PCI DSS v4.0.1 applies to any organization that stores, processes, or transmits payment card data. ThreeShield delivers scoping analysis, SAQ type determination, and continuous Lavawall® CDE monitoring for merchants and service providers across all SAQ types.
The SAQ your organization must complete depends entirely on how you accept and process card payments. Incorrect SAQ selection is a common compliance gap - and a source of liability.
SAQ A: Card-not-present merchants using fully outsourced payment pages. No electronic storage, processing, or transmission of cardholder data. 22 requirements.
SAQ A-EP: E-commerce merchants using a third-party processor but with scripts on their own page that could affect payment security. 191 requirements.
SAQ B / B-IP: Merchants using standalone dial-up or IP-connected terminals. No electronic storage of cardholder data on any computer system. 41-83 requirements.
SAQ C-VT / C: Merchants with payment application systems connected to the internet, or virtual terminals accessed via an internet browser. 160-249 requirements.
SAQ D: All merchants not meeting the criteria for the other SAQ types, and all service providers. 329 requirements. Includes all 12 PCI DSS requirement domains.
Continuous monitoring of cardholder data environment systems against PCI DSS Requirements 6 (patch management), 10 (logging and monitoring), and 11 (testing). Automated evidence for quarterly scan requirements.
Card brands (Visa, Mastercard) can impose fines of $5,000-$100,000 per month for non-compliance. Following a breach, non-compliant merchants face forensic investigation costs, chargeback liability, and potential loss of the ability to accept card payments. Healthcare organizations that process card payments are subject to both PCI DSS and their healthcare privacy obligations simultaneously.
v4.0 introduces a "Customized Approach" option allowing organizations to meet the intent of requirements through alternative controls with documented risk analysis.
Organizations must perform targeted risk analyses for any requirements where frequency is left to the entity's discretion. Documented risk analysis is now formally required.
MFA is now required for all access into the CDE - not just remote access. This is a significant scope expansion for many organizations.
Minimum password length increased to 12 characters. Password complexity requirements updated. Password management solutions now formally recognized.
Using Stripe, Square, or similar processors reduces your PCI scope significantly - but doesn't eliminate it. You're still responsible for your own systems, the security of your website (for card-not-present), and ensuring your payment page integration doesn't introduce vulnerabilities. Most merchants using hosted payment pages qualify for SAQ A or SAQ A-EP, which have significantly fewer requirements than SAQ D.
Yes. A clinic or hospital that accepts Visa or Mastercard is a PCI merchant regardless of its primary regulatory framework. PCI DSS requirements apply to your payment processing environment; Alberta HIA or HIPAA apply to your health information environment. These are separate compliance obligations that must both be met.
Annual validation is required for most merchants. Additionally, quarterly internal vulnerability scans and (for SAQ D and higher) quarterly external ASV scans are required. Lavawall® monitors continuously so quarterly compliance evidence is automatically accumulated rather than scrambled for at scan time.
ThreeShield meets you at your current security maturity. Every level includes Lavawall®.
DIY: For lean IT teams and cost-conscious organizations with internal security capacity.
Supported: Expert guidance alongside your team - ideal for MSPs and organizations with some internal IT capacity.
Done-for-You: Full compliance delivery - ThreeShield manages the entire program end to end.
Choose your engagement model: DIY via Lavawall®, supported by ThreeShield's CISSP/CISA team, or fully done-for-you. Every model includes continuous monitoring so you stay compliant year-round.