PCI DSS 4.0. Protect every transaction.
The mandatory standard for anyone handling payment card data. Alvor maps all 12 requirement families, automates evidence collection, and maintains continuous compliance between annual assessments.
PCI DSS overview
The standard behind every card transaction
12 requirement families
250+ sub-requirements mapped
40% faster SAQ completion
PCI DSS is required for any organization that stores, processes, or transmits payment card data. Version 4.0 introduced a customized approach alongside the traditional defined approach, giving organizations flexibility in how they meet security objectives. With over 250 sub-requirements across 12 families, achieving and maintaining compliance demands structured, continuous effort.
Domain coverage
Twelve requirement families
PCI DSS 4.0 organizes its requirements into six goals and twelve families covering the full scope of cardholder data protection.
Network Security
Install and maintain network security controls and apply secure configurations to all system components. Covers firewalls, segmentation, and hardening standards.
Account Data Protection
Protect stored account data and protect cardholder data with strong cryptography during transmission over open networks.
Vulnerability Management
Protect systems against malicious software and develop and maintain secure systems and software. Covers patching, anti-malware, and secure SDLC.
Access Control
Restrict access by business need-to-know, identify users and authenticate access, and restrict physical access to cardholder data.
Monitoring & Testing
Log and monitor all access to system components and cardholder data. Test security of systems and networks regularly.
Security Policies
Support information security with organizational policies and programs. Covers security awareness, incident response, and risk assessments.
Common challenges
PCI DSS non-compliance means losing the ability to process payments
The problem
Quarterly vulnerability scans and annual penetration tests generate findings that sit in PDF reports nobody tracks
How Alvor helps
Findings from scans and pen tests flow directly into your risk register with severity, owner, and remediation tracking
The problem
Cardholder data environment scope keeps expanding because nobody maintains a current data flow diagram
How Alvor helps
Architecture design canvas documents your CDE, data flows, and segmentation controls visually — with security annotations
The problem
SAQ completion takes weeks of cross-department coordination to gather evidence from a dozen different systems
How Alvor helps
Automated evidence collection maps artifacts to PCI DSS requirements. SAQ responses are pre-populated from collected evidence
The problem
Compensating controls are documented in Word files with no connection to the requirements they address
How Alvor helps
Compensating controls link directly to requirements, include risk assessments, and are tracked through the customized approach validation process
What you get
PCI DSS compliance, automated
Full v4.0.1 requirement mapping
All 12 requirement families and 250+ sub-requirements pre-mapped with defined and customized approach guidance. Includes the new requirements that became effective March 2025.
CDE scope management
Document your cardholder data environment, data flows, and network segmentation on the architecture design canvas. Maintain living documentation that evolves with your infrastructure.
Vulnerability & scan tracking
Import results from ASV scans, internal vulnerability assessments, and penetration tests. Findings auto-populate your risk register with PCI DSS requirement linkage and remediation tracking.
Evidence collection & SAQ support
Automated evidence collection from infrastructure, access controls, and logging systems. Pre-populate SAQ responses with linked evidence artifacts and control documentation.
Customized approach documentation
If you're using PCI DSS 4.0's customized approach, Alvor helps document your targeted risk analysis, custom controls, and validation testing for each requirement.
Continuous compliance monitoring
PCI DSS requires ongoing security — not just annual assessments. Continuous monitoring tracks control effectiveness between assessments and alerts on drift.