← All frameworks
International INTERNATIONAL · 8 Policy & Process · International (card industry)

PCI DSS 4.0.1

PCI DSS 4.0.1 (Payment Card Industry Data Security Standard)

4.0.1

66 controls · 14 domains
Mandatory for: Contractual (card brands / acquirers)
Start assessment in platform →

About this framework

PCI DSS is the security standard for any business that handles payment card data. Set by the major card brands, it lays out requirements for protecting cardholder information across networks, systems, and processes.

Who needs this

Mandatory for any business that stores, processes, or transmits payment card data.

Cross-framework coverage

Controls in PCI DSS 4.0.1 also cover:

NCA ECC-2 21 shared
Qatar NIA 21 shared
ADHICS 20 shared
ISO 27001 20 shared
NCA OTCC 20 shared

See how PCI DSS 4.0.1 connects to the rest → the Security Universe

Control domains

1 · Install and Maintain Network Security Controls 5
1.1
Processes and mechanisms for installing and maintaining network security controls are defined and understood.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusNCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIAUAE IAISO 27001
1.2
Network security controls (NSCs) are configured and maintained.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusNCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIAUAE IAISO 27001
1.3
Network access to and from the cardholder data environment is restricted.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusNCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIAUAE IAISO 27001
1.4
Network connections between trusted and untrusted networks are controlled.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusNCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIAUAE IAISO 27001
1.5
Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusNCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIAUAE IAISO 27001
2 · Apply Secure Configurations to All System Components 3
2.1
Processes and mechanisms for applying secure configurations to all system components are defined and understood.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
2.2
System components are configured and managed securely.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
2.3
Wireless environments are configured and managed securely.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
3 · Protect Stored Account Data 7
3.1
Processes and mechanisms for performing activities in Requirement 3 are defined and understood.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
3.2
Storage of account data is kept to a minimum.
CJISADHICSCIS ControlsGDPR (EU)ISO 27001NCA ECC-2NCA OTCCNIST CSFPDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCC
3.3
Sensitive authentication data is not stored after authorization.
CJISADHICSCIS ControlsGDPR (EU)ISO 27001NCA ECC-2NCA OTCCNIST CSFPDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCC
3.4
Access to displays of full PAN and ability to copy PAN are restricted.
CJISADHICSCIS ControlsGDPR (EU)ISO 27001NCA ECC-2NCA OTCCNIST CSFPDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCCCyber EssentialsCyber Essentials PlusHIPAA Security RuleNIS2SAMA CSF
3.5
PAN is secured wherever it is stored.
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
3.6
Cryptographic keys used to protect stored account data are secured.
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
3.7
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
4 · Protect Cardholder Data with Strong Cryptography During Transmission 2
4.1
Processes and mechanisms for performing activities in Requirement 4 are defined and understood.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
4.2
PAN is protected with strong cryptography during transmission.
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
5 · Protect All Systems and Networks from Malicious Software 4
5.1
Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusISO 27001NCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIAUAE IA
5.2
Malicious software (malware) is prevented, or detected and addressed.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusISO 27001NCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIAUAE IA
5.3
Anti-malware mechanisms and processes are active, maintained, and monitored.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusISO 27001NCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIAUAE IADORAGDPR (EU)HIPAA Security RuleNIS2PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021SAMA CSFUK GDPR
5.4
Anti-phishing mechanisms protect users against phishing attacks.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusNCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIAUAE IAISO 27001
6 · Develop and Maintain Secure Systems and Software 5
6.1
Processes and mechanisms for developing and maintaining secure systems and software are defined and understood.
CJISCIS ControlsNCA ECC-2UAE IAADHICSISO 27001NCA CCCQatar NIASAMA CSF
6.2
Bespoke and custom software is developed securely.
CJISCIS ControlsNCA ECC-2UAE IAADHICSISO 27001NCA CCCQatar NIASAMA CSF
6.3
Security vulnerabilities are identified and addressed.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFQatar NIASAMA CSFUAE IA
6.4
Public-facing web applications are protected against attacks.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusNCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIAUAE IAISO 27001
6.5
Changes to all system components are managed securely.
NCA OTCCQatar NIAUAE IAISO 27001NCA CCCNCA ECC-2
