
PCI DSS 4.0.1 Quick Reference Card

Everything you need at a glance — the 12 requirements, 6 goals, SAQ types, merchant levels, key dates, and useful links in one condensed reference.

A print-friendly compliance cheat sheet for PCI DSS professionals, auditors, and compliance teams.

The 12 PCI DSS Requirements

1. Install and maintain network security controls
2. Apply secure configurations to all system components
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission over open, public networks
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
12. Support information security with organisational policies and programmes

The 6 PCI DSS Goals

Goal: Requirements

Build and Maintain a Secure Network and Systems: Requirements 1, 2
Protect Account Data: Requirements 3, 4
Maintain a Vulnerability Management Programme: Requirements 5, 6
Implement Strong Access Control Measures: Requirements 7, 8, 9
Regularly Monitor and Test Networks: Requirements 10, 11
Maintain an Information Security Policy: Requirement 12

SAQ Types Quick Matrix

SAQ Type: Who It's For (Approx. Controls)

SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants that fully outsource all account data functions to PCI DSS validated third parties, with no electronic storage, processing or transmission of account data on their own systems or premises (~26)
SAQ A-EP: E-commerce merchants that outsource payment processing to a validated third party but whose own website can affect the security of the payment transaction, for example because it serves the page that redirects to or embeds the payment form (~191)
SAQ B: Merchants using only imprint machines and/or standalone dial-out terminals, with no electronic cardholder data storage (~41)
SAQ B-IP: Merchants using only standalone, PTS-approved POI terminals with an IP connection to the payment processor, with no electronic cardholder data storage (~82)
SAQ C: Merchants with a payment application system connected to the internet, with no electronic cardholder data storage (~160)
SAQ C-VT: Merchants that key transactions one at a time into a web-based virtual terminal from an isolated computer, with no electronic cardholder data storage (~79)
SAQ P2PE: Merchants using a PCI-listed, validated P2PE solution with no electronic cardholder data storage (~33)
SAQ D (Merchant): All merchants not eligible for any other SAQ type (~322)
SAQ D (Service Provider): All service providers eligible for SAQ-based reporting, as agreed with the payment brand or their customer (~322)

Control counts are approximate, change between versions of the standard, and do not reflect requirements you may mark as not applicable with justification; confirm the count against the current SAQ in the PCI SSC document library before planning an assessment. PCI DSS v4.0 also introduced SAQ SPoC for merchants using a PCI-listed Software-based PIN entry on COTS (SPoC) solution.

Merchant Levels Summary

Level 1
Over 6 million card transactions annually, across all channels
Annual Report on Compliance (ROC) by a QSA (or a PCI SSC-certified ISA where the card brand allows it) + quarterly ASV scans

Level 2
1 to 6 million transactions annually
Annual SAQ + quarterly ASV scans (Mastercard requires Level 2 SAQs to be completed by ISA-certified staff or a QSA)

Level 3
20,000 to 1 million e-commerce transactions annually
Annual SAQ + quarterly ASV scans

Level 4
Fewer than 20,000 e-commerce transactions, or up to 1 million transactions across all channels, annually
Annual SAQ + quarterly ASV scans, as required by the acquirer

The thresholds above are Visa's and Mastercard's; each card brand sets its own, and a brand may assign Level 1 to any merchant that has suffered an account data compromise, regardless of volume.

Key Dates

March 31, 2022: PCI DSS v4.0 released by the PCI SSC
March 31, 2024: PCI DSS v3.2.1 retired
June 11, 2024: PCI DSS v4.0.1 released (corrections and clarifications only; no new requirements)
December 31, 2024: PCI DSS v4.0 retired; v4.0.1 becomes the only active version
March 31, 2025: The future-dated requirements introduced in v4.0 became mandatory
Current: PCI DSS v4.0.1 is the active standard; full compliance, including the formerly future-dated requirements, is required

PCI DSS Quick Reference FAQ

How many requirements does PCI DSS 4.0.1 have?

PCI DSS 4.0.1 has 12 principal requirements organised under 6 goals. These expand into approximately 322 individual sub-requirements, and each sub-requirement is validated against one or more testing procedures during an assessment (the sub-requirement states what must be in place; the testing procedure states how the assessor verifies it). How many apply to you depends on your SAQ type and the scope of your cardholder data environment. Level 1 merchants and service providers undergoing a full ROC must address every requirement, recording any that are not applicable together with the justification.

What is the difference between SAQ A and SAQ D?

SAQ A is the simplest self-assessment questionnaire, designed for e-commerce or mail/telephone-order merchants that fully outsource all payment processing and have no electronic storage, processing, or transmission of cardholder data. It contains approximately 26 requirements. SAQ D is the most comprehensive, covering all 322 requirements and is used by merchants and service providers that do not qualify for any other SAQ type. The key difference is scope: SAQ A applies to minimal-footprint environments while SAQ D covers the full standard.

How do I determine my merchant level?

Merchant levels are set by each card brand independently and are based on your annual volume of that brand's transactions across all channels. Using the Visa and Mastercard thresholds: Level 1 applies to merchants processing over 6 million transactions annually, Level 2 covers 1 to 6 million, Level 3 covers 20,000 to 1 million e-commerce transactions, and Level 4 applies to merchants below the Level 3 thresholds. Your acquiring bank assigns and confirms your merchant level and the corresponding validation requirements; a brand may also assign Level 1 to a merchant that has suffered a compromise, whatever its volume.

Where can I download the official PCI DSS v4.0.1 standard?

The official PCI DSS v4.0.1 standard is available for free download from the PCI Security Standards Council website at pcisecuritystandards.org. You must create a free account to access the document library. The library includes the standard itself, the SAQ forms, the ROC template, and supporting guidance documents such as the Information Supplement for each major topic area.
