PCI DSS 4.0 for Indian Merchants and Payment Aggregators

PCI DSS 4.0 is the current mandatory version of the Payment Card Industry Data Security Standard, replacing version 3.2.1 after its retirement in March 2024. For Indian merchants, payment aggregators (PAs), payment gateways (PGs), and fintechs that store, process, or transmit cardholder data, compliance is not optional — card networks (Visa, Mastercard, RuPay) and acquirers enforce it contractually. Version 4.0 introduces a Customized Approach for mature organisations, expanded multi-factor authentication (MFA) mandates, targeted risk analysis, and continuous monitoring requirements. Critically, 64 future-dated requirements that were phased in from 31 March 2025 are now fully mandatory. This guide explains what changed, who it affects in India, and how to scope, assess, and remediate efficiently.

Who Must Comply with PCI DSS in India

Any organisation that touches payment card data falls under the PCI DSS umbrella, regardless of whether it is headquartered in India or abroad. In the Indian context, three major categories are relevant:

Merchants accepting card payments — from large e-commerce platforms to retail POS operators — are tiered by annual transaction volume. Tier 1 merchants (over 6 million Visa or Mastercard transactions per year) must complete a full Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA). Tier 2–4 merchants typically self-assess using a Self-Assessment Questionnaire (SAQ).

Payment Aggregators and Payment Gateways licensed by the Reserve Bank of India (RBI) under the Payment Aggregators and Payment Gateways guidelines (March 2020) are required by RBI to hold a PCI DSS certificate at Level 1. This is non-negotiable: RBI has embedded PCI DSS compliance as a condition of authorisation. The RBI PA/PG circular explicitly references the standard as a baseline security requirement.

Fintechs and Neobanks that issue co-branded cards, store card tokens, or operate card-linked loyalty programmes must scope their cardholder data environment (CDE) correctly or face card-brand fines routed through their acquirer.

⚠️

WARNING

RBI's Payment Aggregator authorisation framework requires Level 1 PCI DSS certification. Operating a PA/PG without a current PCI DSS certificate puts your RBI licence at risk, not just your card-brand relationship.

64Future-dated PCI DSS 4.0 requirements that became mandatory on 31 March 2025 (PCI SSC 2024)

100%Indian RBI-authorised Payment Aggregators required to hold PCI DSS Level 1 certification (RBI PA/PG Guidelines 2020)

The 12 Requirements: What PCI DSS 4.0 Actually Covers

PCI DSS organises its controls into 12 high-level requirements grouped across six goals. Version 4.0 restructured the language around outcomes rather than prescriptive checklists, but the 12 headings remain:

#	Requirement	Key 4.0 Change
1	Install and maintain network security controls	"Firewalls" renamed to "network security controls"; covers cloud NSGs and WAFs
2	Apply secure configurations to all system components	Expanded to cover bespoke and custom software
3	Protect stored account data	Stronger controls on PAN truncation and hashing algorithms
4	Protect cardholder data in transit	TLS 1.2 minimum; TLS 1.3 explicitly encouraged
5	Protect all systems against malware	Anti-malware must be capable of detecting all types, not just signature-based
6	Develop and maintain secure systems and software	Targeted risk analysis for change management; web app protection mandatory
7	Restrict access to system components and cardholder data	Need-to-know basis; role-based access reviews formalised
8	Identify users and authenticate access	MFA expanded — required for all access into CDE, not just remote
9	Restrict physical access to cardholder data	No major structural change; biometric controls referenced
10	Log and monitor all access	Automated log monitoring now required; manual review insufficient
11	Test security of systems and networks	ASV scanning, penetration testing, internal vulnerability scans retained
12	Support information security with org policies	Targeted risk analysis formalised as a standalone process

The Four Major Changes in PCI DSS 4.0

1. Customized Approach

The most architecturally significant change is the introduction of a Customized Approach alongside the existing Defined Approach. The Defined Approach is the prescriptive, step-by-step path — it specifies exact controls. The Customized Approach lets organisations with mature security programmes design their own controls that meet the stated objective, provided they document the control, perform a targeted risk analysis, and have a QSA validate the outcome.

This is not a shortcut — it is harder. It requires thorough documentation and a QSA willing to assess bespoke controls. For most Indian merchants and PAs, the Defined Approach remains the right choice. The Customized Approach is relevant for large banks and financial institutions that already operate controls that exceed the prescriptive baseline.

