HomeHomeResourcesGuidesPCI DSS Complete Guide
Pillar Guide · Payment Security

PCI DSS Complete Compliance Guide

Everything your organisation needs to know about PCI DSS — from requirements and scoping to QSA selection, v4.0.1 changes, and country-specific context across Asia-Pacific.

4,000+ words
20 min read
Updated Feb 2026
By EIC QSA Team
Start Reading ↓

In This Guide

What You'll Learn

01

All 12 PCI DSS requirements explained in plain language

02

What changed in PCI DSS v4.0.1 and what it means for your business

03

ROC vs AOC vs SAQ — which validation type your org needs

04

How to scope your cardholder data environment correctly

05

Country-specific PCI DSS context for 7 APAC markets

C H A P T E R 0 1

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that all organisations that accept, process, store, or transmit credit card information maintain a secure environment.

PCI DSS was created by the Payment Card Industry Security Standards Council (PCI SSC), founded by American Express, Discover, JCB, Mastercard, and Visa. The standard applies to any organisation that handles cardholder data — regardless of size or transaction volume.

Key distinction:PCI DSS is not a law — it's a contractual requirement imposed by card brands through acquiring banks. Non-compliance can result in fines, increased transaction fees, or loss of card processing privileges.

The current version is PCI DSS v4.0.1, released in March 2022. It replaces v3.2.1 and introduced significant changes including the customised approach, targeted risk analysis requirements, and enhanced authentication mandates.

C H A P T E R 0 2

Who Needs PCI DSS Compliance?

Any organisation that stores, processes, or transmits cardholder data must comply with PCI DSS. This includes:

  • Banks and financial institutionsissuing and acquiring banks that process card transactions
  • Payment processorsthird-party processors handling card data on behalf of merchants
  • Merchantsany business that accepts card payments, from e-commerce platforms to retail stores
  • Fintech companiespayment apps, digital wallets, and payment gateway operators
  • Service providershosting companies, managed security providers, and any entity with access to cardholder data

Your compliance validation type (ROC, SAQ, or AOC) depends on your transaction volume, processing method, and role in the payment chain. We cover this in detail in Chapter 5.

C H A P T E R 0 3

PCI DSS Requirements — All 12 Explained

PCI DSS v4.0.1 organises its requirements into six control objectives and twelve requirements:

Req #RequirementControl Objective
1Install and maintain network security controlsBuild & Maintain Secure Network
2Apply secure configurations to all system componentsBuild & Maintain Secure Network
3Protect stored account dataProtect Account Data
4Protect cardholder data with strong cryptography during transmissionProtect Account Data
5Protect all systems and networks from malicious softwareMaintain Vulnerability Mgmt
6Develop and maintain secure systems and softwareMaintain Vulnerability Mgmt
7Restrict access to system components by business need to knowStrong Access Controls
8Identify users and authenticate access to system componentsStrong Access Controls
9Restrict physical access to cardholder dataStrong Access Controls
10Log and monitor all access to system components and cardholder dataMonitor & Test Networks
11Test security of systems and networks regularlyMonitor & Test Networks
12Support information security with organisational policies and programsInformation Security Policy

Each requirement contains multiple sub-requirements and testing procedures. A QSA (Qualified Security Assessor) evaluates your organisation against every applicable sub-requirement during the assessment.

C H A P T E R 0 4

PCI DSS v4.0.1 — What Changed

PCI DSS v4.0.1 introduced several significant changes from v3.2.1:

Customised Approach

Organisations can now meet PCI DSS objectives through custom controls rather than following prescriptive requirements. This flexibility allows mature security organisations to implement controls that fit their specific environment.

Targeted Risk Analysis

Where v3.2.1 required a single annual risk assessment, v4.0.1 introduces targeted risk analysis for specific requirements — allowing organisations to set the frequency of certain activities based on their risk profile.

Enhanced Authentication

Multi-factor authentication (MFA) requirements have been expanded beyond just remote access to include all access to the cardholder data environment.

Deadline: All future-dated requirements in PCI DSS v4.0.1 become mandatory on 31 March 2025. Organisations that haven't transitioned from v3.2.1 are already non-compliant.

C H A P T E R 0 5

ROC vs AOC vs SAQ — Which Do You Need?

The validation type your organisation requires depends on your transaction volume, processing method, and role in the payment ecosystem. There are three primary validation types...

Free Guide · 4,000+ Words

Continue Reading: PCI DSS Complete Compliance Guide

Enter your work email for instant access — including the full guide and PDF download.

  • All 12 requirements mapped to v4.0 changes
  • ROC vs SAQ decision framework
  • Bangladesh Bank & MAS regulatory notes
  • QSA selection criteria & red flags

No spam, ever. Unsubscribe any time. Privacy Policy.

Continue Exploring

Related Resources

Service Page

PCI DSS Compliance Service

Official QSA assessments with 30–40% faster scoping via Complio. 50+ annual ROC/AOC/SAQ delivered.

Learn More
Blog Article

PCI DSS v4.0.1 — What You Need to Do

Practical breakdown of major v4.0.1 changes including customised approach and targeted risk analysis.

Read Article
Related Guide

Penetration Testing Guide

Pen testing is required under PCI DSS Requirement 11. Learn about CREST methodology and scoping.

Read Guide
Technology

Complio — AI-Powered Data Discovery

Discover cardholder data in 48 hours. Reduce PCI DSS scope by 10–30%.

Learn More
Industry

Banking & Financial Services

PCI DSS for banks — card network mandates, SWIFT CSP, central bank directives.

Learn More
Lead Magnet

PCI DSS v4.0.1 Compliance Checklist

All 12 requirements mapped to v4.0.1 changes. SAQ selector tool. 6-page PDF.

Ready for Your PCI DSS Assessment?

Schedule a scoping call with a PCI QSA assessor. We'll review your cardholder data environment and recommend the right validation pathway.