What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements established by the PCI Security Standards Council (PCI SSC) — founded by American Express, Discover, JCB, Mastercard, and Visa. PCI DSS v4.0, released in March 2022, is now the active standard (v3.2.1 retired March 2024).
Compliance is mandatory for any organisation that stores, processes, or transmits cardholder data — regardless of transaction volume. Non-compliance can result in fines, increased transaction fees, and loss of card acceptance rights.
PCI DSS Compliance Levels
- Level 1 — Merchants processing over 6 million transactions/year; requires an annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) and a quarterly network scan.
- Level 2 — 1–6 million transactions/year; annual Self-Assessment Questionnaire (SAQ) and quarterly scan.
- Level 3 — 20,000–1 million e-commerce transactions/year; annual SAQ and quarterly scan.
- Level 4 — Under 20,000 e-commerce transactions/year or up to 1 million other transactions/year; annual SAQ recommended.
PCI DSS v4.0 Key Changes
- Customised approach option for organisations with mature controls
- New requirements for phishing-resistant MFA
- Expanded requirements for e-commerce and payment page security (Requirement 6.4)
- New targeted risk analysis requirements
- 64 new future-dated requirements (mandatory from March 2025)
BALTUM PCI DSS Engagement
- Scope definition and cardholder data environment (CDE) mapping
- Gap analysis against PCI DSS v4.0 requirements
- Remediation roadmap and control implementation support
- SAQ completion support (SAQ A, A-EP, B, C, D as applicable)
- ROC preparation and QSA coordination for Level 1 merchants
- Quarterly ASV vulnerability scanning coordination
Integration with ISO 27001
PCI DSS and ISO 27001 share significant control overlap across access control, vulnerability management, logging and monitoring, and incident response. BALTUM's integrated programme maps both sets of requirements to a unified control framework — minimising duplication and reducing total compliance cost.