
E-Commerce PCI DSS 4.0 Compliance for Indian Businesses: 2026 Implementation Guide

What PCI DSS 4.0 actually requires for Indian e-commerce platforms, how to scope it down, the technical controls, and how to align it with DPDP and ISO 27001 for efficiency.

Published 18 May 2026 | 9 min read | Codesecure Security Team | Industry

Key Takeaways

  • PCI DSS 4.0 became fully mandatory in 2025. Indian e-commerce handling card data must comply, with significant changes from PCI DSS 3.2.1.
  • Scope reduction is the highest-leverage decision: tokenization, hosted payment pages and outsourcing to Level 1 service providers can dramatically reduce direct compliance burden.
  • Key 4.0 changes: customized approach option, expanded MFA requirements, encryption changes, frequent vulnerability scanning, expanded targeted risk analyses.
  • Alignment with ISO 27001 and DPDP creates efficiency: roughly 60-70% control overlap; build one program, satisfy multiple frameworks.
  • Annual assessment: Level 1 merchants (6M+ transactions) need annual on-site QSA assessment; lower levels typically need self-assessment + quarterly scans.

PCI DSS 4.0: What Changed

PCI DSS 4.0 has been the active standard since 2025 (with full enforcement of all new requirements by April 2025). The major changes from 3.2.1 affect all Indian merchants and service providers handling card data:

  • Customized Approach: organizations can use alternative controls to meet the objective of a requirement, if they document equivalent security. Significant flexibility for sophisticated security programs.
  • Expanded MFA: MFA now required for ALL access into the Cardholder Data Environment (CDE), not just remote access. Internal admin access too.
  • Stronger password requirements: minimum 12 characters or risk-based authentication; longer for service accounts
  • Encryption changes: keyed cryptographic hashes preferred over plain hashes for protecting cardholder data
  • Frequent scanning: every 3 months minimum for internal vulnerability scans (was 'periodically' in 3.2.1)
  • Targeted risk analysis: required for several controls; documented justification for chosen frequencies, scopes, controls
  • Phishing-resistant authentication encouraged: while not strictly mandatory across the board, MFA must be resistant to phishing for newly implemented systems

Scoping: The Highest-Leverage Decision

The biggest factor in PCI DSS cost and complexity is scope: how many systems sit inside the Cardholder Data Environment (CDE). Aggressive scope reduction can cut compliance burden by 70-90%:

  • Tokenization: replace card numbers with tokens at point of capture. Token vault is the only system handling real card data; everything downstream handles tokens (out of PCI scope)
  • Hosted payment pages: card data entry redirected to payment processor's domain; merchant systems never see card data. Often reduces merchant to SAQ A scope (simplest)
  • Outsource to a Level 1 service provider: the payment gateway or aggregator (PG/PA) handles card data, and the merchant's own PCI scope shrinks accordingly
  • Network segmentation: rigorous segmentation between CDE and rest of network reduces scope to just the segmented zone
  • Out-of-scope confirmation: documented analysis with QSA validation that segmentation is effective
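The two scope-reduction mechanisms above (tokenization, and the 4.0 preference for keyed rather than plain hashes of card data) in working form. This is an added example, not Codesecure's or any payment provider's code: a minimal token vault that is the only component ever handling a real PAN, a keyed HMAC index so the same card always maps to the same token without storing a reversible plain hash, and a downstream order record that refuses to accept anything that looks like a PAN. The vault key and the card numbers are constructed test values.

```python
"""Added example: a minimal tokenization boundary for an e-commerce checkout.

Only TokenVault handles a real PAN; every downstream system works with a
random token plus a first6/last4 mask.  The vault indexes cards with a keyed
hash (HMAC-SHA256) rather than a plain hash.  Stdlib only.  The index key and
the card numbers used in the usage section are constructed test values.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used here to recognise something that looks like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True for a 13-19 digit Luhn-valid string (spaces/dashes ignored)."""
    s = re.sub(r"[ -]", "", value)
    return s.isdigit() and 13 <= len(s) <= 19 and luhn_valid(s)


def mask_pan(pan: str) -> str:
    """First 6 / last 4 is the most a non-CDE system should ever see."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TokenVault:
    """The only component in scope for real card data."""
    index_key: bytes                                  # constructed; a real vault keeps this in an HSM
    _by_index: dict = field(default_factory=dict)     # HMAC(PAN) -> token
    _by_token: dict = field(default_factory=dict)     # token -> PAN (encrypted at rest in a real vault)

    def _index(self, pan: str) -> str:
        # Keyed hash: without index_key the stored index values cannot be
        # reversed by walking the small PAN space, which a plain SHA-256 would allow.
        return hmac.new(self.index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> tuple[str, str]:
        """Return (token, masked_pan); the same card always gets the same token."""
        pan = re.sub(r"[ -]", "", pan)
        if not looks_like_pan(pan):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        token = self._by_index.get(idx)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # random: carries no PAN information
            self._by_index[idx] = token
            self._by_token[token] = pan
        return token, mask_pan(pan)

    def detokenize(self, token: str) -> str:
        """Only the vault (inside the CDE) can go back from token to PAN."""
        return self._by_token[token]


@dataclass
class OrderRecord:
    """A downstream, out-of-scope system: it must never hold a PAN."""
    order_id: str
    card_token: str
    card_masked: str

    def __post_init__(self):
        for v in (self.card_token, self.card_masked):
            if looks_like_pan(v):
                raise ValueError("PAN leaked into an out-of-scope record")


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    token, masked = vault.tokenize("4111 1111 1111 1111")   # constructed test PAN
    order = OrderRecord("ORD-1", token, masked)
    print(order)                      # token and 411111******1111 only
    print(vault.detokenize(token))    # PAN recoverable inside the vault alone
```

The `OrderRecord` guard is the check worth copying: any system you claim is out of scope should reject Luhn-valid 13-19 digit strings at its boundary, because one stray PAN in an order table or a log pulls that system back into the CDE.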

PCI DSS Scoping Assessment

60-minute call to scope your PCI environment. We will identify scope reduction opportunities (tokenization, hosted payment, segmentation) and outline a realistic compliance path.


Merchant and Service Provider Levels

PCI DSS sets assessment obligations by annual transaction volume:

  • Level 1 Merchant: 6 million+ card transactions per year. Annual on-site assessment by QSA. Annual penetration test. Quarterly internal and external scans. Most rigorous.
  • Level 2 Merchant: 1-6 million transactions. Annual SAQ (Self-Assessment Questionnaire) D submission. Annual penetration test (recommended). Quarterly scans.
  • Level 3 Merchant: 20K-1M e-commerce transactions. Annual SAQ. Quarterly scans.
  • Level 4 Merchant: less than 20K e-commerce transactions or less than 1M total. Annual SAQ (often shorter form). Quarterly scans where applicable.
  • Service Provider Level 1: 300K+ transactions. Annual on-site assessment.
  • Service Provider Level 2: fewer than 300K. Annual SAQ submission.

Key Technical Controls for E-Commerce

The controls an e-commerce CDE typically needs to demonstrate:

  • Tokenization gateway: card data tokenized at entry; tokens used downstream
  • Hosted payment integration: HPP or iframe redirect for card data entry; merchant systems never see real PAN
  • Network segmentation: CDE strictly isolated; only essential traffic, all logged, all firewalled
  • WAF: required for public-facing applications handling cardholder data
  • Vulnerability management: quarterly internal/external scans, annual penetration test (Level 1), regular VAPT
  • Strong cryptography: TLS 1.2+ for cardholder data transmission; AES-256 for data at rest; HSM for production keys
  • Logging and monitoring: all CDE activity logged; daily log review (automated acceptable); 1-year online + 1-year offline retention
  • MFA into CDE: required for all access (admin and otherwise); phishing-resistant where possible
  • Patch management: critical patches within 30 days; others within 90 days; documented risk-based deviations
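The logging-and-monitoring, MFA and segmentation bullets above translate into a daily log review, which 4.0 allows to be automated. The script below is an added example, not Codesecure's tooling: it reads constructed JSON-lines authentication events and, for each successful login into the CDE, checks that an MFA factor was used, notes when that factor is not phishing-resistant, and flags connections from outside an allowed management network. The log format, hostnames, users, factor names and addresses are all assumptions made for the example.

```python
"""Added example: automated daily review of CDE access logs.

For every successful login into the Cardholder Data Environment it checks
that MFA was used (PCI DSS 4.0 requires it for all CDE access), whether the
MFA method is phishing-resistant, and that the source address sits in an
allowed management network (segmentation).  Log format, hosts, users and
addresses are constructed for the example.
"""
import ipaddress
import json
from collections import Counter

# Constructed: management networks allowed to reach CDE hosts.
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.10.5.0/24")]
MFA_FACTORS = {"totp", "push", "fido2", "passkey", "smartcard"}
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}

# Constructed sample log: one JSON object per line, as an auth system might emit.
SAMPLE_LOG = """\
{"ts": "2026-05-18T09:01:12Z", "host": "pay-db-01", "zone": "cde", "user": "alice", "auth": "password+fido2", "result": "success", "src": "10.10.5.21"}
{"ts": "2026-05-18T09:05:40Z", "host": "pay-app-02", "zone": "cde", "user": "svc_deploy", "auth": "password", "result": "success", "src": "10.10.5.30"}
{"ts": "2026-05-18T09:07:02Z", "host": "web-cms-01", "zone": "corp", "user": "bob", "auth": "password", "result": "success", "src": "10.20.1.4"}
{"ts": "2026-05-18T09:09:15Z", "host": "pay-app-02", "zone": "cde", "user": "carol", "auth": "password+totp", "result": "success", "src": "10.10.5.22"}
{"ts": "2026-05-18T09:12:51Z", "host": "pay-db-01", "zone": "cde", "user": "dave", "auth": "password+totp", "result": "success", "src": "10.20.1.9"}
{"ts": "2026-05-18T09:14:03Z", "host": "pay-app-02", "zone": "cde", "user": "erin", "auth": "password", "result": "failure", "src": "203.0.113.9"}
"""


def parse_events(text: str) -> list[dict]:
    """One JSON object per line; malformed lines become findings, not silent drops."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError as exc:
            events.append({"parse_error": f"line {n}: {exc.msg}"})
    return events


def review_cde_access(events: list[dict]) -> list[dict]:
    """Return one finding per control violated by a successful CDE login."""
    findings = []
    for ev in events:
        if "parse_error" in ev:
            findings.append({"severity": "medium", "check": "LOG_PARSE", "detail": ev["parse_error"]})
            continue
        if ev.get("zone") != "cde" or ev.get("result") != "success":
            continue  # only successful CDE access is subject to these checks
        factors = set(ev.get("auth", "").split("+"))
        base = {"ts": ev["ts"], "user": ev["user"], "host": ev["host"]}
        if not factors & MFA_FACTORS:
            findings.append({**base, "severity": "high", "check": "MFA_MISSING"})
        elif not factors & PHISHING_RESISTANT:
            findings.append({**base, "severity": "low", "check": "MFA_NOT_PHISHING_RESISTANT"})
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in ALLOWED_ADMIN_NETS):
            findings.append({**base, "severity": "high", "check": "SRC_OUTSIDE_ADMIN_NET", "src": ev["src"]})
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Counts per check: the figure a daily review record would carry as evidence."""
    return dict(Counter(f["check"] for f in findings))


if __name__ == "__main__":
    found = review_cde_access(parse_events(SAMPLE_LOG))
    for f in found:
        print(f)
    print(summarize(found))
```

On the sample data this yields one `MFA_MISSING` (a service account logging in with a password alone), two `MFA_NOT_PHISHING_RESISTANT` notes for TOTP users, and one `SRC_OUTSIDE_ADMIN_NET` for a CDE login from the corporate network. Keeping the per-check counts alongside the raw findings is what turns a script run into the "daily log review" evidence an assessor asks for.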

Aligning PCI DSS with ISO 27001 and DPDP

Indian e-commerce serving Indian and international customers often needs to comply with multiple frameworks. The good news: 60-70% control overlap. Strategic alignment reduces total cost:

  • Build ISO 27001 ISMS first: comprehensive coverage including risk management, governance, all 93 Annex A controls
  • PCI DSS layers on top: ISO 27001 satisfies majority of PCI DSS requirements; PCI-specific additions (cardholder data handling, specific scanning frequencies) are incremental
  • DPDP overlays for personal data: card data is personal data; PCI DSS protection satisfies many DPDP technical requirements; add DPDP-specific governance (consent, rights, breach notification)
  • Single audit-evidence repository: same evidence supports ISO 27001 surveillance audit, PCI DSS assessment, DPDP audit
  • Estimated cost savings: 25-40% versus building each program independently

Full PCI DSS Implementation

Fixed-price PCI DSS 4.0 implementation including scope reduction, control implementation, scanning, penetration testing, QSA coordination.


PCI DSS Implementation Roadmap

A typical sequence for an eight-month implementation:

  • Month 1: scoping analysis, tokenization architecture if not in place, gap assessment against 4.0 controls
  • Month 2-3: scope reduction implementation (tokenization, hosted payment pages, segmentation)
  • Month 4: control implementation (MFA expansion, logging, encryption, monitoring)
  • Month 5: documentation (policies, procedures, evidence collection), internal vulnerability scan + remediation
  • Month 6: penetration test (Level 1 requirement, recommended for all levels), pre-assessment review
  • Month 7-8: external assessment (QSA or self-assessment per level), report submission
  • Ongoing: quarterly scans, annual assessment, change-based reassessment, ongoing monitoring

Frequently Asked Questions

Is PCI DSS mandatory for Indian e-commerce?

If you store, process or transmit cardholder data, yes. The card brands (Visa, Mastercard, Amex, RuPay) enforce it via your acquirer bank. Indian e-commerce that uses tokenization + hosted payment pages may have minimal direct scope but still some PCI obligations.

What is the 'customized approach' in PCI DSS 4.0?

Organizations can meet a requirement's intent through alternative controls if they document equivalence in a Customized Approach Worksheet. Provides flexibility for sophisticated security programs. Requires substantial security maturity to use effectively; most merchants use the Defined Approach (traditional).

How much does PCI DSS compliance cost in India?

Highly scope-dependent. SAQ A (simplest, hosted payment): INR 3-8 lakh first year, INR 2-3 lakh ongoing. SAQ D (full scope): INR 15-35 lakh first year. Level 1 with on-site QSA: INR 25-75 lakh first year, INR 15-25 lakh annual. Scope reduction is the biggest cost lever.

Can I do PCI DSS alongside ISO 27001 in the same project?

Yes, and it is recommended. There is roughly 60-70% control overlap. Sequential is often easier: ISO 27001 first (broader foundation), then add the PCI DSS-specific elements. Combined cost is typically 30-40% less than independent programs.

What is a SAQ and which one applies to me?

A SAQ is a Self-Assessment Questionnaire. There are multiple variants based on the payment acceptance model: SAQ A (fully outsourced e-commerce), SAQ A-EP (partially outsourced with iframe), SAQ B/B-IP (terminals only), SAQ C (segmented), SAQ D (everything else). SAQ A is the simplest, with the fewest questions. Your acquirer bank or QSA determines the appropriate SAQ for your environment.

What changes in PCI DSS 4.0 are most disruptive for existing merchants?

Expanded MFA requirements (for all CDE access, not just remote), targeted risk analyses (documented justification for many controls), and frequent scanning expectations. The customized approach is an opportunity, not a disruption. Most well-run merchants need 6-9 months to comfortably move from 3.2.1 to 4.0.

Do I need penetration testing for PCI DSS?

Required for Level 1 merchants and service providers (annual external + internal pentest of CDE). Strongly recommended for Level 2-3 even though not strictly required. Pentest must be conducted by qualified personnel (not the same team that built the system). See VAPT guide.


Codesecure Security Team

ISO/IEC 27001:2022 Certified Industry Compliance Practitioners

Codesecure Solutions is an ISO/IEC 27001:2022 certified cybersecurity firm in Chennai. Our industry-vertical practice serves Indian banks, fintechs, healthcare and e-commerce clients with sector-specific compliance, VAPT and managed security engagements.


Comply with PCI DSS Without Boiling the Ocean

Codesecure helps Indian e-commerce achieve PCI DSS 4.0 compliance efficiently through aggressive scope reduction and aligned ISO 27001 + DPDP implementation. ISO/IEC 27001:2022 certified.