PCI DSS v4.0 checklist: all 12 requirements (and the v4 future-dated items)
PCI DSS isn’t a one-time certification — it’s evidence your controls operate continuously. This checklist walks every control an auditor examines, and flags which a platform can automate.
What PCI DSS requires
PCI DSS is assessed against 64 controls across 5 families: Build & maintain security, Protect account data, Access control, Monitor & test, Policy. Each control must be both designed and operating effectively: auditors want evidence that it worked throughout the assessment period, not just that it existed on paper.
The control checklist
All 12 PCI DSS v4.0 requirements, including the future-dated items that became mandatory March 2025. Use the table below as your working checklist — 12 line items. Controls marked Auto can be monitored continuously by SBCMSP; Manual controls need a documented process and human evidence.
| Requirement | Description | Coverage |
|---|---|---|
| Build & maintain a secure network | | |
| Req 1 | Install & maintain network security controls | Auto |
| Req 2 | Apply secure configurations to all system components | Auto |
| Protect account data | | |
| Req 3 | Protect stored account data | Auto |
| Req 4 | Strong cryptography for transmission over open networks | Auto |
| Vulnerability management | | |
| Req 5 | Protect systems & networks from malicious software | Auto |
| Req 6 | Develop & maintain secure systems & software | Auto |
| Access control | | |
| Req 7 | Restrict access by business need-to-know | Auto |
| Req 8 | Identify users & authenticate access (MFA for all CDE access) | Auto |
| Req 9 | Restrict physical access to cardholder data | Manual |
| Monitor & test | | |
| Req 10 | Log & monitor all access to system components | Auto |
| Req 11 | Test security of systems & networks regularly | Auto |
| Information security policy | | |
| Req 12 | Support security with organizational policies & programs | Manual |
Evidence you must collect
For every control, an auditor expects evidence it operated throughout the review period. Common examples:
- Access reviews with timestamps and approver
- Change tickets linked to deployments
- Encryption and configuration snapshots
- Vendor / supplier risk assessments on file
Automating the checklist
Roughly two-thirds of PCI DSS controls can be monitored automatically. SBCMSP watches those continuously, collects timestamped evidence, and flags drift — so the audit becomes a review of a report you already have, not a month-long scramble.