Scanning Vendor (quarterly) | USD 1,000 to 5,000 per year | Required regardless of merchant level |
| QSA fieldwork (Level 1 ROC) | USD 30,000 to 80,000 | Significant variability based on CDE complexity and geographic scope |
| HSD bundled program | Scoped per program | Engineers, ASV partner, QSA partner coordination in one engagement |
What auditors check
Cardholder data flow diagram
The auditor wants to see exactly where card data enters, traverses, and leaves the environment. A wrong or stale diagram is a frequent finding.
Segmentation that actually segments
If segmentation is claimed to reduce scope, the auditor tests that the segmentation controls function as documented.
Multi-factor for all access into the CDE
v4.0 made MFA mandatory for all access into the CDE, not only administrative access. Enforceable from March 31, 2025.
Quarterly ASV scans, all passing
Failed scans must be remediated and rescanned until they pass, within ninety days of the failure.
Annual external and internal penetration tests
Required by Requirement 11.4. Reports must be retained and findings remediated; segmentation testing is separate.
Targeted risk analysis (v4.0 new)
The v4.0 customized approach requires a targeted risk analysis per control. Generic risk assessments do not satisfy the requirement.
Common pitfalls
Wrong SAQ
Choosing SAQ A when SAQ A-EP applies (or D when A applies) creates either gaps or unnecessary work. Scope determination is the first thing to get right.
Segmentation claimed but not enforced
Logical segmentation that does not actually block traffic between zones fails segmentation testing.
Missing v4.0 enforcement dates
Several v4.0 requirements became enforceable in March 2025. Operating against v3.2.1 controls without v4.0 readiness is a finding.
Stale cardholder data flow
Flow diagrams that are not updated after architecture changes. Real flows diverge from documented flows, and auditors notice.
Penetration test scope errors
A penetration test scoped to the wrong assets, or conducted by an unqualified tester, leads to ROC delays and rework.
FAQ
What changed in PCI DSS v4.0?
Do I need a QSA?
Can tokenization reduce scope?
Does HSD perform the QSA work?
What is the difference between an SAQ and a ROC?
How often is PCI DSS validated?
Want PCI DSS scoped for your stack?
Thirty-minute call. Fixed-scope quote inside a week. We tell you honestly when PCI DSS should wait or when it should lead.