2. Expanded Multi-Factor Authentication

PCI DSS 3.2.1 required MFA for remote access into the CDE. Version 4.0 extends this to all administrative access into the CDE, regardless of whether the session originates from within the corporate network or remotely. Database admins, application administrators, and system operators who access CDE systems from internal networks now require MFA.

For Indian organisations with legacy on-premise infrastructure and large internal admin teams, this is a significant operational change. OTP-over-SMS does not qualify — phishing-resistant MFA (TOTP apps, hardware tokens, or passkeys) is required for privileged access.

🛡️

SECURITY

Requirement 8.4.2 mandates MFA for all access to the CDE. This explicitly includes access from within your own data centre. Budget for MFA deployment across all privileged accounts that touch cardholder systems — not just VPN sessions.

3. Targeted Risk Analysis (TRA)

Version 4.0 introduces a formalised Targeted Risk Analysis process for several requirements that previously had fixed timescales. For example, the frequency of reviewing log anomalies, the schedule for reviewing access rights, and the cadence of internal vulnerability scans could historically be set to a fixed period. Under 4.0, an organisation must justify its chosen frequency through a documented risk analysis that considers threat likelihood, detection capability, and compensating control maturity.

This shifts compliance from a calendar-driven tick-box exercise to a risk-informed programme — which is better security, but more documentation work.

4. Continuous Monitoring and Automated Log Analysis

Requirement 10.7 now mandates that critical security controls are monitored continuously and that failures are detected and responded to promptly. Log review can no longer be a weekly manual task — automated alerting on suspicious patterns is required. This aligns PCI DSS 4.0 with SIEM (Security Information and Event Management) best practice.

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

SAQ vs ROC: Which Assessment Path Applies to You

graph TD
    A[Do you store process or transmit cardholder data?] -->|No| B[Out of Scope — document segmentation]
    A -->|Yes| C[How many card transactions per year?]
    C -->|Over 6M Visa or MC| D[Tier 1 Merchant or Level 1 PA]
    C -->|Under 6M| E[Tier 2-4 Merchant]
    D --> F[ROC by QSA — mandatory]
    E --> G[Which SAQ applies?]
    G -->|Card-not-present — fully outsourced CDE| H[SAQ A]
    G -->|Imprint only or standalone terminals| I[SAQ B]
    G -->|eCommerce — partial card page| J[SAQ A-EP]
    G -->|IP-connected terminals| K[SAQ C]
    G -->|Internal CDE| L[SAQ D — full controls]
    F --> M[Annual ROC plus quarterly ASV scans]
    H --> N[Lightest burden — 22 controls]
    L --> O[Heaviest burden — all 12 requirements]

    style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style B fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style D fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style F fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style M fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style N fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style O fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style C fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style E fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style G fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style H fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style I fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style J fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style K fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style L fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0

The self-assessment questionnaire you complete depends entirely on how your organisation handles card data. SAQ A applies when you have fully outsourced all card processing and your e-commerce pages redirect to a third-party hosted payment page with no card data ever touching your servers. SAQ D is the most comprehensive and applies to any merchant or service provider with an internal CDE.

💡

TIP

The fastest path to reducing compliance burden is scope reduction through segmentation. If your systems that handle cardholder data are isolated from the rest of your network through firewalls, VLANs, or tokenisation, only those in-scope systems need to comply. Investing in proper network segmentation typically halves the number of systems audited.

Scoping and Segmentation: The Most Efficient Path to Compliance

Scope defines which systems, people, and processes must comply. Everything in or connected to the CDE is in scope. The most effective compliance strategy is minimising the CDE through:

Tokenisation: Replace the Primary Account Number (PAN) with a surrogate token in your systems. Only the token vault (held by your payment processor) touches the real PAN.
Network segmentation: Use firewall rules and VLANs to isolate CDE systems. Systems that have no network path to the CDE can be documented as out of scope.
Hosted payment pages: For e-commerce merchants, redirecting to a PCI-compliant hosted payment page (operated by your PA/PG) means card data never enters your domain.

Indian e-commerce platforms that use Razorpay, PayU, or similar aggregators and redirect to a hosted payment page can typically qualify for SAQ A — the lightest assessment track. The aggregator holds Level 1 certification; the merchant only needs to validate that their redirect is not tampered with and their environment is clean.

