PCI-DSS v4.0 Compliance Automation

Automate PCI-DSS Compliance and Penetration Testing

Continuous BAS-powered penetration testing, automated evidence harvesting from AWS, and QSA-ready compliance packages — for merchants and service providers handling cardholder data.

PCI-DSS Requirements: 12
Sub-requirements: 300+
Pen Testing Frequency: Continuous
Active Since: v4.0

All 12 PCI-DSS v4.0 Requirements Covered

From network controls and cryptography through penetration testing and incident response — every requirement mapped, evidenced, and QSA-ready.

Req 1–2

Network Security Controls

CATAAM's iASM scans network exposure, identifies open ports, and validates firewall rule configurations. CIS Benchmark results feed directly into Requirement 2 evidence.

  • Req 1 – Install and maintain network security controls
  • Req 2 – Apply secure configurations to all system components

Req 3–4

Account and Transmission Data Protection

Encryption-at-rest policies (S3, RDS, KMS) and TLS cipher assessments are harvested from AWS automatically. Cipher weaknesses surface as Requirement 4 findings.

  • Req 3 – Protect stored account data
  • Req 4 – Protect cardholder data with strong cryptography during transmission

Req 5–6

Vulnerability Management

BAS continuously tests malware defences and patch levels. GitHub code scanning alerts feed into Requirement 6 secure development evidence. CVE findings are auto-linked.

  • Req 5 – Protect all systems from malicious software
  • Req 6 – Develop and maintain secure systems and software

Req 7–8

Access Control

AWS IAM least-privilege policies, MFA enforcement, and privileged access reviews are harvested continuously and linked to Requirements 7 and 8 controls.

  • Req 7 – Restrict access to system components by business need to know
  • Req 8 – Identify users and authenticate access to system components

Req 9

Physical Access Controls

Physical access control documentation, visitor logs, and media disposal records are stored and linked as PCI-DSS evidence in CATAAM.

  • Req 9 – Restrict physical access to cardholder data

Req 10–11

Logging, Monitoring & Testing

CloudTrail and VPC flow logs are continuously harvested for Requirement 10. BAS provides the continuous penetration testing evidence required by Requirement 11.4.

  • Req 10 – Log and monitor all access to system components and cardholder data
  • Req 11 – Test security of systems and networks regularly

Req 12

Information Security Policies

Policy documentation, risk assessments, and incident response procedures are stored and maintained in CATAAM with version history and review timestamps.

  • Req 12.1 – Comprehensive information security policy
  • Req 12.3 – Risk assessment
  • Req 12.6 – Security awareness program
  • Req 12.10 – Incident response plan

From CDE Scoping to QSA Package in Weeks

Replace annual pen tests and manual evidence collection with continuous automated compliance coverage year-round.

01

Define your Cardholder Data Environment

Identify all systems in scope for PCI-DSS — servers, cloud instances, and services that store, process, or transmit cardholder data. CATAAM auto-discovers AWS resources in scope.

02

Auto-harvest network and access evidence

iASM scans your network perimeter for exposed services. AWS IAM, CloudTrail, and VPC flow logs feed into Requirements 7, 8, and 10 continuously.

03

Run penetration testing via BAS

PCI-DSS Requirement 11.4 mandates penetration testing at least annually and after significant changes. CATAAM's BAS provides continuous, automated pen testing evidence year-round.

04

Generate QSA-ready evidence packages

Export complete PCI-DSS evidence packages for your Qualified Security Assessor — control mappings, evidence attachments, and gap analysis — in a single export.

Continuous Penetration Testing for Requirement 11

PCI-DSS Requirement 11 demands annual penetration testing and quarterly vulnerability scans. CATAAM replaces one-time engagements with continuous BAS — running real attack simulations against your Cardholder Data Environment 365 days a year, producing timestamped evidence that satisfies QSA requirements.

  • Req 11.3.1 – Internal pen testing: AWS IAM escalation, EC2 lateral movement
  • Req 11.3.2 – External pen testing: network exposure, cipher weaknesses
  • Req 11.4.2 – Segmentation testing: CDE isolation validation
  • Req 11.5.1 – Intrusion detection: CloudTrail evasion simulation

# BAS → PCI-DSS Req 11 evidence
PASS IAM escalation blocked → Req 11.3.1 ✓
PASS CDE segmentation validated → Req 11.4.2 ✓
WARN Port 8080 exposed → Req 11.3.2 ⚠
PASS TLS 1.3 enforced → Req 4.2.1 ✓
FAIL Legacy cipher detected → Req 4.2.1 ✗
Continuous scan: last run 4 min ago
QSA evidence package ready →

PCI-DSS Frequently Asked Questions

What is PCI-DSS and who must comply?
PCI-DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to protect cardholder data. Any organisation that stores, processes, or transmits payment card data must comply — merchants, payment processors, service providers, and any entity that handles Primary Account Numbers (PAN). Non-compliance can result in fines of $5,000–$100,000 per month, increased transaction fees, and suspension of card processing privileges.

What is the difference between PCI-DSS SAQ and a QSA assessment?
Smaller merchants with lower transaction volumes can self-assess using a Self-Assessment Questionnaire (SAQ) — a simplified checklist of applicable PCI-DSS requirements. Larger merchants (Level 1: >6 million transactions/year) must undergo an annual on-site assessment by a Qualified Security Assessor (QSA). CATAAM supports both paths — SAQ completion workflows and full QSA-ready evidence packages for Level 1 assessments.

How does CATAAM's BAS satisfy PCI-DSS Requirement 11?
PCI-DSS Requirement 11 mandates regular testing of security controls, including annual penetration testing (Req 11.4) and network vulnerability scans every 90 days (Req 11.3.2). CATAAM's BAS runs continuously — testing AWS IAM privilege escalation, network service exposure, encryption weaknesses, and lateral movement paths. Results are stored as timestamped evidence with CVSS scores and remediation steps, satisfying both the testing and documentation requirements of Req 11.

How does PCI-DSS v4.0 differ from v3.2.1?
PCI-DSS v4.0 (mandatory since March 2024) introduces several significant changes: a new customized approach option allowing alternative controls that meet the security objective; expanded multi-factor authentication requirements (Req 8.4.2, 8.4.3); new requirements for phishing-resistant authentication; targeted risk analyses for select requirements; and 64 future-dated requirements active from March 2025. CATAAM supports v4.0 with updated control mappings and the new targeted risk analysis workflows.

Can CATAAM help reduce the scope of our PCI-DSS Cardholder Data Environment?
Scope reduction is the most effective way to reduce PCI-DSS compliance cost and complexity. CATAAM's iASM continuously maps your cloud environment to identify systems unnecessarily in scope — often misconfigured resources with access to cardholder data environments that should be isolated. Network segmentation validation and attack path analysis help demonstrate to your QSA that out-of-scope systems cannot reach CHD systems.

Ready to Automate Your PCI-DSS Compliance?

14-day free trial. No credit card. QSA-ready evidence in weeks.