PCI DSS v4.0

Protect cardholder data with PCI DSS compliance

PCI DSS is the global standard for any company touching payment card data. Normado generates your security policies, maps all 12 PCI DSS requirement categories to your environment, and tracks evidence continuously — so your SAQ or ROC lands with the bank without months of remediation.

First 100 customers get all Enterprise features at €49/mo for year one.


Example PCI DSS dashboard

PCI DSS · Live Compliance
PCI requirement categories covered: 10 / 12
Security policies approved: 13 / 14
Scope segmentation controls: 28
Quarterly ASV scans tracked: 4

What PCI DSS actually requires

Three pillars, plain language

PCI DSS v4.0 was published in March 2022 and fully replaced v3.2.1 on 31 March 2024; the v4.0 requirements that were future-dated as best practice became mandatory on 31 March 2025. It applies to any entity that stores, processes, or transmits cardholder data, or that could impact the security of that data. Most EU SaaS companies that touch card numbers are in scope even if they think they aren't.

1

Build and maintain a secure network

Network security controls, network segmentation, secure configurations. Your Cardholder Data Environment (CDE) must be demonstrably isolated from the rest of your infrastructure, and that isolation has to be proven by segmentation testing (at least annually for merchants, every six months for service providers). Reducing the CDE this way drops most companies' scope dramatically.

2

Protect cardholder data

Render stored PAN unreadable (strong encryption, truncation, hashing or tokenization), protect it with strong cryptography in transit over open networks, manage keys properly, and keep retention to the minimum your business actually needs. If you don't store it, you don't have to protect it: tokenization through your payment provider is your friend.
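The first step of retention minimization is finding card data that crept into places it shouldn't be, typically debug logs. The example below is added here and is not Normado's code: it scans constructed log lines for 13 to 19 digit runs, keeps only the Luhn-valid ones (which filters out order IDs and session tokens), and reports them masked to the first six and last four digits, the maximum PCI DSS 3.4.1 allows on display. The log lines, hostnames and order IDs are constructed test data; the card numbers are the public Visa/Mastercard test numbers.

```python
"""PAN discovery and masking for scope reduction (PCI DSS v4.0 Req 3.2 / 3.4.1 style).

Added example for this page, not Normado's product code. The log lines are
constructed test data using the well-known Visa/Mastercard test numbers.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run. Assumption: this covers the common PAN lengths.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation; rejects most numeric noise (order IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits stay visible (Req 3.4.1)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[dict]:
    """Return Luhn-valid PAN candidates with their line number and masked form."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append({"line": lineno, "pan": digits, "masked": mask_pan(digits)})
    return hits


# Constructed sample: a debug log that quietly pulled card data into scope.
SAMPLE_LOG = """\
2024-05-02T10:14:03Z INFO  checkout order=ORD-20240502-000817 amount=49.00 EUR
2024-05-02T10:14:04Z DEBUG gateway request card=4111 1111 1111 1111 exp=12/27
2024-05-02T10:15:11Z DEBUG gateway request card=5555-5555-5555-4444 exp=03/26
2024-05-02T10:16:40Z INFO  shipment tracking=4111111111111112
2024-05-02T10:17:02Z INFO  session id=9876543210987654321 user=alice
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        # Never print the full PAN in a findings report; the masked form is enough.
        print(f"line {hit['line']}: PAN found, masked {hit['masked']}")
```

Only the two gateway debug lines are reported; the tracking number and session ID fail the Luhn check and the order ID is too short once the timestamp is excluded. In a real scan you would point `find_pans` at log archives, database dumps and object storage, and treat every hit as proof that the CDE boundary is drawn in the wrong place.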

3

Monitor, test, maintain

Quarterly external ASV scans and internal vulnerability scans, annual penetration tests, audit logging and monitoring, a documented information security policy, and evidence that your program actually operates day-to-day, not just on audit day.

Want the full breakdown? Read our PCI DSS deep-dive.

How Normado covers it

Built end-to-end for PCI DSS

  • AI-generated policies mapped to all 12 requirements: Information security, access control, encryption, vulnerability management, network security, incident response, all aligned to the PCI DSS v4.0 requirement structure.
  • All 12 PCI DSS requirement categories pre-loaded: From Requirement 1 (network security controls) through Requirement 12 (information security program), with plain-language guidance for SMBs.
  • SAQ type identification: Determine whether you need SAQ A, A-EP, D (or one of the card-present types), or a full ROC based on how you handle card data, before you start the wrong paperwork.
  • Scope reduction workflows: Document your Cardholder Data Environment and prove segmentation. The less you're in scope, the cheaper and faster compliance gets.
  • Evidence management for ASV scans and pen tests: Quarterly ASV scan reports, annual penetration test reports, and segmentation tests, organized by requirement with expiry alerts.
Example org compliance

PCI DSS: 83%
Policies: 23 / 25
Controls: 21 / 25
Risks: 20 / 25
Evidence: 19 / 25

A living platform, not a one-off project

What ongoing compliance looks like

Consultants deliver a snapshot in time — then you maintain it yourself, re-engage every year, and answer auditor questions from static Word docs. Normado is the living system underneath: always current, always auditable, owned by your team.

Consultant engagement

€15,000 – €50,000
6 – 12 months per cycle
  • Tailored through months of interviews and workshops
  • Static deliverables you maintain yourself afterward
  • Evidence collection, version control, audit prep on you
  • Re-engage every year for refreshes and new frameworks
  • Expertise leaves when the engagement ends

Normado platform

€49 – €299 / month
Audit-ready in weeks
  • AI-generated policies tailored to your org in minutes
  • Gap analysis, risk register, and controls all in one place
  • Evidence management with expiry tracking built in
  • Always current — new frameworks and requirements rolled out automatically
  • Your team owns the system, always audit-ready

Frequently asked

PCI DSS questions we hear most

Does PCI DSS apply to my company?
PCI DSS applies to any entity that stores, processes, or transmits cardholder data, or that could impact the security of such data. If you take card payments (even through Stripe, Adyen, Mollie), you are in scope; outsourcing shrinks what you have to validate, it does not remove you from scope. The question is not whether you comply, but how you validate. SAQ A applies to e-commerce merchants that fully outsource card handling to a validated third party (hosted payment page or iframe) and whose own systems never touch card data; SAQ A-EP applies if your own site controls how card data reaches the processor (your JavaScript, a direct-post form) even though your servers never receive it; SAQ D applies to merchants that fit no narrower SAQ, including any that store card data; card-present merchants have their own types (B, B-IP, C, C-VT, P2PE). Above your acquirer's transaction threshold (Level 1) a full ROC (Report on Compliance) is required instead of an SAQ.
Is PCI DSS a law?
No. PCI DSS is a contractual standard maintained by the PCI Security Standards Council and enforced by the card brands (Visa, Mastercard, Amex, Discover, JCB) through acquiring banks. Non-compliance does not draw government fines under PCI DSS itself; it draws fees from your acquirer, potentially higher processing rates, and in severe cases loss of card processing ability. A breach of card data can of course still trigger data-protection penalties such as GDPR fines. The acquirer fees compound quickly: $5,000–$100,000 per month is the range commonly cited for non-compliant merchants.
What changed in PCI DSS v4.0?
v4.0 (published March 2022; v3.2.1 retired 31 March 2024) introduced 64 new requirements. Most were future-dated best practices until 31 March 2025 and are mandatory from then: anti-phishing controls, a 12-character minimum password length (8 where a system cannot support 12), targeted risk analyses for customized approaches, automated mechanisms for audit log review, and an inventory with authorization and integrity control of every script on payment pages (6.4.3) plus change and tamper detection on those pages at least weekly (11.6.1). The most significant change is the shift toward outcome-based requirements with flexibility in how you meet them (the customized approach), but with more evidence expected.
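The payment-page script requirement is the one most teams have no existing tooling for, so here is what the check behind it looks like in practice. This is an added example, not Normado's code: a small inventory checker that parses the scripts a payment page serves, compares each against an authorised inventory (business justification plus the approved SRI hash), and re-hashes the script body that is currently being served. The hostnames, script bodies, inventory and page HTML are all constructed test data; in production the `FETCHED` dict would be replaced by actual retrieval of each script.

```python
"""Payment-page script inventory check, in the spirit of PCI DSS v4.0 Req 6.4.3.

Added example for this page, not Normado's product code. The page HTML, the
script bodies, the hostnames and the inventory are all constructed test data.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value for a script body (sha384-<base64 digest>)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src and integrity attributes; inline scripts have src None."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})


def check_page(html: str, fetched: dict, inventory: dict) -> list[str]:
    """Compare the scripts a payment page serves against the authorised inventory.

    Returns one finding per problem; an empty list means every script is
    inventoried, carries the approved integrity value and still hashes to it.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        src = s["src"]
        if src is None:
            findings.append("inline script present: needs an inventory entry and a CSP nonce or hash")
            continue
        entry = inventory.get(src)
        if entry is None:
            findings.append(f"unauthorised script not in inventory: {src}")
            continue
        if s["integrity"] is None:
            findings.append(f"missing integrity attribute: {src}")
        elif s["integrity"] != entry["integrity"]:
            findings.append(f"integrity attribute differs from approved value: {src}")
        body = fetched.get(src)
        if body is None:
            findings.append(f"script could not be retrieved for hashing: {src}")
        elif sri_hash(body) != entry["integrity"]:
            findings.append(f"served content changed since approval: {src}")
    return findings


# Constructed test data -------------------------------------------------
PSP_BODY = b"/* psp hosted fields v3 */"
APP_BODY_APPROVED = b"/* checkout ui v1 */"
APP_BODY_SERVED = b"/* checkout ui v1 -- silently modified */"

# The authorised inventory: every script with a justification and its approved hash.
INVENTORY = {
    "https://js.psp.example/v3/checkout.js": {
        "justification": "PSP hosted card fields",
        "integrity": sri_hash(PSP_BODY),
    },
    "https://static.shop.example/app.js": {
        "justification": "Checkout UI",
        "integrity": sri_hash(APP_BODY_APPROVED),
    },
}

# What the page serves right now: an unapproved analytics tag crept in, and app.js changed upstream.
FETCHED = {
    "https://js.psp.example/v3/checkout.js": PSP_BODY,
    "https://cdn.tracker.example/analytics.js": b"/* analytics */",
    "https://static.shop.example/app.js": APP_BODY_SERVED,
}

PAGE_HTML = f"""
<html><head>
<script src="https://js.psp.example/v3/checkout.js"
        integrity="{INVENTORY['https://js.psp.example/v3/checkout.js']['integrity']}"></script>
<script src="https://cdn.tracker.example/analytics.js"></script>
<script src="https://static.shop.example/app.js"
        integrity="{INVENTORY['https://static.shop.example/app.js']['integrity']}"></script>
<script>window.checkoutCurrency = "EUR";</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding in check_page(PAGE_HTML, FETCHED, INVENTORY):
        print("FINDING:", finding)
```

Run against the constructed page it reports three findings: the analytics tag nobody authorised, the approved `app.js` whose served bytes no longer match the inventory hash (the browser's SRI check would block it, but the point of 6.4.3 and 11.6.1 is that you find out, not just your customers), and an inline script that SRI cannot cover and therefore needs a CSP nonce or hash and its own inventory entry. Scheduling this check at least weekly, and on every deploy, gives you the evidence trail for 11.6.1.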
How does PCI DSS relate to ISO 27001?
Significant overlap. ISO 27001 Annex A covers most PCI DSS technical control areas (access control, cryptography, change management, incident response, logging), and one control implemented once typically satisfies both. The difference: PCI DSS is narrower (scoped to the cardholder data environment) but far more prescriptive, and it adds tests ISO 27001 does not require at all, such as quarterly ASV scans, segmentation testing, PAN-specific storage and masking rules, and payment-page script controls. ISO 27001 is broader but more flexible. If you have ISO 27001, you are typically 2-3 months from PCI DSS compliance, most of it spent on those PCI-specific items. Normado auto-maps shared controls across both.
Do I need a QSA?
A Qualified Security Assessor (QSA) is required only when a Report on Compliance is required (typically Level 1 merchants processing 6M+ Visa/Mastercard transactions per year, and Level 1 service providers); some acquirers also accept a ROC signed by a trained Internal Security Assessor (ISA) on your own staff. Most SMBs and mid-market companies qualify for a Self-Assessment Questionnaire (SAQ), which you can complete in-house, though depending on the SAQ type you may still need ASV scans or a penetration test as supporting evidence. If you do need a QSA, engagement costs range from €15,000–€60,000 depending on scope.
Does Normado also cover other frameworks?
Yes — all Normado-supported frameworks are available in Professional and Enterprise tiers. One control implemented once often satisfies multiple frameworks simultaneously.

Get PCI DSS ready, faster and cheaper

Join the waitlist and be the first to get access. First 100 customers get all Enterprise features at €49/mo for year one.

No credit card required. Cancel anytime.
