The security standard for cardholder data environments.
The Payment Card Industry Data Security Standard (PCI DSS) is the security standard mandated for all organizations that store, process, or transmit branded payment card data. Version 4.0, released in March 2022, introduced significant new requirements, including the customized approach to meeting requirements, expanded multi-factor authentication requirements, and enhanced anti-phishing controls.
PCI DSS documentation requirements cover all 12 requirements and their sub-requirements: network documentation, access control records, logging policies, security testing documentation, and the Attestation of Compliance (AOC) or Report on Compliance (ROC) submitted to acquiring banks. Merchants and service providers must maintain evidence that all applicable requirements are satisfied and operating effectively.
Firewall configuration documentation, network architecture diagrams, and network security control documentation.
System configuration standards, hardening documentation, and vendor default change records.
Data retention and disposal documentation, cardholder data inventory, and encryption documentation.
Cryptographic protocol documentation and certificate management records.
Vulnerability management program documentation, patch management records, and secure coding documentation.
Access control policy, need-to-know documentation, and user access review records.
Audit log policy, log management procedures, and review records.
Information security policy, risk assessment records, and incident response plan.
Templates and implementation resources for PCI DSS v4.0 are available through the ELDR Institute Knowledge Hub and via direct request.