// Service Brief

PCI DSS Compliance for Cardholder Data Security and Audit Readiness

PCI DSS v4.0 affects more than payment gateways. Merchants, service providers, banks, processors, and payment technology platforms all need controls that protect cardholder data and stand up to formal validation.

// 01 — What Is PCI DSS

The Standard, Its Governance, and Why It Is Contractual

The Payment Card Industry Data Security Standard (PCI DSS) was launched by the major payment brands to unify their card security requirements and reduce fraud in environments that store, process, or transmit cardholder data. Governance is handled by the PCI Security Standards Council (PCI SSC), which maintains and updates the standard and its supporting guidance.

PCI DSS is not a statute. It is a contractual obligation enforced through card brand and acquiring bank agreements. Organisations that fail to comply can face fines, increased transaction fees, mandatory remediation, or loss of card processing privileges.


// 02 — Who It Applies To

Merchant Levels 1-4 and Broader Ecosystem Coverage

Merchant level assignment is typically determined by annual card transaction volume and may vary by card brand or acquiring bank. Validation obligations also vary by brand/acquirer policy.

MERCHANT LEVEL 1

Highest Transaction Volume

Typical threshold: over 6 million card transactions annually (brand-specific criteria can vary).

Validation: annual on-site assessment documented in a Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA), an Attestation of Compliance (AOC), quarterly ASV scans, and ongoing testing evidence.

MERCHANT LEVEL 2

Large Multi-Channel Merchants

Typical threshold: 1 million to 6 million annual transactions.

Validation: annual SAQ or ROC as required by the acquirer, an Attestation of Compliance, and quarterly ASV scanning where applicable.

MERCHANT LEVEL 3

Mid-Size E-commerce Focus

Typical threshold: 20,000 to 1 million annual e-commerce transactions.

Validation: annual SAQ, Attestation of Compliance, and quarterly external vulnerability scanning by an ASV.

MERCHANT LEVEL 4

Small Merchants

Typical threshold: fewer than 20,000 annual e-commerce transactions and up to 1 million total transactions.

Validation: SAQ and scan requirements directed by the acquirer, with baseline control evidence maintained year-round.

Who Else Falls Within PCI DSS Scope?

Service Providers

Managed service providers, hosting providers, call centers, and payment processors that can impact card data security must meet service provider PCI DSS obligations and provide evidence to customers.

Financial Institutions

Acquirers, issuers, and payment institutions are central to enforcement, risk management, and validation oversight across their merchant and partner portfolios.

Technology Vendors

Payment applications, e-commerce platforms, cloud services, and security product vendors may be required to support PCI DSS controls, integration security, and shared responsibility documentation.

// 03 — Primelo Cyber Support

How Primelo Cyber Can Help Your Compliance Journey

Primelo Cyber supports organisations from initial scoping through final validation with a pragmatic, evidence-focused approach aligned to PCI DSS v4.0 and business realities.

STEP 01

Scoping and Data Flow Mapping

Define cardholder data environments, connected systems, and shared responsibilities to prevent costly under-scoping or over-scoping.

STEP 02

Gap Assessment and Prioritization

Assess current controls against v4.0 requirements and build a remediation roadmap based on risk, effort, and audit impact.

STEP 03

Control Implementation Support

Help implement technical and procedural controls across access, logging, vulnerability management, secure development, and third-party governance.

STEP 04

Validation Readiness

Prepare SAQ, ROC, and evidence packs, perform mock assessments, and close gaps before your formal validation window.

Start PCI DSS Assessment