How to Comply with PCI DSS v4.0

The Payment Card Industry Data Security Standard (PCI DSS) v4.0 is the set of security requirements, published by the PCI Security Standards Council, for organizations that store, process, or transmit payment card data, and for service providers whose systems can affect the security of that data. Its 12 principal requirements cover network security controls, protection of stored and transmitted account data, vulnerability management, access control, monitoring and testing, and information security policies.

Coverage: 100% (49 controls required, 0 not applicable)

Why PCI DSS Compliance Matters

PCI DSS v4.0 compliance is mandatory for any organization that stores, processes, or transmits payment card data. It is enforced contractually through the card brands and the organization's acquiring bank rather than by statute, so non-compliance results in fines, increased transaction fees, or loss of the ability to process card payments. Compliance is validated either by a Self-Assessment Questionnaire (SAQ) or by an on-site assessment that produces a Report on Compliance (ROC), depending on the merchant or service-provider level. The standard includes both prescriptive technical requirements and process-oriented controls; v4.0 also introduced a Customized Approach that lets an entity meet a requirement's stated objective with a different control, provided it documents a targeted risk analysis. Note that the requirements v4.0 originally published as future-dated best practices became mandatory on 31 March 2025, and that v4.0.1 (June 2024) replaced v4.0 with clarifications only, leaving the requirement numbering used below unchanged.

Compliance Checklist by Domain

The 49 controls below are this page's own control taxonomy, mapped to PCI DSS v4.0 requirement numbers (for example, 12.10.1 is Requirement 12, sub-requirement 10, item 1). Before working through them, define the cardholder data environment (CDE) and any network segmentation that reduces scope, since every reference below applies only to in-scope system components. A mapped control is met only when the requirement's defined-approach testing procedures (or a documented customized approach) are satisfied, so verify each reference against the standard itself rather than treating a row here as evidence.

Govern (6 controls)

Control | PCI DSS references | Also in
Governance Policy | 12.1.1, 12.1.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Risk Management | 12.3.1, 12.3.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Supply Chain Risk | 12.8.1, 12.8.2, 12.8.4 | NIST CSF 2.0, ISO 27001, SOC 2, 800-53, HIPAA, GDPR
Roles & Responsibilities | 12.1.3, 12.4.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Compliance | 12.1.1, 12.4.2, 12.8.5 | NIST CSF 2.0, ISO 27001, SOC 2, CMMC, 800-53, HIPAA, GDPR
Vendor Risk Mgmt | 12.8.1, 12.8.2, 12.8.3, 12.8.4, 12.8.5 | NIST CSF 2.0, ISO 27001, SOC 2, 800-53, HIPAA, GDPR

Identify (6 controls)

Control | PCI DSS references | Also in
Asset Management | 9.5.1.1, 12.5.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Risk Assessment | 6.3.1, 11.3.1, 12.3.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Business Environment | 12.1.1 | NIST CSF 2.0, ISO 27001, SOC 2, 800-53, HIPAA, GDPR
Data Classification | 3.2.1, 3.3.1, 3.4.1, 9.4.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Vulnerability Mgmt | 6.3.1, 6.3.3, 11.3.1, 11.3.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Threat Intelligence | 6.3.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53

Protect (21 controls)

Control | PCI DSS references | Also in
Awareness & Training | 12.6.1, 12.6.2, 12.6.3 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Access Control | 7.2.1, 7.2.2, 7.2.4, 8.2.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Multi-Factor Auth | 8.4.1, 8.4.2, 8.4.3 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Encryption | 3.5.1, 4.2.1, 4.2.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Data Protection | 3.4.1, 3.5.1, 4.2.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Backup & Recovery | 9.4.5.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Privileged Access | 7.2.1, 7.2.2, 8.6.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Firewall / Net Seg | 1.2.1, 1.3.1, 1.3.2, 1.4.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Endpoint Protection | 5.2.1, 5.2.2, 5.3.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Patch Management | 6.3.1, 6.3.3 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Secure Config | 2.2.1, 2.2.2, 2.2.4 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Secure Development | 6.2.1, 6.2.2, 6.2.3, 6.2.4 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, GDPR
Email Security | 5.2.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Web Security | 6.4.1, 6.4.2, 6.4.3 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Zero Trust | 1.3.1, 7.2.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Mobile Security | 2.2.4, 6.2.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Cloud Security | 2.2.1, 12.8.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
DNS Security | 1.2.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53
WAF | 6.4.1, 6.4.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
DLP | 3.4.1, 9.4.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
API Security | 6.2.1, 6.2.3, 6.5.4 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR

Detect (6 controls)

Control | PCI DSS references | Also in
Cont. Monitoring | 10.4.1, 10.4.2, 11.5.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Logging & Audit | 10.2.1, 10.2.2, 10.3.1, 10.5.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Intrusion Detection | 11.5.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Anomaly Detection | 10.4.1, 11.5.1.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
SIEM / SOC | 10.4.1, 10.4.3, 11.5.2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Insider Threat | 7.2.1, 10.2.1, 10.6.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR

Respond (5 controls)

Control | PCI DSS references | Also in
Incident Response | 12.10.1, 12.10.2, 12.10.3 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Forensics | 12.10.5 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Communication | 12.10.1, 12.10.6 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Mitigation | 12.10.4 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Reporting | 12.10.1, 12.10.6 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR

Recover (5 controls)

Control | PCI DSS references | Also in
Recovery Planning | 12.10.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Business Continuity | 12.10.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Lessons Learned | 12.10.6 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
Comms & Restore | 12.10.6 | NIST CSF 2.0, ISO 27001, SOC 2, CMMC, 800-53, HIPAA, GDPR
Disaster Recovery | 12.10.1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, CMMC, 800-53, HIPAA, GDPR
