The Payment Card Industry Data Security Standard (PCI DSS) is mandatory for organisations that process, store, or transmit cardholder data. Version 4.0, released in 2024 with updates through 2025, introduces new requirements and more flexibility in how controls are implemented.
Requirement 1 focuses on installing and maintaining network security controls, such as firewalls and segmentation, to protect the cardholder data environment (CDE). It emphasises controlling network connections between trusted and untrusted networks and mitigating the risk of devices connecting to both untrusted networks and the CDE.
Other requirements include protecting stored cardholder data through strong encryption, implementing strong access control measures, and regularly monitoring and testing networks. Version 4.0 introduces targeted risk analyses, allowing entities to tailor controls based on their environment while demonstrating that security objectives are met.
The standard also expands multi‑factor authentication requirements to all access into the CDE, aligning with NIST’s MFA guidance. Compliance requires collaboration between IT, finance, and legal teams. Organisations should segment the CDE, maintain an inventory of system components, configure firewalls according to PCI guidelines, and monitor for unauthorised traffic.
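As an added illustration (not code from the article, the PCI SSC, or any vendor's tooling), a small Python check over a constructed component inventory and firewall rule list that flags the two Requirement 1 conditions named above: allow rules that admit untrusted sources into the CDE, and devices attached to both an untrusted network and the CDE. The CDE range, the trusted internal range, and every rule and host record are constructed placeholders.

```python
import ipaddress

# Constructed scope: the CDE subnet and one trusted internal LAN (placeholders).
CDE = ipaddress.ip_network("10.10.0.0/24")
TRUSTED = [CDE, ipaddress.ip_network("10.20.0.0/16")]


def is_trusted(net: ipaddress.IPv4Network) -> bool:
    """A network is trusted only if it lies entirely inside a trusted zone.
    Deliberately avoids is_private(): 0.0.0.0/0 reports as private in Python."""
    return any(net.subnet_of(zone) for zone in TRUSTED)


def untrusted_to_cde_rules(rules: list[dict]) -> list[str]:
    """IDs of allow rules whose source is not fully trusted and whose
    destination touches the CDE. Each rule: {'id', 'src', 'dst', 'action'}."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if not is_trusted(src) and dst.overlaps(CDE):
            findings.append(rule["id"])
    return findings


def dual_homed_hosts(inventory: list[dict]) -> list[str]:
    """Names of hosts with one interface in the CDE and another on an
    untrusted network. Each host: {'name', 'addrs': [ip, ...]}."""
    flagged = []
    for host in inventory:
        nets = [ipaddress.ip_network(a + "/32") for a in host["addrs"]]
        in_cde = any(n.subnet_of(CDE) for n in nets)
        on_untrusted = any(not is_trusted(n) for n in nets)
        if in_cde and on_untrusted:
            flagged.append(host["name"])
    return flagged


# Constructed sample data: R2 and R4 admit untrusted sources into the CDE;
# edge-01 sits on both the CDE and a public network.
RULES = [
    {"id": "R1", "src": "10.20.0.0/16", "dst": "10.10.0.0/24", "action": "allow"},
    {"id": "R2", "src": "0.0.0.0/0", "dst": "10.10.0.10/32", "action": "allow"},
    {"id": "R3", "src": "0.0.0.0/0", "dst": "10.10.0.0/24", "action": "deny"},
    {"id": "R4", "src": "198.51.100.0/24", "dst": "10.10.0.0/24", "action": "allow"},
]
INVENTORY = [
    {"name": "pos-db-01", "addrs": ["10.10.0.10"]},
    {"name": "jump-01", "addrs": ["10.20.1.5", "10.10.0.20"]},
    {"name": "edge-01", "addrs": ["10.10.0.30", "203.0.113.8"]},
]

if __name__ == "__main__":
    print("untrusted -> CDE allow rules:", untrusted_to_cde_rules(RULES))
    print("dual-homed hosts:", dual_homed_hosts(INVENTORY))
```

Such a check is only as good as the inventory it is run against, which is why Requirement 1 and the inventory requirement reinforce each other.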
Using a platform like Scrut Automation can simplify evidence collection and track compliance status across controls. Remember that PCI compliance is not a one‑time project but an ongoing programme requiring continuous assessment and improvement.
