PCI DSS 4.0 Compliance Documents
Complete documentation for PCI DSS 4.0.1 compliance. SAQ guides, security policies, CDE documentation, and the new 12.3.1 Targeted Risk Analysis requirement.
Important: PCI DSS v4.0.1 future-dated requirements became mandatory on March 31, 2025. Our templates include all updated requirements.
Who Needs PCI DSS Compliance?
PCI DSS applies to any organization that stores, processes, or transmits cardholder data. This includes merchants of all sizes and service providers.
Merchants
- E-commerce stores
- Retail/POS businesses
- Subscription services
Service Providers
- Payment processors
- Hosting providers handling CHD
- Payment gateways
SAQ Types (Which Applies to You?)
- SAQ A: Card-not-present, fully outsourced payment processing
- SAQ A-EP: E-commerce with website controls affecting transaction security
- SAQ B / B-IP: Imprint machines, standalone dial-out terminals, IP-connected terminals
- SAQ C / C-VT: Payment applications, web-based virtual terminals
- SAQ D (Merchant/SP): Full scope - doesn't qualify for other SAQs
PCI DSS 4.0 Document Library
Documents mapped to PCI DSS v4.0.1 requirements.
PCI DSS Specific Documents
- SAQ Selection Guide (Pre-Assessment): Determine which Self-Assessment Questionnaire applies to your business
- 12.3.1 Targeted Risk Analysis (NEW in v4.0, Mandatory): Required targeted risk analysis template for flexible requirements
- CDE Network Diagram Template (Req 1.2.3): Cardholder Data Environment documentation and data flow
- PCI DSS Policy Suite (Req 12): Information security policies per PCI DSS Requirement 12
- Incident Response Plan (Req 12.10): Security incident response procedure for payment breaches
- Security Awareness Training (Req 12.6): Annual training program for personnel handling CHD
SAQ Assessment Checklists
- SAQ A Checklist (~22 Requirements): For fully outsourced card-not-present merchants
- SAQ A-EP Checklist (~139 Requirements): E-commerce with partial outsourcing
- SAQ C Checklist (~160 Requirements): Payment application connected to internet
- SAQ D Merchant Checklist (~329 Requirements): Full scope merchant validation
- SAQ D Service Provider Checklist (~347 Requirements): Full scope service provider validation
Supporting Security Policies
- Access Control Policy (Req 7, 8)
- Network Security Policy (Req 1)
- Encryption Policy (Req 3, 4)
- Change Management Policy (Req 6.5)
- Vulnerability Management (Req 6, 11)
- Physical Security Policy (Req 9)
- Logging & Monitoring (Req 10)
- Vendor Management Policy (Req 12.8)
PCI DSS Document Packages
SAQ A Pack
Minimal Requirements
- SAQ A Checklist
- Basic Security Policies
- 12.3.1 Risk Analysis
Full PCI Pack
All 15 Documents
- All SAQ checklists
- Full policy suite
- CDE documentation
- 12.3.1 Risk Analysis
Add: Risk Analysis Only
v4.0 Requirement
- 12.3.1 TRA Template
- Documentation Guide
Ready for PCI DSS 4.0 compliance?
Get documentation aligned to the latest requirements, including the new targeted risk analysis.