7 · Restrict Access to System Components and Cardholder Data by Business Need to Know 3
7.1
Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
7.3
Logical access to system components and data is managed via an access control system(s).
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
7.2
Access to system components and data is appropriately defined and assigned.
8 · Identify Users and Authenticate Access to System Components 6
8.2
User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.
CJISADHICSCIS ControlsHIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIASAMA CSFUAE IA
8.3
Strong authentication for users and administrators is established and managed.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
8.4
Multi-factor authentication (MFA) systems are configured to prevent misuse.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
8.5
Multi-factor authentication is implemented to secure access to the CDE.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
8.6
Use of application and system accounts and associated authentication factors are strictly managed.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
8.1
Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.
9 · Restrict Physical Access to Cardholder Data 5
9.1
Processes and mechanisms for performing activities in Requirement 9 are defined and understood.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
9.2
Physical access controls manage entry into the cardholder data environment.
ADHICSHIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIASAMA CSFUAE IA
9.3
Physical access to the cardholder data environment for personnel and visitors is authorized and managed.
ADHICSHIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIASAMA CSFUAE IA
9.4
Media with cardholder data is securely stored, accessed, distributed, and destroyed.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
9.5
Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.
ADHICSHIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIASAMA CSFUAE IA
10 · Log and Monitor All Access to System Components and Cardholder Data 7
10.1
Processes and mechanisms for performing activities in Requirement 10 are defined and understood.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
10.2
Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
10.3
Audit logs are protected from destruction and unauthorized modifications.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRDORANCA CCC
10.4
Audit logs are reviewed to identify anomalies or suspicious activity.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
10.5
Audit log history is retained and available for analysis.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
10.6
Time-synchronization mechanisms support consistent time settings across all systems.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
10.7
Failures of critical security control systems are detected, reported, and responded to promptly.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
11 · Test Security of Systems and Networks Regularly 6
11.1
Processes and mechanisms for performing activities in Requirement 11 are defined and understood.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
11.2
Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
11.3
External and internal vulnerabilities are regularly identified, prioritized, and addressed.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFQatar NIASAMA CSFUAE IA
11.4
External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFQatar NIASAMA CSFUAE IA
11.5
Network intrusions and unexpected file changes are detected and responded to.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
11.6
Unauthorized changes on payment pages are detected and responded to.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
12 · Support information security with organizational policies and programs 10
12.1
A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
12.2
Acceptable use policies for end-user technologies are defined and implemented.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
12.3
Targeted risks to the cardholder data environment are formally identified, evaluated, and managed.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
12.4
PCI DSS compliance is managed.
CJISCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRADHICS
12.5
PCI DSS scope is documented and validated.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
12.6
Security awareness education is an ongoing activity
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFQatar NIASAMA CSFUAE IAUK GDPR
12.7
Personnel are screened to reduce risks from insider threats.
NCA ECC-2NCA OTCCNIS2Qatar NIAUAE IAADHICSISO 27001NCA CCCSAMA CSF
12.8
Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
12.9
Third-party service providers (TPSPs) support their customers’ PCI DSS compliance.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
12.10
Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
A1 · Additional PCI DSS Requirements for Multi-Tenant Service Providers 2
A1.1
Multi-tenant service providers protect and segregate all customer environments and data.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
A1.2
Multi-tenant service providers facilitate logging and incident response for all customers.
CJISADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCC
A2 · Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections 1
A2.1
POI terminals using SSL and/or early TLS are confirmed as not susceptible to known SSL/TLS exploits.

Ready to assess against PCI DSS 4.0.1?

Start free trial →