PCI DSS Compliance: Protect Cardholder Data and Avoid Costly Penalties

It depends on how your payment environment is configured. If you use an iFrame or redirect that takes customers to a hosted payment page where all card data entry and processing occurs on the payment processor's systems, and your systems never receive or transmit cardholder data, you may qualify for SAQ A — the simplest validation path with the fewest requirements. However, if your checkout page contains any scripts, your website infrastructure is still in scope under PCI DSS 4.0 because malicious scripts could intercept data entry before it reaches the processor. The SAQ A-EP applies in that scenario. Vigil Cyber conducts a scoping analysis to determine the correct SAQ type and whether your current architecture qualifies.

Non-compliance penalties are assessed by the card brands (Visa, Mastercard, etc.) through the acquiring bank — not by a government agency. Fines typically range from $5,000 to $100,000 per month for merchants that fail to comply. In the event of a confirmed breach, additional fines, mandatory forensic investigations, and potential termination of card processing privileges can follow. Merchants that experience a breach while non-compliant can also face liability for fraudulent transactions on compromised cards. The acquiring bank bears initial liability and will pass costs to the merchant. Cyber insurance policies often exclude or limit coverage for PCI DSS-related liabilities when the organization was non-compliant at the time of breach.

PCI DSS 4.0 introduced 64 new requirements, the most significant of which became mandatory on March 31, 2025. Key additions include: multi-factor authentication is now required for all access into the CDE (expanded from administrative access only); targeted risk analysis is required to justify control implementation decisions; e-commerce and payment page scripts must be managed, with inventory maintained and integrity verified; anti-phishing technology must be deployed; password complexity requirements are enhanced; and encrypted cardholder data in transit must use only TLS 1.2 or higher. Organizations that passed their last assessment under PCI DSS 3.2.1 and have not reviewed the 4.0 additions are now out of compliance.

Network segmentation is the practice of isolating the cardholder data environment (CDE) — the systems that store, process, or transmit cardholder data — from other network segments and systems. PCI DSS does not require segmentation, but without it, every system in your environment is in scope for the assessment. This means every laptop, server, printer, and IoT device must meet PCI DSS requirements. With proper segmentation, only the systems within the isolated CDE are in scope. This dramatically reduces assessment scope, audit cost, and complexity — and limits the blast radius if a breach occurs. Segmentation must be verified through penetration testing to confirm that out-of-scope systems cannot access the CDE.

PCI DSS requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) and quarterly internal vulnerability scans. External scans must achieve a passing result — meaning no vulnerabilities scored 4.0 or higher on the CVSS scale in the CDE. If a scan fails, you must remediate the failing vulnerabilities and rescan until a passing result is achieved. Annual penetration testing is also required, and PCI DSS 4.0 added a requirement for internal penetration testing at least annually or after significant changes. Vigil Cyber manages the scanning program, provides remediation guidance, and coordinates rescans — ensuring passing results without the deadline pressure of a failed scan discovered immediately before assessment.