Back

PCI DSS Cybersecurity Requirements Explained

Lior Vaisman
Lior Vaisman
Apr 30, 2026 | 9 Minutes
Container hardeneing
Base Images
Cryptographic
PCI DSS Cybersecurity Requirements Explained

Key Takeaways

  • PCI DSS v4.0.1 is fully enforceable as of March 31, 2025 - the largest update in over a decade, with materially higher expectations for vulnerability management, authenticated scanning, and segmentation testing.
  • Requirements 6 and 11 carry most of the cybersecurity engineering load. Req 6 governs patch SLAs and secure SDLC; Req 11 mandates quarterly vulnerability scans (ASV-performed for external), annual pen tests, and - for service providers - segmentation testing every six months.
  • v4.0 raises the floor in three specific ways: authenticated internal scans are now explicit, targeted risk analysis must be documented and reviewed annually, and MFA is mandatory for all access into the cardholder data environment.
  • Most PCI DSS programs fail on operational tempo, not understanding. The rules are clear; sustaining monthly patching SLAs, quarterly ASV scans, continuous IDS/IPS, and change-driven re-testing at scale is what burns out security teams.
  • The fastest path to compliance is starting with images that are already secure. Pre-hardened, FIPS-validated, CVE-free container images with auto-generated SBOMs and signed provenance turn Requirements 6 and 11 from a quarterly scramble into a checkbox.

The cost of getting PCI DSS wrong is no longer theoretical. Average breach fines for cardholder data exposure now run into the millions, and contractual penalties from card brands compound on top of regulatory action. The cost of getting it right, however, is mostly measured in engineering hours - the patches, scans, pen tests, and audit-ready reports that vulnerability management demands. For most security teams, that imbalance is the real story of PCI DSS: it is not a hard standard to understand, it is a hard operation to sustain.

This post is for CISOs and security teams who already know PCI DSS exists and want a precise, current read on the cybersecurity expectations under v4.0 - especially the vulnerability management and testing requirements that absorb the most engineering time.

What is PCI DSS and who must comply?

The Payment Card Industry Data Security Standard (PCI DSS) is the security standard that governs any organization handling cardholder data on behalf of the major card brands (Visa, Mastercard, American Express, Discover, JCB). It is maintained by the PCI Security Standards Council and currently sits at version 4.0.1, with full enforcement of v4.0 requirements that took effect on March 31, 2025. PCI DSS applies to merchants, service providers, and any third party that stores, processes, or transmits cardholder data - or that can affect the security of the cardholder data environment (CDE). Compliance level (1 through 4) is driven by transaction volume, with Level 1 merchants and most service providers requiring an annual on-site assessment by a Qualified Security Assessor (QSA). If your team is reading this, you almost certainly already know whether you are in scope. The question is what specifically you have to do.

The other requirements that touch security

The remaining PCI DSS requirements are not "less important" - they are simply less engineering-intensive on a day-to-day basis once they are stood up:

  • Requirement 1 - install and maintain network security controls (firewalls, segmentation of the CDE)
  • Requirement 2 - apply secure configurations to all system components (no default passwords, hardened baselines)
  • Requirement 5 - protect against malicious software
  • Requirement 8 - identify users and authenticate access (MFA is now mandatory for all access into the CDE under v4.0)
  • Requirement 10 - log and monitor all access to system components and cardholder data
  • Requirement 12 - maintain an information security policy that supports the technical controls

Taken together, the 12 requirements add up to a full security posture, not just a vulnerability scanning exercise. But Requirements 6 and 11 are where the audit findings, the remediation work, and the engineering hours live.

What changed in PCI DSS v4.0 for vulnerability management?

Version 4.0 was the largest update to PCI DSS in over a decade, and three changes matter most for vulnerability management:

1. Targeted risk analysis. Several requirements now allow organizations to define their own frequency for certain controls based on a documented risk analysis, rather than following a fixed schedule. This is more flexibility, but it also means more documentation: you must justify your cadence and review it annually.

2. Authenticated internal vulnerability scans. v4.0 explicitly requires authenticated scanning for internal vulnerability scans, where supported. Authenticated scans surface significantly more findings than unauthenticated ones - which is the point - but they also raise the operational bar for credential management and remediation throughput.

