
PCI DSS v4.0.1 Complete Guide

Everything you need to understand, implement, and automate PCI DSS v4.0.1 compliance — from requirements mapping to QSA audit preparation and industry benchmark data.

Key figures

285 test procedures across the 12 principal requirements
64 requirements new in v4.0 compared with v3.2.1
PCI DSS v3.2.1 retired on 31 March 2024
1,600 hours: industry-average assessment effort for a Level 1 Report on Compliance

The 12 PCI DSS v4.0.1 Requirements

PCI DSS v4.0.1 groups its requirements into 12 principal requirements, each serving one of the standard's 6 control objectives. The table below lists each requirement with its objective and the number of controls beneath it.

Req | Requirement Title | Control Objective | Controls
1 | Install and maintain network security controls | Build and Maintain a Secure Network and Systems | 19
2 | Apply secure configurations to all system components | Build and Maintain a Secure Network and Systems | 15
3 | Protect stored account data | Protect Account Data | 24
4 | Protect cardholder data with strong cryptography during transmission over open, public networks | Protect Account Data | 6
5 | Protect all systems and networks from malicious software | Maintain a Vulnerability Management Program | 14
6 | Develop and maintain secure systems and software | Maintain a Vulnerability Management Program | 24
7 | Restrict access to system components and cardholder data by business need to know | Implement Strong Access Control Measures | 16
8 | Identify users and authenticate access to system components | Implement Strong Access Control Measures | 27
9 | Restrict physical access to cardholder data | Implement Strong Access Control Measures | 14
10 | Log and monitor all access to system components and cardholder data | Regularly Monitor and Test Networks | 15
11 | Test security of systems and networks regularly | Regularly Monitor and Test Networks | 17
12 | Support information security with organisational policies and programs | Maintain an Information Security Policy | 23

Deep-Dive Resources

Explore the supporting cluster topics for in-depth guidance on every aspect of PCI DSS compliance.

PCI Audit Process: step-by-step ROC and SAQ assessment guide
PCI Compliance Cost: cost breakdown by organisation size and SAQ type
PCI Evidence Collection: evidence types, retention, and automation
PCI Remediation Workflows: finding closure, tracking, and best practices
PCI Automation: automating compliance for 60% efficiency gains
Run PCI Benchmark: see how your programme compares to 4,700+ organisations

Frequently Asked Questions

What is PCI DSS v4.0.1?

PCI DSS v4.0.1 is the current version of the Payment Card Industry Data Security Standard. Version 4.0, published in March 2022, introduced 64 new requirements, the Customized Approach as an alternative to the prescriptive Defined Approach, and stronger authentication requirements such as multi-factor authentication for all access into the cardholder data environment. Version 4.0.1, published in June 2024, is a limited revision that corrects errors and clarifies guidance; it adds or removes no requirements. The 51 requirements that v4.0 designated as best practice became mandatory on 31 March 2025.

How many requirements does PCI DSS v4.0.1 have?

PCI DSS v4.0.1 has 12 principal requirements, grouped under 6 control objectives, with 285 individual test procedures used to validate them. Of the requirements, 64 are new since v3.2.1.

When did PCI DSS v3.2.1 retire?

PCI DSS v3.2.1 was retired on 31 March 2024, and v4.0 was retired on 31 December 2024. All new assessments must now use v4.0.1.

What is a QSA?

A Qualified Security Assessor (QSA) is an independent assessor, employed by a QSA Company qualified by the PCI Security Standards Council, who validates an organisation's compliance with PCI DSS and produces a Report on Compliance (ROC) and Attestation of Compliance (AOC). A ROC is required for Level 1 merchants and Level 1 service providers; lower levels typically complete a Self-Assessment Questionnaire (SAQ) instead.

How long does a PCI audit take?

A PCI DSS assessment ranges from roughly 40 hours for a merchant completing SAQ A (the smallest self-assessment questionnaire) to 2,000+ hours for a Level 1 ROC, depending on scope, organisation size, evidence-automation maturity, and the number of system components in the cardholder data environment.

What is the average cost of PCI compliance?

Average PCI compliance cost ranges from $15,000–$50,000 for small merchants completing SAQ A to $280,000+ for enterprise Level 1 compliance programmes. The benchmark tool gives you a personalised estimate.

See How Your Programme Compares

Run the PCI Efficiency Benchmark to get your maturity score, estimated audit hours, and industry percentile in 3 minutes.
