Payment card data remains one of the most targeted assets by attackers. To reduce the risk of fraud and data breaches, organizations that store, process, or transmit payment card information are required to follow the Payment Card Industry Data Security Standard (PCI DSS).
Merchants, payment facilitators, and any other business that handles cardholder data should be aware of PCI DSS v4.0.1 requirements.
This PCI DSS 4.0 compliance checklist breaks the standard down into its 12 requirements, explains who must comply and what assessors expect, and shows how Varonis can support compliance efforts.
PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is an industry-driven security standard created by the PCI Security Standards Council (PCI SSC), a consortium founded by major card brands including Visa, Mastercard, American Express, Discover, and JCB. Unlike government regulations, PCI DSS is a contractual requirement enforced by payment brands and acquiring banks. Any organization that stores, processes, or transmits cardholder data—or can impact the security of the cardholder data environment (CDE)—must comply.
PCI DSS establishes a minimum baseline of technical and operational controls designed to protect cardholder data, reduce fraud, and improve overall security posture of payment environments.
The current release, PCI DSS v4.0.1, is a limited revision of v4.0 that corrects errors and clarifies wording without adding or removing requirements. PCI DSS v4.0 was retired on December 31, 2024, and the requirements that v4.0 initially designated as future-dated best practices became mandatory on March 31, 2025.
The 12 PCI DSS requirements step-by-step
PCI DSS is structured around 12 core requirements, which are organized into six control objectives. Together, these objectives define how organizations should secure systems, protect data, manage access, and continuously monitor their environments.
- Requirement 1: Install and maintain network security controls. Organizations must use firewalls and other network security controls (NSCs) to protect the cardholder data environment and restrict traffic to only what is necessary.
- Requirement 2: Apply secure configurations to all system components. Vendor default settings and passwords must be changed, and systems must be hardened according to documented secure configuration standards.
- Requirement 3: Protect stored account data. Stored account data must be minimized and retained only for a documented business need, and PAN must be rendered unreadable wherever it is stored (for example with strong cryptography, truncation, tokenization, or keyed hashing).
- Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks. Strong cryptography must be used whenever PAN is transmitted over public or untrusted networks.
- Requirement 5: Protect all systems and networks from malicious software. Organizations must deploy anti-malware controls and keep them updated to defend against evolving threats.
- Requirement 6: Develop and maintain secure systems and software. Systems and applications must be patched in a timely manner, and secure development practices must be followed for bespoke and custom software.
- Requirement 7: Restrict access to system components and cardholder data by business need to know. Access must be limited to individuals with a legitimate business need, following the principle of least privilege.
- Requirement 8: Identify users and authenticate access to system components. Each user must have a unique ID, and strong authentication controls, including MFA for access into the CDE, must be in place.
- Requirement 9: Restrict physical access to cardholder data. Physical safeguards must prevent unauthorized access to systems and media containing cardholder data.
- Requirement 10: Log and monitor all access to system components and cardholder data. Organizations must record and review access to systems and data to detect suspicious activity.
- Requirement 11: Test security of systems and networks regularly. Regular vulnerability scans, penetration testing, and control testing are required to validate security effectiveness.
- Requirement 12: Support information security with organizational policies and programs. Organizations must maintain documented security policies, assign responsibilities, and ensure personnel are trained on security practices.
How do organizations comply with PCI DSS?
In practice, successful compliance efforts should focus on a few core outcomes that span the 12 requirements.
Secure networks and systems
Organizations begin by securing the infrastructure that supports the cardholder data environment. This includes deploying firewalls, defining traffic rules, and hardening systems by removing vendor defaults and applying secure configurations.
In PCI DSS 4.0, organizations must also demonstrate that these controls are documented, reviewed, and maintained over time, not just implemented once.
Protect cardholder data
Organizations must know where cardholder data exists, minimize how long it is retained, encrypt sensitive fields such as PAN, and ensure secure transmission across networks.
PCI DSS 4.0 reinforces the importance of data discovery, scope reduction, encryption, and proper key management. Organizations that cannot reliably locate cardholder data across structured and unstructured systems often struggle to prove compliance or to reduce assessment scope.
Maintain a vulnerability management program
Organizations must protect systems against malware, apply patches in a timely manner, and manage vulnerabilities across applications, databases, and operating systems.
PCI DSS 4.0 adds flexibility in how these requirements are met (the customized approach lets an organization satisfy a requirement's stated objective with controls of its own design, backed by a targeted risk analysis), but it raises expectations around risk-based remediation and continuous validation as environments change.
