Description
Under PCI DSS v4.0.1, every formerly future-dated requirement has been mandatory since 31 March 2025. PCI DSS scope must be confirmed and documented at least once every 12 months (Requirement 12.5.2), and at least every six months for service providers (TPSPs) (Requirement 12.5.2.1). Disk- or partition-level encryption on its own no longer satisfies the requirement to render stored PAN unreadable, except on removable electronic media (Requirement 3.5.1.2); a separate mechanism such as column-, field- or application-level encryption is needed, because a transparently mounted volume presents PAN in the clear to any process or account on that host. Public-facing web applications must be protected by an automated technical solution that continually detects and prevents web-based attacks, for example a web application firewall (Requirement 6.4.2).
Requirements
- Confirm and document PCI DSS scope at least every 12 months (every six months for service providers), including data flows and all system components that store, process or transmit account data
- Render stored PAN unreadable with a mechanism other than disk- or partition-level encryption alone (column-, field- or application-level encryption); disk-level encryption by itself is acceptable only on removable electronic media
- Deploy an automated technical solution (such as a WAF) in front of public-facing web applications that continually detects and prevents web-based attacks
- Document and assign roles and responsibilities for performing the activities in each of Requirements 1 through 11
- Complete the first full cycle of all formerly future-dated requirements, with evidence that each is in place and operating
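The scope-confirmation and stored-PAN requirements above both turn on one question: where does PAN sit in the clear? The following Python script is an added illustration, not part of this page or of any PCI SSC material. It scans constructed sample records with a Luhn-filtered PAN pattern and shows why disk-level encryption does not help: the "disk-encrypted volume" sample is what a process reads from a mounted volume (plaintext), while the field-encrypted sample exposes only ciphertext and the last four digits. The card numbers are well-known test numbers, the ciphertext hex is constructed, and the record layout is assumed.

```python
"""Cleartext-PAN discovery scan, an added example (not from the page).

Assumptions not stated on the page: Python 3.9+, standard library only,
key=value records one per line. Sample data below is constructed.
"""
from __future__ import annotations

import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded inside a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812); drops most order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the scan report itself is not PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in the clear in `text`."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan(stores: dict[str, str]) -> dict[str, list[str]]:
    """Masked cleartext PANs per data store. An empty list is evidence that
    the store holds no readable PAN; it is not by itself proof the store is
    out of scope (connectivity and other account data still matter)."""
    return {name: find_pans(content) for name, content in stores.items()}


# Constructed sample: a process reading a disk-encrypted volume sees the
# records exactly like this, because the volume is decrypted transparently
# on mount. The 16-digit order IDs fail Luhn and are correctly ignored.
DISK_ENCRYPTED_VOLUME = """\
order_id=1234567890123456 card=4111 1111 1111 1111 exp=12/27
order_id=9988776655443322 card=5555-5555-5555-4444 exp=03/28
"""

# Constructed sample: the same records after field-level encryption. The
# card_ct values are made-up hex, not real cipher output; only last4 is clear.
FIELD_ENCRYPTED_TABLE = """\
order_id=1234567890123456 card_ct=3f9a1c77e02b44d8b1ee last4=1111 exp=12/27
order_id=9988776655443322 card_ct=a07dd3c9e55b1120f4c3 last4=4444 exp=03/28
"""

if __name__ == "__main__":
    results = scan({
        "disk_encrypted_volume": DISK_ENCRYPTED_VOLUME,
        "field_encrypted_table": FIELD_ENCRYPTED_TABLE,
    })
    for store, hits in results.items():
        print(f"{store}: {hits or 'no cleartext PAN'}")
```

Run against real file systems, database exports or log directories, the same `scan` call gives a list of stores that still hold readable PAN, which is the input both to the annual scope confirmation and to deciding where field-level encryption or tokenisation is still missing. Widen the pattern (Track data, CVV fields) to taste, and never write the unmasked matches to the report.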
Applicable To
- Merchants handling payment card data
- Third-party service providers (TPSPs)
- Payment processors
- Acquirers
Penalty Information
⚠ Non-compliance fines, assessed by the card brands and passed on through the acquiring bank, are commonly cited at $5,000 to $100,000 per month; continued non-compliance can lead to loss of card processing privileges.