Definition
PCI DSS applies to any organisation that stores, processes, or transmits cardholder data — merchants, payment processors, service providers. Compliance level depends on transaction volume; the largest merchants and service providers undergo annual on-site assessment by a Qualified Security Assessor (QSA), while smaller merchants complete a Self-Assessment Questionnaire (SAQ).
Version 4.0 (introduced in 2022; 3.2.1 retired 31 March 2024) introduced the customised approach (allowing organisations to design alternative controls subject to documentation), strengthened MFA requirements, expanded scoping, and added controls around encryption and secure software development. The 4.0.1 revision in 2024 clarified several requirements.
For MSPs, PCI DSS typically arises in one of two ways: through service-provider classification (the MSP stores, processes, or transmits cardholder data on behalf of merchant clients), or through supporting merchant clients in their own PCI compliance work.
Core components
- Twelve requirements. Six control objectives split across twelve requirements covering network security, secure configurations, encryption, vulnerability management, access control, monitoring, and security policy.
- Cardholder Data Environment (CDE). The systems, processes, and people that store, process, or transmit cardholder data — plus connected systems. Scoping the CDE accurately is foundational.
- Self-Assessment Questionnaire (SAQ). Multiple SAQ types (A, A-EP, B, B-IP, C, C-VT, D, P2PE) for different merchant scenarios.
- Qualified Security Assessor (QSA). PCI Council-accredited assessors who conduct on-site assessments for Level 1 merchants and service providers.
- Approved Scanning Vendor (ASV). External vulnerability scanners approved by PCI to perform required external scans.
- Customised Approach (4.0+). Allows organisations to implement alternative controls subject to documentation and assessor review.
Why it matters
Non-compliance penalties are enforced by the card brands and acquiring banks: monthly fines from US$5,000 to US$100,000+, increased per-transaction fees, and termination of the merchant's ability to accept card payments. After a breach, fines and forensic-investigation costs often add up to multiples of the original compliance cost.
Beyond the direct penalties, PCI DSS sets a security baseline that the card schemes (Visa, Mastercard, Amex, Discover, JCB) operationalise into their own compliance programmes. Service providers (including many MSPs) appear on the Visa and Mastercard service-provider registries and are subject to specific service-provider requirements.
How Lavawall® helps with PCI DSS (Payment Card Industry Data Security Standard)
Lavawall® treats PCI DSS 4.0 as a first-class framework. The 12 requirements map to live evidence Lavawall® collects: network segmentation indicators, encryption posture, system component inventory, patching state, access controls, MFA enforcement, audit logging, file-integrity monitoring, vulnerability management, and incident response.
ThreeShield, the audit firm that built Lavawall®, has CISSP- and CISA-credentialled staff who have led PCI DSS readiness work. The control mappings reflect what assessors actually examine, not the literal text of a requirement read by a software engineer who has never sat through a real PCI engagement.
Multi-tenant delivery lets MSPs run PCI DSS readiness across multiple merchant clients from one platform. Service-provider-tier evidence is also supported for MSPs that themselves fall within PCI scope.
Frequently asked
- Do I need to be PCI compliant if I just process card payments?
- Yes. Any organisation that stores, processes, or transmits cardholder data is in scope. The compliance approach (SAQ vs QSA-led assessment) depends on transaction volume.
- What is the customised approach in 4.0?
- Version 4.0 allows organisations to design alternative controls that meet the security objective even when they don't literally implement the prescribed control. Documentation and assessor review are required.
- Are MSPs in scope?
- MSPs that handle cardholder data on behalf of merchant clients are typically service providers under PCI and have specific obligations including annual assessment for Level 1 service providers.
- Does Lavawall® replace my QSA?
- No. PCI DSS Level 1 assessments are performed by accredited QSA firms. Lavawall® produces evidence; the QSA samples and attests. ThreeShield offers PCI readiness work; the QSA assessment of record is a separate engagement.