Implement strong access control measures
Access to cardholder data must be limited to individuals with a legitimate business need. PCI DSS 4.0 places increased emphasis on least-privilege access, ongoing access reviews, and multifactor authentication (MFA), which is now required for all access into the CDE, not only for administrative access.
Compliance requires more than policy documentation. Organizations must be able to show that excessive, unused, or inappropriate access is continuously identified and removed.
Restrict and monitor access
PCI DSS requires both physical and logical access to cardholder data to be controlled and monitored. Organizations must maintain logs that record access to systems and data, synchronize time sources, and retain logs for investigation and audit purposes.
In PCI DSS 4.0, logging and monitoring are no longer treated as passive recordkeeping. Organizations are expected to actively review activity and detect suspicious behavior that could indicate misuse or compromise.
Test controls and maintain governance
Organizations must validate their security posture through vulnerability scans, penetration testing, and other assessment activities. They must also maintain formal security policies, training programs, and governance structures.
PCI DSS 4.0 emphasizes that compliance evidence should be continuously available, not assembled retroactively before an audit.
Why data-centric controls matter for PCI DSS 4.0
Noncompliance with PCI DSS can carry serious consequences. If an organization experiences a data breach and subsequent investigations determine it was noncompliant, fines can range from $5,000 to $10,000 per month until compliance is achieved.
Many of these failures trace back to the same underlying issue: limited visibility into where cardholder data exists, who can access it, and how it is being used. Across the 12 PCI DSS requirements, these gaps make it difficult to consistently enforce controls or prove their effectiveness. PCI DSS 4.0 makes clear that protecting cardholder data requires continuous insight into data location, access risk, and activity, not just perimeter or infrastructure controls. This is why a data-centric approach to security is critical for modern PCI DSS compliance.
How Varonis helps organizations meet PCI DSS requirements
Varonis helps organizations support and operationalize many PCI DSS requirements by giving security and compliance teams continuous visibility into where cardholder data lives, how it is accessed, and how exposure changes over time. This visibility turns high-level requirements into enforceable, auditable data security practices.
Continuously discover and classify sensitive cardholder data
PCI DSS compliance depends on knowing where cardholder data exists—including Primary Account Numbers (PANs) stored outside of traditional payment systems. Varonis continuously discovers and classifies sensitive cardholder data across cloud, SaaS, and on-prem environments, including unstructured data such as file shares and collaboration platforms.
Enforce least privilege access to cardholder data at scale
Varonis limits access to cardholder data by continuously validating who needs access and automatically removing permissions and stale access that introduce unnecessary risk. Behavioral context strengthens access decisions and supports PCI requirements for strong user identification and access restriction.
Monitor and detect suspicious activity around cardholder data
Varonis uses data-centric behavioral analytics to detect abnormal and malicious activity, including unusual access patterns, potential misuse, and insider threats that affect cardholder data. This enables earlier detection and response to compromised identities, while still retaining detailed activity records to support investigations and compliance needs.
Reduce risk with automated remediation
Varonis goes beyond visibility by automatically fixing risk, such as overexposed data, misconfigurations, stale users, and excessive permissions. Varonis uses policy-driven automations to shrink the blast radius and continuously enforce least privilege, removing risk before it can be exploited to access cardholder data.
Provide audit-ready evidence of control effectiveness
Varonis maintains a detailed, searchable audit trail showing data access, permission changes, risk remediation, and security events tied directly to sensitive cardholder data. That trail can be used to demonstrate that PCI DSS controls are operating effectively over time.
Maintain consistent controls across cloud and hybrid environments
Varonis provides unified visibility and control across cloud, SaaS applications, and hybrid environments, ensuring cardholder data remains protected even as it spreads beyond traditional payment systems. This helps organizations maintain consistent PCI controls as their data environment evolves.
Turning PCI DSS requirements into sustainable data security
PCI DSS v4.0.1 raises the bar for how organizations protect payment card data—not just through point-in-time controls, but through continuous visibility, enforcement, and monitoring. As cardholder data spreads across cloud services, SaaS platforms, databases, and collaboration tools, compliance becomes less about checking boxes and more about maintaining control over data risk as it changes.
Ultimately, PCI DSS compliance management is about protecting what matters most: sensitive customer data and organizational trust. With the right data-centric controls in place, organizations can strengthen their security posture, reduce the risk of costly breaches, and stay aligned with evolving PCI requirements—today and as standards continue to mature.