3. Tighter pen testing and segmentation testing. Service providers now must perform segmentation testing every six months (up from annually), and pen testing scope must explicitly cover the entire CDE perimeter and any segmentation controls.

The practical consequence of v4.0 is that the floor for PCI DSS vulnerability management rose meaningfully. Programs that were just barely passing under v3.2.1 are likely to find new gaps under v4.0 - most often around authenticated scanning coverage, software inventory completeness, and the documentation supporting risk-based frequencies.

How Echo helps teams meet PCI DSS requirements without the overhead

PCI DSS demands continuous CVE remediation, patch SLAs, and audit-ready evidence - exactly where engineering teams lose the most time. Echo removes that burden by shipping pre-hardened, vulnerability-free container images that are FIPS-validated and STIG-compliant out of the box.

For security teams chasing PCI DSS Requirement 6 and 11 compliance, this means CVEs are eliminated before code ships, patch cycles shrink from months to days (average 3-day remediation), and audit evidence - SBOMs in SPDX and CycloneDX, signed provenance, per-image vulnerability reports - is generated automatically.

The proof points stack up quickly: 10,000 CVEs eliminated, 4,000 engineering hours saved per year, audit reports auto-forwarded to assessors in real time, and support for the cryptographic modules teams actually use (OpenSSL, BoringCrypto, Bouncy Castle).

"With Echo, zero vulnerabilities showed up, everything was compliant, and the auditor was super satisfied. Just a smooth ride." - Lior Chen, Deputy CTO

The reframe for CISOs is simple: PCI DSS Requirement 6 and 11 are not really compliance problems. They are engineering efficiency problems wearing a compliance label. The fastest path to passing the audit is the same path as shipping faster - start with images that are already secure, already hardened, and already evidenced.

Start with secure, compliant images

PCI DSS v4.0 has raised the floor on what "good" looks like for vulnerability management, and the cost of meeting it the hard way - manual patching, hand-built scan reports, last-minute pen-test prep - is no longer sustainable for most security teams.

The faster path is to start with a software supply chain that is already PCI-aligned: validated crypto, hardened configs, eliminated CVEs, signed evidence. See how Echo cuts time-to-compliance - and turns the audit into the easy part of the year.

FAQ

What is PCI DSS and which version is currently enforced? PCI DSS is the security standard governing any organization that stores, processes, or transmits cardholder data on behalf of major card brands. Version 4.0.1 is the current standard, with full enforcement of v4.0 requirements effective March 31, 2025 - the largest update to the standard in over a decade.

What are the most demanding requirements for security engineering teams? Requirements 6 and 11 carry the heaviest engineering load. Requirement 6 governs patch SLAs and secure SDLC practices; Requirement 11 mandates quarterly vulnerability scans, annual penetration tests, and, for service providers, segmentation testing every six months. These two requirements are where most audit findings and remediation hours are concentrated.

What changed in PCI DSS v4.0 for vulnerability management? Three changes raised the floor meaningfully: authenticated internal scans are now explicitly required, targeted risk analysis must be documented and reviewed annually, and segmentation testing for service providers increased from annual to every six months. Programs that were just passing under v3.2.1 are likely to find new gaps - most often around authenticated scanning coverage and software inventory completeness.

Is MFA now mandatory under PCI DSS v4.0? Yes. Multi-factor authentication is now required for all access into the cardholder data environment, not just remote access as it was under v3.2.1. This applies broadly to any user or administrator accessing CDE systems, making identity and access management a higher-priority remediation item for teams upgrading their compliance posture.

How does Echo help teams meet PCI DSS Requirements 6 and 11? Echo ships pre-hardened, FIPS-validated container images with CVEs eliminated before code ships, reducing average patch remediation to three days. Audit evidence - SBOMs in SPDX and CycloneDX, signed provenance, per-image vulnerability reports - is generated automatically and can be forwarded to assessors in real time, turning Requirements 6 and 11 from a quarterly scramble into a largely automated process.

What are the 7 blind spots in your vulnerability scans?

Discover when "0 vulnerabilities" doesn't actually mean you're clean.

Read now →

Ready to eliminate vulnerabilities at the source?

Container hardeneing
Base Images
Cryptographic