PCI DSS 4.0 Compliance Guide: Complete Implementation for E-Commerce and Financial Services

Navigate the complete PCI DSS 4.0 compliance journey from merchant level determination to validation. Learn cardholder data security requirements, network segmentation strategies, and cost-effective implementation approaches for e-commerce and payment processing businesses.

18 min read
Updated: July 10, 2025
For: E-Commerce, Payment Processors, Financial Services, Retail

PCI DSS 4.0 Deadline: March 31, 2025 Requirements Now in Effect

PCI DSS version 4.0 became effective March 31, 2024, with a one-year transition period. As of March 31, 2025, all future-dated requirements are now mandatory. Organizations still operating under PCI DSS 3.2.1 are non-compliant and face potential fines, increased transaction fees, and loss of payment processing privileges. Immediate action is required.

Executive Summary: Payment Card Security in 2025

The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 represents the most significant update to payment security requirements in over a decade. Whether you're processing $100,000 or $100 million in annual card transactions, PCI DSS compliance is not optional—it's a contractual obligation with your merchant services provider and a critical defense against the $200+ billion annual cost of payment card fraud.

PCI DSS 4.0 introduces enhanced requirements for network segmentation, multi-factor authentication, cryptographic controls, and continuous monitoring. The updated standard recognizes modern threats including cloud environments, mobile payments, and sophisticated attack techniques targeting cardholder data environments (CDE). Organizations must implement these enhanced controls while maintaining operational efficiency and customer experience.

Who Must Comply

PCI DSS compliance is mandatory for any organization that stores, processes, or transmits cardholder data. This includes:

  • E-commerce businesses and online retailers of all sizes
  • Payment service providers and payment gateways
  • Point-of-sale system providers and payment terminals
  • Financial institutions processing card transactions
  • Merchants with physical retail locations accepting cards
  • SaaS platforms processing subscription payments
  • Hospitality and restaurant businesses
  • Healthcare providers accepting payment cards

Even if you outsource payment processing to a third party, you remain responsible for ensuring PCI DSS compliance across your entire cardholder data environment. Your compliance scope extends to any system, network, or person that can access cardholder data.

What's at Stake

Non-compliance with PCI DSS carries severe business consequences beyond regulatory fines:

  • Financial penalties: $5,000-$100,000 per month from card brands for non-compliance
  • Increased transaction fees: Payment processors can add $0.05-$0.10 per transaction
  • Loss of payment processing: Your merchant account can be terminated immediately
  • Breach liability: $100-$500 per compromised card, plus forensic investigation costs ($50K-$500K)
  • Reputational damage: Public disclosure of breaches destroys customer trust
  • Legal costs: Class action lawsuits and regulatory investigations

For perspective, the average cost of a payment card breach exceeds $3 million when accounting for investigation, notification, remediation, fines, and lost business. Organizations that maintain continuous PCI DSS compliance significantly reduce breach risk and demonstrate security maturity to customers and partners.

Understanding Merchant Levels: Which Requirements Apply to You

Your merchant level determines validation requirements, assessment frequency, and compliance costs. Levels are based on annual Visa transaction volume across all channels, though other card brands use similar thresholds.

Level 1: Enterprise Merchants (6+ Million Transactions/Year)

Transaction Volume: 6 million or more Visa transactions annually across all channels, OR any merchant suffering a data breach compromising account data.

Validation Requirements:

  • Annual on-site assessment by Qualified Security Assessor (QSA)
  • Quarterly network vulnerability scans by Approved Scanning Vendor (ASV)
  • Annual internal and external penetration testing
  • Report on Compliance (ROC) submission to acquiring bank
  • Attestation of Compliance (AOC) signed by executive

Estimated Annual Cost: $50,000-$100,000 (QSA fees, remediation, scanning, testing)

Level 1 merchants face the most stringent oversight. Many maintain continuous compliance with quarterly internal reviews and dedicated security teams.

Level 2: Mid-Market Merchants (1-6 Million Transactions/Year)

Transaction Volume: 1-6 million Visa transactions annually across all channels.

Validation Requirements:

  • Annual Self-Assessment Questionnaire (SAQ) completion
  • Quarterly network vulnerability scans by ASV
  • Annual Attestation of Compliance (AOC)
  • Some acquirers may require QSA validation or penetration testing

Estimated Annual Cost: $25,000-$50,000 (SAQ validation support, quarterly scans, optional QSA, penetration testing)

Many Level 2 merchants engage virtual CISO (vCISO) services for ongoing compliance management rather than hiring full-time security staff. Our compliance advisory packages provide cost-effective expertise for this merchant segment.

Level 3: Small-Medium E-Commerce (20K-1M E-Commerce Transactions/Year)

Transaction Volume: 20,000-1 million Visa e-commerce transactions annually.

Validation Requirements:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network vulnerability scans by ASV
  • Annual Attestation of Compliance (AOC)

Estimated Annual Cost: $15,000-$35,000 (SAQ completion, quarterly ASV scans, limited remediation)

Level 3 merchants benefit most from payment tokenization and hosted payment solutions to minimize CDE scope. Our compliance readiness assessment helps identify the most cost-effective compliance approach.

Level 4: Small Merchants (Under 20K E-Commerce or Under 1M Total)

Transaction Volume: Fewer than 20,000 Visa e-commerce transactions annually, OR up to 1 million total Visa transactions annually across all channels.

Validation Requirements:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network vulnerability scans (if applicable based on SAQ type)
  • Annual Attestation of Compliance (depending on acquirer)

Estimated Annual Cost: $5,000-$15,000 (SAQ completion, basic scanning if required)

Level 4 merchants should prioritize fully outsourcing payment processing (qualifying for SAQ A) to minimize compliance burden. Contact our advisory team to discuss hosted payment page solutions.

Important: Card brands and acquiring banks may impose additional requirements beyond these baseline levels. Always verify specific validation requirements with your acquirer and payment processor.

Self-Assessment Questionnaire (SAQ) Types: Choosing Your Validation Path

Most Level 2-4 merchants complete annual compliance validation using a Self-Assessment Questionnaire (SAQ). Choosing the correct SAQ type is critical—using the wrong type can result in non-compliance even if you answer all questions correctly.

SAQ A: Card-Not-Present, Fully Outsourced (22 Questions)

Who Qualifies: E-commerce merchants who have fully outsourced all cardholder data functions to PCI DSS compliant third parties. No electronic storage, processing, or transmission of cardholder data on merchant systems.

Requirements Validated: Limited subset focusing on policy management, vendor oversight, and security awareness.

Common Solutions: Stripe, Square, PayPal, Authorize.net (when using hosted payment pages)

SAQ A is the least burdensome validation option. Most small e-commerce merchants should structure their payment processing to qualify for SAQ A by using hosted payment pages or payment iframes that prevent cardholder data from touching their servers.

SAQ A-EP: E-Commerce with Partial Outsourcing (181 Questions)

Who Qualifies: E-commerce merchants whose website includes a payment page where customer card data is entered, but whose payment processing is outsourced to a PCI DSS compliant service provider. The website does not store, process, or transmit cardholder data, but does receive it momentarily.

Requirements Validated: Network security, access controls, monitoring, encryption, physical security.

Common Scenarios: Custom checkout pages using JavaScript payment libraries (Stripe.js, Braintree JS SDK)

SAQ A-EP requires significantly more controls than SAQ A, including network segmentation, firewall configuration, and vulnerability management. Many merchants mistakenly believe they qualify for SAQ A when A-EP is required.

SAQ C: Payment Terminals Only (160 Questions)

Who Qualifies: Merchants using Internet-connected payment application systems or terminals, with no electronic storage of cardholder data.

Requirements Validated: Terminal security, network controls, key management, physical security.

Common Scenarios: Retail stores, restaurants with Internet-connected POS terminals

SAQ D: All Other Merchants & Service Providers (329 Questions)

Who Qualifies: All merchants and service providers not qualifying for SAQ A, A-EP, or C. Any merchant storing, processing, or transmitting cardholder data on internal systems.

Requirements Validated: All 12 PCI DSS requirements (full standard compliance)

Common Scenarios: Custom payment applications, legacy systems storing card data, payment gateways, payment service providers

SAQ D is equivalent to the full Report on Compliance (ROC) that Level 1 merchants complete with QSAs. Organizations required to complete SAQ D should strongly consider engaging a QSA or compliance advisory firm given the complexity.

SAQ Type Misclassification is Common

Many merchants incorrectly self-assess using SAQ A when their payment integration actually requires SAQ A-EP or D. This creates false compliance that won't withstand breach investigation or acquirer audit. Our PCI DSS scoping assessment ensures you're using the correct validation method.

The 12 PCI DSS Requirements: What You Must Implement

PCI DSS 4.0 organizes security requirements into 12 high-level mandates across 6 control objectives. Every requirement includes specific sub-requirements that define implementation details, testing procedures, and validation evidence.

Control Objective 1: Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain network security controls

Network security controls (firewalls, routers, network segmentation) must protect the cardholder data environment from untrusted networks. This includes proper rule-set configuration, change management, and quarterly reviews.

PCI DSS 4.0 enhancement: Explicit requirements for network segmentation testing and documentation of all connections to CDE. Organizations must implement network segmentation to reduce compliance scope.

Requirement 2: Apply secure configurations to all system components

Default passwords, unnecessary services, and insecure configurations create vulnerabilities. All systems must be hardened using industry standards (CIS Benchmarks, NIST guidelines) before deployment and maintain secure configuration throughout lifecycle.

Common pitfalls: Default credentials on payment terminals, unnecessary services running on web servers, weak SSH configurations on Linux systems.

Control Objective 2: Protect Account Data

Requirement 3: Protect stored account data

Storage of cardholder data must be minimized. When storage is necessary, Primary Account Number (PAN) must be encrypted or tokenized, and sensitive authentication data (CVV2, PIN) must NEVER be stored after authorization.

Best practice: Most merchants should not store cardholder data at all. Use payment tokenization services where tokens replace actual card numbers for recurring billing and payment processing.
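As an added example (not code from the guide or from any provider it names), this is the merchant-side handling Requirement 3 describes, on constructed data: Luhn-check and tokenize the PAN, persist only a token plus a first-six/last-four mask, refuse to persist CVV2, PIN or track data, and scan stored text for leaked PANs. `TokenVault`, the field names and the letters-only token format are assumptions standing in for a PCI DSS compliant tokenization provider.

```python
import re
import secrets
import string

# Sensitive authentication data: must never be stored after authorization.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "pin_block", "track1", "track2"}

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that every real PAN passes; filters out random digit runs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits are the most PCI DSS allows to be displayed."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Simulated provider vault (assumption): tokens are random and carry no PAN information.

    Tokens are letters only so the PAN scanner below can never mistake one for a card number.
    """

    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._store[token] = re.sub(r"\D", "", pan)
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def find_pans(text: str):
    """Return masked PANs found in free text; run over logs or DB exports to prove nothing leaked."""
    return [mask_pan(m.group()) for m in PAN_CANDIDATE.finditer(text) if luhn_valid(m.group())]


def check_record_safe(record: dict) -> None:
    """Reject a record that carries SAD fields or a full PAN in any string value."""
    leaked = SENSITIVE_AUTH_FIELDS & {k.lower() for k in record}
    if leaked:
        raise ValueError(f"sensitive authentication data present: {sorted(leaked)}")
    for key, value in record.items():
        if isinstance(value, str) and find_pans(value):
            raise ValueError(f"unmasked PAN present in field {key!r}")


def card_on_file_record(vault: TokenVault, customer_id: str, card: dict) -> dict:
    """Build what the merchant may persist after authorization: token, mask and expiry.

    `card` is the full authorization payload (PAN, expiry, CVV2). CVV2 is used for the
    authorization call (not shown) and is deliberately not copied into the record.
    """
    record = {
        "customer_id": customer_id,
        "token": vault.tokenize(card["pan"]),
        "masked_pan": mask_pan(card["pan"]),
        "expiry": card.get("expiry"),
    }
    check_record_safe(record)            # last check before the write hits storage
    return record


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed authorization payload using a well-known test PAN.
    rec = card_on_file_record(vault, "cust-42", {"pan": "4111111111111111", "expiry": "12/27", "cvv2": "123"})
    print(rec)
    print(find_pans("paid with 4111 1111 1111 1111; ref 1234567890123456"))
```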

Requirement 4: Protect cardholder data with strong cryptography during transmission

All transmission of cardholder data across open, public networks must use strong cryptography (TLS 1.2 or higher). This includes e-commerce checkout, payment terminal to processor communications, and internal network transmission across untrusted networks.

PCI DSS 4.0 enhancement: TLS 1.0 and 1.1 are no longer acceptable. Certificate management procedures must include inventory, monitoring for expiration, and prompt renewal.
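Two Requirement 4 checks as an added example (not the guide's own tooling): a client-side `SSLContext` for CDE components that refuses anything below TLS 1.2, and a certificate inventory review that flags certificates inside a renewal window, using the `notAfter` string format `ssl.SSLSocket.getpeercert()` returns. The hostnames, dates and 30-day renewal window are constructed assumptions, not PCI DSS numbers.

```python
import ssl
from datetime import datetime, timezone

RENEWAL_WINDOW_DAYS = 30   # assumed internal renewal threshold
# Constructed date on which the review below is run.
REVIEW_DATE = datetime(2026, 5, 2, 12, 0, tzinfo=timezone.utc)


def cde_client_context() -> ssl.SSLContext:
    """Context for a CDE component talking to a processor or gateway."""
    ctx = ssl.create_default_context()             # CA verification and hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0 / 1.1 rejected at the handshake
    return ctx


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings an assessor asks about, in a form that can be logged as evidence."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def protocol_acceptable(negotiated: str) -> bool:
    """Check a negotiated version string such as SSLSocket.version() returns."""
    return negotiated in {"TLSv1.2", "TLSv1.3"}


def days_until_expiry(not_after: str, now: datetime) -> int:
    """not_after in getpeercert() form, e.g. 'Jun  1 12:00:00 2026 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def expiry_review(inventory, now: datetime, window_days: int = RENEWAL_WINDOW_DAYS):
    """inventory: list of (hostname, not_after). Returns (host, status, days) needing action."""
    findings = []
    for host, not_after in inventory:
        days = days_until_expiry(not_after, now)
        if days < 0:
            findings.append((host, "EXPIRED", days))
        elif days <= window_days:
            findings.append((host, "RENEW", days))
    return findings


# Constructed certificate inventory for CDE endpoints.
INVENTORY = [
    ("checkout.example.test", "Jun  1 12:00:00 2026 GMT"),
    ("gateway-client.internal.test", "Apr 20 12:00:00 2026 GMT"),
    ("pos-proxy.internal.test", "Dec 31 23:59:59 2026 GMT"),
]

if __name__ == "__main__":
    print(context_policy(cde_client_context()))
    for finding in expiry_review(INVENTORY, REVIEW_DATE):
        print(*finding)
```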

Control Objective 3: Maintain a Vulnerability Management Program

Requirement 5: Protect all systems and networks from malicious software

Anti-malware solutions must be deployed on all systems commonly affected by malware (primarily Windows servers and workstations). Solutions must receive regular updates, perform automatic scans, and generate audit logs.

PCI DSS 4.0 enhancement: Recognition of modern endpoint detection and response (EDR) solutions as acceptable anti-malware technologies beyond traditional antivirus.

Requirement 6: Develop and maintain secure systems and software

All system components and software must be protected from known vulnerabilities through timely security patches. Custom payment applications must be developed using secure coding practices and undergo security testing before deployment.

Implementation: Critical patches must be installed within 30 days of release. Web applications must be protected by web application firewalls (WAF) or undergo annual code reviews and testing.

Control Objective 4: Implement Strong Access Control Measures

Requirement 7: Restrict access to system components and cardholder data by business need to know

Access to cardholder data must be limited to individuals whose job requires such access. Implement role-based access control (RBAC), least privilege principles, and regular access reviews.

Requirement 8: Identify users and authenticate access to system components

All users must have unique IDs, and authentication must use multi-factor authentication (MFA) for all access to CDE. Password policies must enforce strong passwords with regular rotation.

PCI DSS 4.0 enhancement: MFA is now required for ALL access into the CDE, not just remote access. This significantly expands MFA requirements for most organizations.

Requirement 9: Restrict physical access to cardholder data

Physical access to systems storing or processing cardholder data must be controlled and monitored. This includes data centers, server rooms, and areas with payment terminals.

Control Objective 5: Regularly Monitor and Test Networks

Requirement 10: Log and monitor all access to system components and cardholder data

Comprehensive logging and log monitoring must detect and alert on suspicious activities. Logs must be centralized, protected from tampering, and retained for at least 12 months.

PCI DSS 4.0 enhancement: Automated log review mechanisms and detection of security events across all system components in CDE.

Requirement 11: Test security of systems and networks regularly

Organizations must conduct quarterly vulnerability scans by Approved Scanning Vendor (ASV) and annual penetration testing of CDE. Internal vulnerability scanning must occur quarterly and after significant changes.

Our penetration testing services meet PCI DSS requirements for annual internal and external testing, including network segmentation validation and application security assessments. See our testing packages for PCI-specific engagements.

Control Objective 6: Maintain an Information Security Policy

Requirement 12: Support information security with organizational policies and programs

Comprehensive information security policy must address all PCI DSS requirements. Annual security awareness training for all personnel, vendor management program, and incident response procedures are mandatory.

Our ongoing compliance management includes policy development, employee training programs, and quarterly compliance reviews to maintain continuous PCI DSS compliance. Review our management packages for subscription-based support.

Cardholder Data Environment (CDE) Scoping: Reducing Compliance Burden

The scope of your PCI DSS assessment is determined by your Cardholder Data Environment (CDE)—all system components that store, process, or transmit cardholder data, plus any system that can impact the security of the CDE. Reducing CDE scope is the single most effective way to lower compliance costs and complexity.

What's In Scope

  • System components: Servers, network devices, applications, databases storing or processing cardholder data
  • Connected systems: Any system on the same network segment as CDE components
  • Security systems: Firewalls, IDS/IPS, authentication servers, logging systems protecting CDE
  • People: Employees, contractors, third parties with access to CDE
  • Processes: Procedures, policies, and controls related to cardholder data handling

Network Segmentation Strategies

Network segmentation isolates the CDE from other networks using firewalls, VLANs, and access controls. Proper segmentation dramatically reduces the number of systems subject to PCI DSS requirements.

Effective Segmentation Example: E-Commerce Platform

In Scope (CDE):

  • Payment processing server (receives encrypted card data)
  • Firewall protecting payment server
  • Database storing encrypted PANs for recurring billing
  • Payment gateway API integration

Out of Scope (Segmented):

  • Product catalog and inventory systems
  • Customer relationship management (CRM)
  • Marketing automation and analytics
  • Employee workstations and internal systems
  • Order management system (stores order IDs and tokens, not PANs)

Result: 5 in-scope systems instead of 50+, reducing annual compliance costs by $30,000-$60,000.
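To make the "What's In Scope" rules and the segmentation example above concrete, here is an added scope calculator (not the guide's tooling) that classifies a constructed inventory as CDE, connected-to, security-impacting or out of scope, and contrasts it with the same systems on one flat network. It assumes the segment labels reflect working segmentation, which is exactly what the annual segmentation test has to prove.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    segment: str                        # network segment / VLAN the system sits on
    handles_chd: bool = False           # stores, processes or transmits cardholder data
    protects: frozenset = frozenset()   # systems this security control secures


def classify_scope(inventory):
    """Apply the three scoping rules from the guide and return each category."""
    names = {s.name for s in inventory}
    # Rule 1: the CDE proper.
    cde = {s.name for s in inventory if s.handles_chd}
    cde_segments = {s.segment for s in inventory if s.name in cde}
    # Rule 2: "connected-to" systems share a segment with a CDE component and are
    # in scope even though they never see a PAN.
    connected = {s.name for s in inventory if s.segment in cde_segments} - cde
    in_scope = cde | connected
    # Rule 3: security-impacting systems (firewalls, IDS/IPS, auth, logging)
    # that protect anything already in scope.
    security = {s.name for s in inventory if s.protects & in_scope} - in_scope
    in_scope |= security
    return {
        "cde": sorted(cde),
        "connected_to": sorted(connected),
        "security_impacting": sorted(security),
        "out_of_scope": sorted(names - in_scope),
    }


def in_scope_count(inventory) -> int:
    scope = classify_scope(inventory)
    return len(scope["cde"]) + len(scope["connected_to"]) + len(scope["security_impacting"])


def flatten(inventory, segment="corp"):
    """The un-segmented 'before' picture: every system on one flat network."""
    return [System(s.name, segment, s.handles_chd, s.protects) for s in inventory]


CDE_HOSTS = frozenset({"payment-server", "payment-db", "gateway-client"})

# Constructed inventory modelled on the guide's e-commerce example.
SEGMENTED = [
    System("payment-server", "cde-vlan", handles_chd=True),   # receives encrypted card data
    System("payment-db", "cde-vlan", handles_chd=True),       # encrypted PANs for recurring billing
    System("gateway-client", "cde-vlan", handles_chd=True),   # payment gateway API integration
    System("cde-firewall", "cde-edge", protects=CDE_HOSTS),   # firewall protecting the payment tier
    System("catalog", "corp"),
    System("crm", "corp"),
    System("marketing", "corp"),
    System("workstations", "corp"),
    System("order-mgmt", "corp"),   # holds order IDs and tokens, never PANs
]

if __name__ == "__main__":
    for label, inv in (("segmented", SEGMENTED), ("flat", flatten(SEGMENTED))):
        print(label, in_scope_count(inv), "in scope:", classify_scope(inv))
```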

Outsourcing to Reduce Scope

The most effective scope reduction strategy is outsourcing payment processing to PCI DSS Level 1 Service Providers. Options include:

  • Hosted payment pages: Customer redirected to payment provider site for card entry (qualifies for SAQ A)
  • Payment iframes: Payment form embedded in your site but hosted by provider (may qualify for SAQ A)
  • Point-to-point encryption (P2PE): Card data encrypted at payment terminal, decrypted only at processor
  • Tokenization: Replace stored PANs with tokens that have no value outside your environment

Scope Reduction ROI

Network segmentation and payment tokenization can significantly reduce in-scope systems. For example, reducing in-scope systems from 40 to 6 could decrease annual compliance costs by $20,000-$30,000 depending on your environment. Our scoping assessment identifies similar opportunities in your environment.

PCI DSS 4.0 Implementation Timeline: Your Roadmap to Compliance

Achieving initial PCI DSS compliance typically requires 6-12 months depending on your starting point, organization size, and CDE complexity. Here's a proven implementation roadmap:

Phase 1: Assessment & Planning (Weeks 1-4)

  • Determine merchant level and applicable SAQ type
  • Document CDE scope (systems, networks, people, processes)
  • Conduct gap assessment against all applicable PCI DSS requirements
  • Prioritize remediation activities based on risk and compliance deadline
  • Develop project plan with resource allocation and budget
  • Assign security coordinator and assemble implementation team

Our PCI DSS readiness assessment provides comprehensive gap analysis and remediation roadmap. Typical engagement: 2-3 weeks, $15,000-$25,000 depending on complexity.

Phase 2: Remediation & Implementation (Months 2-6)

  • Implement network segmentation to isolate CDE
  • Deploy and configure firewalls, IDS/IPS, web application firewalls
  • Implement multi-factor authentication for all CDE access
  • Harden system configurations according to CIS Benchmarks
  • Deploy encryption for cardholder data at rest and in transit
  • Implement centralized logging and security monitoring
  • Develop and document all required policies and procedures
  • Conduct security awareness training for all personnel
  • Establish vendor management program for third-party service providers

This phase typically consumes 60-80% of total project time and budget. Organizations often engage vCISO services to provide expert guidance without full-time security staff costs.

Phase 3: Testing & Validation (Months 5-7)

  • Conduct internal vulnerability scans of all CDE systems
  • Engage Approved Scanning Vendor (ASV) for external quarterly scans
  • Perform or procure annual penetration testing (internal and external)
  • Test network segmentation controls to verify isolation
  • Review and test incident response procedures
  • Validate all security controls are operating effectively
  • Remediate any findings from scans or penetration tests
  • Re-scan and re-test until all requirements pass

Our PCI DSS penetration testing services meet all requirements for annual network and application testing. See testing pricing.

Phase 4: Validation & Attestation (Months 7-8)

  • Complete applicable SAQ or engage QSA for on-site assessment (Level 1)
  • Compile all required evidence and documentation
  • Conduct internal compliance review to verify readiness
  • Submit SAQ or ROC to acquiring bank
  • Executive signs Attestation of Compliance (AOC)
  • Submit quarterly ASV scan reports to acquirer
  • Receive compliance validation from acquirer

Many organizations engage compliance consultants to complete SAQ validation and compile evidence, ensuring accuracy and completeness.

Ongoing: Continuous Compliance (Year-Round)

  • Quarterly ASV vulnerability scans
  • Quarterly internal vulnerability scans
  • Annual penetration testing
  • Annual policy reviews and updates
  • Annual SAQ or QSA assessment renewal
  • Continuous monitoring of security controls and logs
  • Regular security awareness training
  • Vendor compliance reviews and attestation collection

Maintaining PCI DSS compliance requires dedicated ongoing effort. Our managed compliance services provide year-round support including quarterly reviews, testing coordination, and policy management. Review our annual management packages.

PCI DSS Compliance Cost Breakdown: Budgeting for Success

PCI DSS compliance costs vary significantly based on merchant level, CDE complexity, and starting security posture. Here's a comprehensive breakdown to support budget planning:

Annual Cost Components (All Merchant Levels)

Assessment & Validation

  • Level 1: QSA on-site assessment: $25,000-$50,000
  • Level 2-4: SAQ completion support: $5,000-$15,000 (if using consultant)
  • Internal compliance management: $10,000-$30,000 (vCISO or staff time)

Quarterly Vulnerability Scanning

  • ASV external scans: $2,000-$8,000 annually (4 quarters)
  • Internal vulnerability scanning: $3,000-$10,000 (tools + labor)

Annual Penetration Testing

  • External penetration test: $10,000-$25,000
  • Internal penetration test: $8,000-$20,000
  • Web application testing: $8,000-$20,000 (if applicable)
  • Network segmentation testing: $5,000-$15,000

View our PCI DSS penetration testing services and pricing packages for comprehensive testing solutions.

Technology & Tools

  • Web Application Firewall (WAF): $3,000-$15,000
  • Security Information and Event Management (SIEM): $5,000-$30,000
  • Multi-factor authentication (MFA): $2,000-$10,000
  • Encryption solutions: $2,000-$10,000
  • Vulnerability management platform: $3,000-$12,000
  • Payment tokenization service: $5,000-$20,000

Initial Implementation (First Year Only)

  • Gap assessment and scoping: $10,000-$25,000
  • Network segmentation design and implementation: $15,000-$50,000
  • Security control remediation: $20,000-$100,000
  • Policy and procedure development: $5,000-$15,000

First-year costs typically run 50-100% higher than ongoing annual compliance due to initial remediation work. Our compliance readiness assessment provides accurate cost estimates for your specific environment.

Level 1 Merchant

First Year: $150,000-$250,000

Ongoing Annual: $50,000-$100,000

Includes QSA assessment, comprehensive testing, advanced security tools, and dedicated security staff or vCISO.

Level 2 Merchant

First Year: $75,000-$125,000

Ongoing Annual: $25,000-$50,000

Includes SAQ validation, penetration testing, quarterly scans, and part-time vCISO or compliance consultant.

Level 3 Merchant

First Year: $40,000-$75,000

Ongoing Annual: $15,000-$35,000

Includes SAQ completion, quarterly ASV scans, limited penetration testing, and basic security tools.

Level 4 Merchant

First Year: $15,000-$35,000

Ongoing Annual: $5,000-$15,000

Includes SAQ A completion, minimal scanning, and focus on outsourcing payment processing to minimize scope.

Cost Optimization Strategies

Smart merchants reduce PCI DSS compliance costs by 40-60% through strategic decisions:

  • Implement network segmentation to minimize in-scope systems
  • Use payment tokenization and hosted payment pages (qualify for SAQ A)
  • Deploy point-to-point encryption (P2PE) for payment terminals
  • Leverage vCISO services instead of full-time security executives
  • Bundle penetration testing with annual compliance assessment
  • Use cloud-based security tools (WAF, SIEM) to reduce infrastructure costs

Contact our advisory team for a customized cost analysis and optimization roadmap based on your specific merchant level and environment.

Common PCI DSS Compliance Failures: What Auditors Find Most Often

Based on thousands of PCI DSS assessments, certain requirements consistently trip up merchants. Understanding these common pitfalls helps you avoid costly remediation cycles and compliance delays.

1. Incomplete or Inaccurate CDE Scope Documentation

The Issue: Organizations fail to identify all systems, networks, and people with access to cardholder data. Missing even one system creates a compliance gap and potential breach vector.

The Fix: Conduct comprehensive data flow analysis documenting every touch point for cardholder data. Include: where data enters, how it's transmitted, where it's stored, who accesses it, and how it exits your environment. Update quarterly as environment changes.

2. Network Segmentation Not Tested or Validated

The Issue: Merchants implement firewalls but never test whether segmentation actually works. Penetration testers routinely break through "segmented" networks during assessments.

The Fix: Annual penetration testing must specifically validate network segmentation controls. Test from both internal and external perspectives to confirm CDE isolation. Document all network flows and test firewall rules quarterly. See our segmentation testing services.

3. Multi-Factor Authentication Not Fully Deployed

The Issue: PCI DSS 4.0 requires MFA for ALL access into CDE, not just remote access. Many organizations miss service accounts, API access, and internal administrative access.

The Fix: Implement MFA for: VPN access, administrative access to CDE systems, application access to cardholder data, API authentication, jump boxes and privileged access workstations. No exceptions.

4. Inadequate Vendor Management and Third-Party Oversight

The Issue: Organizations don't maintain a list of service providers with access to cardholder data, don't collect PCI DSS attestations, and don't include security requirements in contracts.

The Fix: Maintain vendor inventory with PCI DSS compliance status. Collect annual AOCs or SAQs from all service providers. Include PCI DSS compliance requirements in all contracts. Conduct annual vendor risk reviews. Our vendor risk management guide provides detailed procedures.

5. Log Monitoring Not Implemented or Ineffective

The Issue: Logs are collected but never reviewed. No alerting on suspicious activities. No documented evidence of daily log review as required by PCI DSS.

The Fix: Implement SIEM or log management tool with automated alerting. Define specific events requiring immediate investigation (failed login attempts, privilege escalation, unauthorized access). Document daily log review process and retain evidence. Assign responsibility for log monitoring.
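The daily log review that Requirement 10 and item 5 above call for, as an added example on constructed syslog-style lines from a CDE host (not the guide's own tooling): it flags failed-login bursts, a login that succeeds after repeated failures, and sudo to root by anyone outside an assumed admin allow-list, and produces the review record an assessor asks for. The thresholds, host name, accounts and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ")
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")

BURST_THRESHOLD = 5        # failures from one source ...
BURST_WINDOW_S = 60        # ... within this many seconds
PRIOR_FAIL_THRESHOLD = 3   # failures that make a later success suspicious ...
PRIOR_WINDOW_S = 600       # ... if they happened within this window
CDE_ADMINS = {"alice"}     # assumed personnel approved for root on CDE hosts


def parse_ts(stamp: str, year: int = 2025) -> datetime:
    """Syslog stamps carry no year; the year is an assumption for the demonstration."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def review_auth_log(lines, admins=CDE_ADMINS):
    """Return alerts as dicts, in the order the triggering lines were seen."""
    alerts = []
    failures = defaultdict(deque)   # source address -> timestamps of recent failures
    burst_reported = set()
    for line in lines:
        head = TS_RE.match(line)
        if not head:
            continue
        ts, host = parse_ts(head.group(1)), head.group(2)
        if fail := FAIL_RE.search(line):
            _user, src = fail.groups()
            window = failures[src]
            window.append(ts)
            while (ts - window[0]).total_seconds() > PRIOR_WINDOW_S:
                window.popleft()
            burst = sum(1 for t in window if (ts - t).total_seconds() <= BURST_WINDOW_S)
            if burst >= BURST_THRESHOLD and src not in burst_reported:
                burst_reported.add(src)   # one alert per source, not one per extra failure
                alerts.append({"type": "FAILED_LOGIN_BURST", "host": host, "subject": src,
                               "detail": f"{burst} failures within {BURST_WINDOW_S}s"})
        elif ok := ACCEPT_RE.search(line):
            user, src = ok.groups()
            recent = [t for t in failures[src] if (ts - t).total_seconds() <= PRIOR_WINDOW_S]
            if len(recent) >= PRIOR_FAIL_THRESHOLD:
                alerts.append({"type": "SUCCESS_AFTER_FAILURES", "host": host, "subject": src,
                               "detail": f"{user} accepted after {len(recent)} failures"})
        elif esc := SUDO_RE.search(line):
            user, target, cmd = esc.groups()
            if target == "root" and user not in admins:
                alerts.append({"type": "PRIVILEGE_ESCALATION", "host": host, "subject": user,
                               "detail": f"unapproved sudo to root: {cmd.strip()}"})
    return alerts


def daily_review_record(lines, reviewer: str, review_date: str) -> dict:
    """The evidence an assessor asks for: who reviewed what, when, with what result."""
    alerts = review_auth_log(lines)
    return {"date": review_date, "reviewer": reviewer, "lines_reviewed": len(lines),
            "alerts": len(alerts), "types": sorted({a["type"] for a in alerts})}


# Constructed auth log from a CDE host; addresses are from documentation ranges.
SAMPLE_LOG = """\
Jan 14 02:10:58 pay-srv-01 sshd[2201]: Accepted publickey for alice from 10.10.5.20 port 40122 ssh2
Jan 14 02:11:01 pay-srv-01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 14 02:11:03 pay-srv-01 sshd[2212]: Failed password for invalid user test from 203.0.113.7 port 51123 ssh2
Jan 14 02:11:06 pay-srv-01 sshd[2213]: Failed password for root from 203.0.113.7 port 51125 ssh2
Jan 14 02:11:09 pay-srv-01 sshd[2214]: Failed password for svc_deploy from 203.0.113.7 port 51127 ssh2
Jan 14 02:11:12 pay-srv-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status payment-api
Jan 14 02:11:15 pay-srv-01 sshd[2215]: Failed password for svc_deploy from 203.0.113.7 port 51129 ssh2
Jan 14 02:11:30 pay-srv-01 sshd[2216]: Failed password for bob from 198.51.100.9 port 60001 ssh2
Jan 14 02:11:40 pay-srv-01 sshd[2220]: Accepted password for svc_deploy from 203.0.113.7 port 51140 ssh2
Jan 14 02:12:05 pay-srv-01 sudo: svc_deploy : TTY=pts/1 ; PWD=/home/svc_deploy ; USER=root ; COMMAND=/bin/bash
""".splitlines()

if __name__ == "__main__":
    for alert in review_auth_log(SAMPLE_LOG):
        print(alert)
    print(daily_review_record(SAMPLE_LOG, "alice", "2025-01-14"))
```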

6. Quarterly Vulnerability Scans Fail—Then Ignored

The Issue: ASV scans identify high or critical vulnerabilities, but organizations don't remediate before next quarter. Compliance requires four consecutive quarterly passing scans.

The Fix: Treat scan failures as P0 incidents requiring immediate remediation. Re-scan after patching until clean results achieved. Track vulnerability remediation in ticketing system with SLAs: critical (immediately), high (30 days), medium (90 days).

7. Security Policies Exist But Nobody Follows Them

The Issue: Organizations create beautiful policy documents to check compliance boxes, but employees have never read them and don't follow documented procedures.

The Fix: Make policies operational, not just documentation. Integrate policy requirements into workflows and systems (enforce technical controls). Conduct meaningful annual security awareness training, not just checkbox exercises. Test employee knowledge quarterly. Hold managers accountable for team compliance.

8. Using Wrong SAQ Type for Payment Integration

The Issue: Merchants complete SAQ A (22 questions) when their payment integration actually requires SAQ A-EP (181 questions) or SAQ D (329 questions). This is false compliance.

The Fix: Engage qualified assessor or consultant to determine correct SAQ type based on your actual payment processing method, not what you hope qualifies. Document SAQ selection rationale. If using custom payment integration or storing any cardholder data, you likely need SAQ D.

Don't Let Common Failures Derail Your Compliance

These compliance failures are preventable with proper planning, expert guidance, and commitment to security operations. Organizations that treat PCI DSS as an operational security program—not just an annual checkbox—maintain continuous compliance with minimal disruption.

Our PCI DSS readiness assessment identifies these issues before your official validation, giving you time to remediate properly. We also provide ongoing compliance management to prevent compliance drift throughout the year.

How NonaSec Accelerates Your PCI DSS Compliance Journey

Assess

Comprehensive PCI DSS readiness assessment including CDE scoping, gap analysis, SAQ type determination, and prioritized remediation roadmap.

Readiness Assessment →

Test

Annual penetration testing (internal, external, application), network segmentation validation, and quarterly vulnerability scanning—all meeting PCI DSS requirements.

Penetration Testing →

Manage

Ongoing compliance management including quarterly reviews, SAQ completion support, policy updates, employee training, and continuous monitoring.

Compliance Management →

Why Payment Processors Choose NonaSec

Payment Industry Expertise: Deep experience with e-commerce platforms, payment gateways, and financial services compliance

Fixed, Transparent Pricing: No hourly billing surprises—clear packages for every merchant level

Faster Time to Compliance: Proven methodologies accelerate implementation by 30-40%

Continuous Support: Virtual CISO services provide ongoing expertise without full-time costs

Schedule PCI DSS Consultation

Free 30-minute scoping call to discuss your merchant level, current gaps, and compliance timeline

Frequently Asked Questions

How do I determine my PCI DSS merchant level?

Merchant levels are determined by annual transaction volume. Level 1: 6+ million transactions/year (most stringent requirements, on-site QSA audits). Level 2: 1-6 million transactions/year (annual SAQ, quarterly network scans). Level 3: 20,000-1 million e-commerce transactions/year (annual SAQ, quarterly scans). Level 4: Under 20,000 e-commerce or under 1 million total transactions/year (annual SAQ). Each card brand (Visa, Mastercard, etc.) may have slightly different thresholds.

What is the difference between SAQ A, A-EP, C, and D?

SAQ (Self-Assessment Questionnaire) types determine which PCI DSS requirements you must validate. SAQ A (22 questions): Fully outsourced e-commerce with no cardholder data storage. SAQ A-EP (181 questions): E-commerce with partial outsourcing. SAQ C (160 questions): Payment terminals only, no e-commerce. SAQ D (329 questions): All other merchants and service providers, covers all 12 PCI DSS requirements. Most e-commerce businesses use SAQ A or A-EP.

How long does PCI DSS 4.0 compliance take to achieve?

Expect 6-12 months for initial PCI DSS 4.0 compliance. Timeline includes: gap assessment and scoping (2-4 weeks), remediation of control gaps (3-6 months), documentation and policy development (4-8 weeks), quarterly vulnerability scans (3 months minimum), annual penetration testing (2-4 weeks), and final validation with QSA or completion of SAQ (2-4 weeks). Organizations with strong existing security programs may achieve compliance faster, while those starting from scratch need 12+ months.

What does PCI DSS compliance cost for e-commerce businesses?

PCI DSS costs vary significantly by merchant level. Level 1 merchants: $50,000-$100,000 annually (QSA on-site audits, quarterly scans, annual penetration tests, remediation). Level 2 merchants: $25,000-$50,000 annually (SAQ validation, quarterly ASV scans, penetration testing). Level 3 merchants: $15,000-$35,000 annually (SAQ completion, scanning, limited testing). Level 4 merchants: $5,000-$15,000 annually (SAQ and basic scanning). Initial year costs are typically 50-100% higher due to remediation and implementation work.

Do I need a QSA or can I use an ISA for PCI DSS validation?

QSA (Qualified Security Assessor) requirements depend on your merchant level and card brand. Level 1 merchants: QSA required for on-site annual assessments. Level 2-4 merchants: Can typically self-assess using SAQs, though some acquirers may require QSA validation. ISA (Internal Security Assessor): Company employee trained and certified to conduct internal PCI assessments, can reduce QSA costs but cannot replace QSA for Level 1 validation. Many Level 2 merchants use ISAs for quarterly reviews and QSAs for annual validation.

Ready to Achieve PCI DSS 4.0 Compliance?

Whether you're starting your compliance journey or maintaining continuous validation, NonaSec provides expert guidance and proven methodologies to protect your payment processing operations.