Free Tool · 5-Minute Self-Assessment

PCI-DSS v4.0 Readiness Checklist

Twenty practitioner-grade questions to test whether your merchant or service-provider organisation is ready for a PCI-DSS v4.0 SAQ or ROC — covering scope, the 12 requirements, and the v4.0 future-dated controls now in force.

Questions
20
Time
5 min
Output
Score band
Email gate
None

20 questions · 5 minutes · Score band on completion

The Checklist

Answer Honestly. No One Is Watching.

Five sections, twenty yes/no questions. Click Yes only if you can produce the evidence today.

01

Scope & Cardholder Data Flow

PCI scope determines effort. Get this right and you save weeks; get it wrong and you fail the assessment.

1
We have a current data-flow diagram showing where cardholder data is stored, processed, or transmitted across all channels (e-commerce, in-app, POS).
2
Our merchant level (1-4) and the SAQ type we are eligible for (A, A-EP, B, B-IP, C, C-VT, D, P2PE or SPoC) are confirmed in writing with our acquiring bank.
3
Cardholder Data Environment (CDE) is explicitly defined; every connected system is inventoried; segmentation evidence exists.
4
We do not store the PAN after authorisation unless there is a documented business need, and we never store sensitive authentication data (CVV/CVC, full track data, PIN or PIN block) after authorisation; this is verified by a recent data-flow review and a card-data discovery scan of systems claimed to be out of scope.
02

Network, Crypto & Hardening

Requirements 1-4: protect the CDE perimeter, configurations, and data in transit / at rest.

5
Network security controls (firewall, NSG or security-group rules) around the CDE deny all traffic by default and permit only documented, justified flows; rule changes go through change management and the full rule set is reviewed at least every six months (req 1.2.7), quarterly in practice.
6
All systems in the CDE are hardened to a documented baseline (CIS or vendor benchmark); default credentials are removed; configuration drift is monitored and exceptions are ticketed.
7
Stored cardholder data (where any exists) is encrypted using strong cryptography with documented key management: key-encrypting keys held separately from data-encrypting keys, custodian separation of duties, and a rotation schedule.
8
Cardholder data in transit over open, public networks uses TLS 1.2 or later with strong cipher suites (AEAD, forward secrecy); SSL and early TLS are disabled; certificates come from a trusted CA, are inventoried, and are rotated before expiry.
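Worked example for item 8, added to this page (it is not code from the checklist or from any vendor): a Python server-side TLS context that enforces the TLS 1.2 floor and ECDHE + AEAD suites, plus a policy check that names the cipher suites an assessor would flag. SAMPLE_CIPHERS is a constructed list in the shape of SSLContext.get_ciphers() output.

```python
"""
Added example (not from the checklist page): a hardened TLS server context for
a CDE-facing service and a policy check over cipher descriptions as returned
by SSLContext.get_ciphers(). Standard library only; SAMPLE_CIPHERS is a
constructed list in that same shape.
"""
import ssl

# Key-exchange labels OpenSSL reports for forward-secret suites
# ("kx-any" is what TLS 1.3 suites report).
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-any"}


def ssl_context_for_cde() -> ssl.SSLContext:
    """Server context: TLS 1.2 floor, ECDHE + AEAD suites only,
    compression and renegotiation disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.3 suites stay enabled; this string governs TLS 1.2 only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return ctx


def minimum_protocol_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def cipher_weaknesses(cipher: dict) -> list:
    """Policy rules a single cipher description violates (empty = compliant)."""
    problems = []
    if not cipher.get("aead"):
        problems.append("not AEAD (CBC/HMAC construction)")
    if cipher.get("strength_bits", 0) < 128:
        problems.append(f"{cipher.get('strength_bits')}-bit strength")
    if cipher.get("protocol") != "TLSv1.3" and cipher.get("kea") not in FORWARD_SECRET_KEA:
        problems.append(f"no forward secrecy ({cipher.get('kea')})")
    return problems


def weak_ciphers(ciphers) -> dict:
    """Map cipher name -> list of violations, for every non-compliant suite."""
    report = {}
    for cipher in ciphers:
        problems = cipher_weaknesses(cipher)
        if problems:
            report[cipher["name"]] = problems
    return report


# Constructed sample in the shape of SSLContext.get_ciphers(); the "protocol"
# field is the era OpenSSL assigns to a suite, not a negotiable version floor.
SAMPLE_CIPHERS = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "kea": "kx-any",
     "aead": True, "strength_bits": 256},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe",
     "aead": True, "strength_bits": 128},
    {"name": "ECDHE-RSA-AES256-SHA384", "protocol": "TLSv1.2", "kea": "kx-ecdhe",
     "aead": False, "strength_bits": 256},
    {"name": "AES256-SHA", "protocol": "SSLv3", "kea": "kx-rsa",
     "aead": False, "strength_bits": 256},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3", "kea": "kx-rsa",
     "aead": False, "strength_bits": 112},
]

if __name__ == "__main__":
    ctx = ssl_context_for_cde()
    print("floor:", minimum_protocol_name(ctx))
    print("weak suites in hardened context:", weak_ciphers(ctx.get_ciphers()))
    for name, problems in weak_ciphers(SAMPLE_CIPHERS).items():
        print(name, "->", "; ".join(problems))
```

Run weak_ciphers(ctx.get_ciphers()) against the context your service actually builds; a non-empty result is the evidence gap for item 8. OpenSSL labels legacy CBC suites with the protocol era they were defined in ("SSLv3"), not the version they can negotiate, so enforce the protocol floor with minimum_version rather than by reading the cipher list.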
03

Access, Logs & v4.0 specifics

Requirements 7-8 (access), 10 (logs), and the v4.0 future-dated controls now in force.

9
MFA is enforced for all non-console access into the CDE, not only remote access and not only for administrators (v4.0 req 8.4.2 extends it to every user), and the MFA system itself meets req 8.5.1: replay-resistant, no bypass without a documented exception, two or more distinct factor types, and all factors verified before access is granted.
10
Phishing-resistant MFA (FIDO2/WebAuthn or certificate-based) is used for third-party and service-provider access and is in production or on the roadmap for all administrative access. PCI-DSS v4.0 does not mandate phishing resistance, so treat this as a hardening target beyond req 8.5.1 rather than a pass/fail item.
11
Audit logs from all CDE systems are centralised and integrity-protected, retained for at least 12 months with the most recent 3 months immediately available (req 10.5.1), and security events are reviewed daily, with automated tooling where volume requires it (req 10.4.1), under a documented review process.
12
Payment-page scripts are inventoried, each with a written justification and authorisation, and their integrity is assured (SRI, CSP or a script-monitoring service) per req 6.4.3; a change- and tamper-detection mechanism covers the HTTP headers and script content the consumer's browser receives, alerting on unauthorised changes and running at least every seven days or at the frequency set by a targeted risk analysis (req 11.6.1).
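Worked example for item 12, added to this page (it is not code from the checklist, a payment provider or any vendor): a Python audit that inventories every script tag on the served checkout HTML, checks each one against an authorised list carrying Subresource Integrity hashes, and reports unknown, unpinned or altered scripts, which is the evidence trail reqs 6.4.3 and 11.6.1 expect. The HTML, script bodies, hostnames (reserved .invalid TLD) and authorised inventory are all constructed for illustration.

```python
"""
Added example (not from the checklist page): an audit of a payment page's
<script> inventory of the kind requirements 6.4.3 and 11.6.1 call for, meant
to run from CI or a scheduled monitor over the HTML actually served. The page
HTML, the script bodies and the authorised inventory below are constructed
stand-ins; the hostnames use the reserved .invalid TLD and resolve to nothing.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: str, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


class _ScriptCollector(HTMLParser):
    """Collect every <script> element as {src, integrity, inline}."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": None, "integrity": None, "inline": ""}
            for name, value in attrs:
                if name in ("src", "integrity"):
                    self._current[name] = value

    def handle_data(self, data):
        if self._current is not None:
            self._current["inline"] += data  # script bodies may arrive in chunks

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def inventory_scripts(html: str) -> list:
    """Return the ordered list of script tags found in the served page."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def audit_payment_page(html: str, authorised: dict) -> list:
    """Compare the served page against the authorised inventory.

    authorised maps an external src (or the key "inline") to the set of SRI
    hashes approved for it. Returns (severity, message) findings; an empty
    list means every script is known, approved and integrity-pinned.
    """
    findings = []
    for script in inventory_scripts(html):
        if script["src"]:
            allowed = authorised.get(script["src"])
            if allowed is None:
                findings.append(("HIGH", f"unauthorised external script: {script['src']}"))
            elif script["integrity"] is None:
                findings.append(("MEDIUM", f"no integrity attribute: {script['src']}"))
            elif script["integrity"] not in allowed:
                findings.append(("HIGH", f"integrity mismatch: {script['src']}"))
        else:
            digest = sri_hash(script["inline"].strip())
            if digest not in authorised.get("inline", set()):
                findings.append(("HIGH", f"unauthorised inline script: {digest}"))
    return findings


# Constructed fixture: stand-in script bodies, an authorised inventory, and a
# checkout page on which a fourth, unknown script has appeared.
PSP_JS = "/* stand-in for the payment provider's checkout.js */"
ANALYTICS_JS = "/* stand-in for an approved analytics tag */"
INLINE_CONFIG = 'window.checkoutConfig = {currency: "INR"};'

AUTHORISED = {
    "https://js.example-psp.invalid/v3/checkout.js": {sri_hash(PSP_JS)},
    "https://cdn.example-cdn.invalid/analytics.js": {sri_hash(ANALYTICS_JS)},
    "inline": {sri_hash(INLINE_CONFIG)},
}

CHECKOUT_HTML = f"""<!doctype html><html><head>
<script src="https://js.example-psp.invalid/v3/checkout.js"
        integrity="{sri_hash(PSP_JS)}" crossorigin="anonymous"></script>
<script>{INLINE_CONFIG}</script>
<script src="https://cdn.example-cdn.invalid/analytics.js"></script>
<script src="https://static.track-img.invalid/s.js"></script>
</head><body><form id="card-form"></form></body></html>"""

if __name__ == "__main__":
    for severity, message in audit_payment_page(CHECKOUT_HTML, AUTHORISED):
        print(severity, message)
```

Run it from the monitoring job against the page as the consumer's browser receives it (after CDN and tag-manager injection), not against the template in the repository; an inline script that a tag manager rewrote hashes differently and shows up as unauthorised, which is exactly the 11.6.1 alert. Treat a MEDIUM as an inventory gap to close by pinning the hash, and a HIGH as an incident until it is explained.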
04

Testing, Patching & Vulnerability Mgmt

Requirements 6 and 11 — patch SLAs, scans, and pen-test discipline.

13
Quarterly external vulnerability scans by a PCI SSC Approved Scanning Vendor are passing, or failures have been remediated and rescanned to a pass within the quarter; passing scan reports are on file for the last four quarters.
14
Quarterly internal vulnerability scans, repeated after every significant change, are authenticated scans (req 11.3.1.2) and are documented through to rescan and closure; patching is tracked against an SLA of 7 days for critical and 30 days for high findings, which also satisfies the one-month bar in req 6.3.3.
15
An external and internal penetration test was completed within the last 12 months by a qualified tester; where segmentation is relied on to reduce scope it is tested at least annually (every six months for service providers, req 11.4.6); exploitable high and critical findings are remediated and re-tested within 30 days.
16
A formal SDLC with code review, SAST/DAST, and threat modelling is in place for any custom payment-handling code.
05

Service Providers, Policy & Reporting

Requirement 12: policy, third parties, and the formal compliance reporting chain.

17
A current AOC (Attestation of Compliance) is on file for every PCI-touching service provider, with responsibility matrix per service.
18
Each service provider's PCI-DSS status is monitored at least annually (req 12.8.4), and quarterly for providers in the live payment flow, with documented evidence: refreshed AOC, review calls, and incident history.
19
A board / executive-approved Information Security Policy is refreshed annually; awareness training is completed; incident response is tested.
20
The current SAQ or ROC has been completed by the right party (a ROC by a QSA or ISA; an SAQ signed off by an accountable executive) and submitted to the acquirer, with no open material findings.
What "Ready" Looks Like

Three Bands. Three Plays.

0–7
Will not pass

Your SAQ or ROC will fail. Spend the next 90 days on scope reduction (tokenise, descope), MFA expansion, ASV remediation, and v4.0 future-dated controls.

8–14
At risk

Foundations exist but the v4.0-specific requirements (anti-skimming controls, MFA for all access into the CDE, authenticated internal scans, targeted risk analyses) are missing. Close them in the next 60 days with QSA advisory.

15–20
Audit-defensible

SAQ / ROC should land cleanly. Move to maturity — Customised Approach where appropriate, continuous monitoring, third-party governance excellence.

FAQ

Common Questions

Does using Razorpay / Stripe / Paytm make us out-of-scope?

It reduces scope dramatically (often to SAQ A) but does not eliminate it. You still need a passing SAQ each year, ASV scans on any internet-facing pages that include the redirect or iframe, and a current data-flow diagram.

Are the v4.0 future-dated requirements optional?

No, not any more. The future-dated requirements were "best practice" (not assessed) until 31 March 2025 and have been mandatory since. Anti-skimming controls (6.4.3, 11.6.1), MFA for all access into the CDE (8.4.2), authenticated internal scans (11.3.1.2), and targeted risk analyses (12.3.1, and 12.3.2 for the Customised Approach) are now part of standard validation.

Do we need a QSA?

A ROC is required for Level 1 merchants and Level 1 service providers and must be completed by a QSA, or by an ISA where the card brands and acquirer accept it. SAQ-eligible merchants may self-assess, but most large organisations engage a QSA for advisory help and to sign the AOC.

How does PCI-DSS interact with RBI rules?

RBI's card-on-file tokenisation rules are stricter than PCI-DSS on storage: since October 2022, no entity in the payment chain other than the card issuer and the card network may store actual card data, so Indian merchants must tokenise. PCI-DSS still governs processing and transmission, and both regimes apply.

What is the difference between this checklist and the buyer's guide?

The checklist diagnoses readiness in 5 minutes. The full PCI-DSS v4.0 guide walks through scope, the 12 requirements, v4.0 changes, ASV / pen-test discipline, service providers, and a 90-day roadmap.

Need a PCI-DSS roadmap?

Skip the Guesswork. Get a 90-Day Plan.

A 30-minute consultation. Walk away with a prioritised remediation list scoped to your merchant level, SAQ type, and v4.0-specific gaps.

No sales pitch. Responds within 24 hours.