PCI DSS v4.0.1
The global security standard for organizations that store, process, or transmit payment card data — maintained by the PCI Security Standards Council. Available on the Ultimate plan.
Mandatory security standard for every card payment business
PCI DSS v4.0.1 (Payment Card Industry Data Security Standard) is a globally mandated security standard maintained by the PCI Security Standards Council (PCI SSC), founded by Visa, Mastercard, American Express, Discover, and JCB. It applies to any organisation that stores, processes, or transmits payment card data.
Version 4.0.1 — the current version since March 2024 — moves from a prescriptive, assess-once approach to a continuous security model. Organisations can now use a Customised Approach, meeting the stated objective of a requirement with controls of their own design, rather than following the defined technical requirement word for word.
Non-compliance can result in fines from card brands, increased transaction fees, card acceptance restrictions, and — in the event of a breach — financial liability for fraudulent transactions.
All 12 PCI DSS requirements — what you must implement
Install and maintain network security controls
Firewalls, routers, and network segmentation protecting the cardholder data environment (CDE) from untrusted networks.
Apply secure configurations to all system components
Change vendor defaults, eliminate unnecessary functionality, and document system configuration standards for all CDE components.
Protect stored account data
Limit stored cardholder data. Render PAN unreadable (truncation, tokenisation, or encryption). Never store sensitive authentication data post-authorisation.
Protect cardholder data in transit
Use strong cryptography (TLS 1.2+) for all transmissions of cardholder data across open, public networks. No unencrypted PAN in messaging or email.
Protect all systems against malware
Anti-malware solutions on all systems. Regular scans, log generation, and protection from known malware types including ransomware.
Develop and maintain secure systems and software
Secure SDLC, vulnerability management, web application firewall (WAF), protection against OWASP Top 10 vulnerabilities in public-facing applications.
Restrict access to cardholder data by business need to know
Role-based access control. Access limited to the minimum necessary. Documented access policies and procedures.
Identify users and authenticate access to system components
Unique IDs for all users. MFA for all access to the CDE. Password policy and privileged access management requirements.
Restrict physical access to cardholder data
Physical access controls, video surveillance, visitor logs, and secure disposal of media containing cardholder data.
Log and monitor all access to network resources and cardholder data
Automated audit logs for all CDE access. Log protection and retention (minimum 12 months). Log review and alerting.
Test security of systems and networks regularly
Internal and external vulnerability scanning (quarterly). Annual penetration testing. Intrusion detection/prevention systems. File integrity monitoring.
Support information security with organisational policies and programs
Comprehensive information security policy. Risk assessment. Security awareness training. Incident response plan. Third-party risk management programme.
Which PCI DSS validation level applies to you?
Level 1
More than 6 million card transactions/year. Validation: Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) + quarterly network scan by an Approved Scanning Vendor (ASV)
Large merchants and payment processors
Level 2
1–6 million card transactions/year. Validation: Annual Self-Assessment Questionnaire (SAQ) + quarterly network scan by ASV
Mid-size merchants
Level 3
20,000–1 million e-commerce transactions/year. Validation: Annual SAQ + quarterly network scan by ASV
E-commerce merchants
Level 4
Fewer than 20,000 e-commerce transactions/year, or up to 1 million other card transactions/year. Validation: Annual SAQ (recommended) + quarterly network scan (recommended)
Small merchants
Reduce your PCI DSS scope before you start compliance work
The most effective PCI DSS strategy is reducing the number of systems in scope. These techniques can eliminate most of your compliance burden.
Tokenisation
Replace PANs with tokens so card data never touches your systems. Dramatically reduces CDE scope.
Redirect to payment page
Redirect checkout to a PCI DSS-compliant payment gateway. Your servers never see raw card data.
Network segmentation
Isolate CDE systems from the rest of your network. Limits the number of systems in scope.
Point-to-point encryption (P2PE)
Encrypt card data from capture device to processor. Reduces merchant-side scope significantly.
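The following Python example is an added illustration of the controls named under Requirement 3 (render PAN unreadable, never keep sensitive authentication data after authorisation) and under the tokenisation scope-reduction technique above; it is not code from Unicis, the PCI SSC, or this page. It assumes a six-digit BIN when masking (PCI DSS 4.x allows at most the BIN plus last four to be shown), an in-memory vault standing in for a real tokenisation service inside the CDE, and constructed field names (`cvv`, `pin`, `track1`, `track2`) for the sensitive authentication data to scrub. The test card number is a well-known constructed value, not a real account.

```python
"""PAN protection helpers: Luhn check, display masking, storage truncation,
a toy tokenisation vault, and a post-authorisation scrub of sensitive
authentication data. Added example; not Unicis or PCI SSC code."""
import hmac
import secrets
from typing import Dict, Optional

# Constructed field names assumed to carry sensitive authentication data (SAD).
SAD_FIELDS = ("cvv", "cvc", "pin", "pin_block", "track1", "track2")


def _digits(pan: str) -> str:
    """Normalise a PAN typed with spaces or dashes to its digit string."""
    return "".join(c for c in pan if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn checksum and has a plausible length."""
    d = _digits(pan)
    if not 13 <= len(d) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(d)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan_for_display(pan: str, bin_len: int = 6, trail: int = 4) -> str:
    """Mask for display: keep the BIN (assumed 6 digits) and last four, star the rest."""
    d = _digits(pan)
    if len(d) <= bin_len + trail:       # too short to keep both ends; keep last four only
        return "*" * (len(d) - trail) + d[-trail:]
    return d[:bin_len] + "*" * (len(d) - bin_len - trail) + d[-trail:]


def truncate_pan_for_storage(pan: str) -> str:
    """Irreversible truncation for storage: only the last four digits survive."""
    return _digits(pan)[-4:]


class TokenVault:
    """Toy tokenisation vault. Only the vault holds PANs; the application
    stores the opaque token. A keyed HMAC index lets repeat PANs map to the
    same token without using the PAN itself as a lookup key. In-memory only,
    as an assumption for illustration; a real vault lives inside the CDE."""

    def __init__(self, index_key: Optional[bytes] = None) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_index: Dict[str, str] = {}
        self._index_key = index_key or secrets.token_bytes(32)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), "sha256").hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a random token for a valid PAN; the same PAN yields the same token."""
        d = _digits(pan)
        if not luhn_valid(d):
            raise ValueError("PAN fails Luhn check")
        idx = self._index(d)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        token = "tok_" + secrets.token_hex(16)   # random, so it reveals nothing about the PAN
        self._pan_by_token[token] = d
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; in practice callable only by systems inside the CDE."""
        return self._pan_by_token[token]


def scrub_sad(record: Dict[str, object]) -> Dict[str, object]:
    """Drop sensitive authentication data before a transaction record is persisted."""
    return {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}


if __name__ == "__main__":
    test_pan = "4111 1111 1111 1111"          # constructed test number
    vault = TokenVault()
    tok = vault.tokenize(test_pan)
    print(mask_pan_for_display(test_pan), truncate_pan_for_storage(test_pan), tok)
    print(scrub_sad({"pan_token": tok, "cvv": "123", "amount": 1999}))
```

The application side persists only the token and the truncated last four, which takes its databases out of the cardholder data environment; the vault, which can detokenize, is the component that remains in scope.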
How Unicis supports PCI DSS compliance
Unicis Atlassian Apps
Unicis Platform Modules
Who needs PCI DSS compliance?
Any organisation that stores, processes, or transmits cardholder data — including e-commerce platforms, financial institutions, payment processors, SaaS companies accepting card payments, retail, hospitality, and healthcare billing systems.
Multi-Framework Support
11 Compliance Frameworks Supported
From the minimum viable security baseline to enterprise-grade standards — coverage for every compliance requirement.
Start managing PCI DSS compliance with Unicis
Track all 12 PCI DSS v4.0.1 requirements with automated GAP analysis and evidence collection. Available on the Ultimate plan.
Record of Processing Activities
Transfer Impact Assessment
Privacy Impact Assessment
Cybersecurity Controls
Cybersecurity Risk Management
Interactive Awareness Program