VAPT and ASV Scanning Requirements

PCI DSS 4.0 Requirement 11 mandates specific security testing:

Requirement 11.3: Internal vulnerability scans must be performed at least quarterly and after any significant change, and high-risk and critical vulnerabilities must be remediated before the next scan.
Requirement 11.3.2: External vulnerability scans must be performed quarterly by an Approved Scanning Vendor (ASV) approved by the PCI SSC. ASVs are a specific certification category distinct from general security firms.
Requirement 11.4: Penetration testing must be performed at least annually and after significant infrastructure changes. The scope includes network-layer and application-layer testing.
Requirement 6.4: All public-facing web applications must be protected by a WAF or undergo a web application vulnerability assessment at least annually.

Organisations not yet running regular external scanning can start with a free VAPT scan to establish a baseline of externally visible vulnerabilities before engaging a QSA. Bachao.AI automates external web application scanning and delivers structured findings that align with PCI DSS Requirement 6 and 11 control objectives. For the mandatory ASV quarterly scan under Requirement 11.3.2, you will need an ASV on the PCI SSC's approved list; Dhisattva AI Pvt Ltd connects clients with accredited partners for this component.

xychart-beta
    title "PCI DSS 4.0 — Future-Dated Requirements: Illustrative Category Distribution (64 total)"
    x-axis ["Authentication", "Monitoring", "Encryption", "Software Security", "Risk Analysis", "Other"]
    y-axis "Approx Count" 0 --> 20
    bar [12, 11, 9, 14, 8, 10]

The 31 March 2025 Deadline: What Became Mandatory

When PCI DSS 4.0 was published in March 2022, the PCI SSC designated 64 requirements as future-dated, meaning they were best-practice guidance that would become mandatory on 31 March 2025. As of that date, these are now fully enforceable. The most operationally significant ones include:

Requirement 5.3.3: Anti-phishing mechanisms must be in place for personnel who could be targeted via email.
Requirement 6.3.2: An inventory of all bespoke and custom software must be maintained.
Requirement 6.4.2: WAF or equivalent protection for all public-facing web applications must be deployed (not merely planned).
Requirement 8.4.2: MFA for all access into the CDE (the expanded scope beyond remote access).
Requirement 10.7.2: Failures of critical security controls must be detected, alerted, and resolved promptly.
Requirement 12.3.2: A TRA must be performed and documented for requirements where frequency is driven by the entity's own risk assessment.

Organisations that completed a PCI DSS 4.0 ROC or SAQ before March 2025 and treated these as best-practice items are now non-compliant unless they have remediated. QSAs conducting 2025–2026 assessments are validating all 64 former future-dated requirements as mandatory controls.

🚨

DANGER

If your last assessment was completed between April 2022 and March 2025, your compliance programme likely has gaps in the 64 newly mandatory requirements. Schedule a gap assessment against the full 4.0 requirement set before your next QSA engagement.

External Authoritative Sources

The PCI Security Standards Council publishes all official documentation at pcisecuritystandards.org, including the full PCI DSS 4.0 standard, the SAQ forms, the list of approved QSAs and ASVs, and the Customized Approach guidance. The RBI's Payment Aggregator and Payment Gateway framework circular (March 17, 2020) is available at rbi.org.in and explicitly lists PCI DSS compliance as a licensing prerequisite for Payment Aggregators.

For further reading on India's broader cybersecurity and data protection obligations, the CERT-In guidelines under the IT Amendment Rules 2022 are published at cert-in.org.in, and the Digital Personal Data Protection Act 2023 framework is available through meity.gov.in.

🎯Key Takeaway

PCI DSS 4.0 is not merely an updated checklist — it is a shift toward risk-informed, continuously monitored security. For Indian merchants, the fastest compliance path is scope reduction through tokenisation and hosted payment pages. For PAs and PGs, Level 1 ROC with a QSA is mandatory under RBI rules. The 64 future-dated requirements that became mandatory on 31 March 2025 require an immediate gap assessment if your last review was completed before that date.

Frequently Asked Questions

Is PCI DSS mandatory for all Indian merchants?

PCI DSS is contractually required by card networks (Visa, Mastercard, RuPay) and enforced through your acquirer. It is not a statutory law in India, but non-compliance exposes merchants to fines and card-acceptance termination. RBI-authorised Payment Aggregators have an additional statutory obligation under RBI's PA/PG framework.

What is the difference between PCI DSS 4.0 and 3.2.1?

PCI DSS 3.2.1 was retired in March 2024. Version 4.0 introduces the Customized Approach, expands MFA requirements to all CDE access (not just remote), formalises Targeted Risk Analysis for frequency decisions, and mandates automated log monitoring. It also added 64 future-dated requirements that became mandatory on 31 March 2025.

Do I need a QSA or can I self-assess?

Tier 1 merchants and RBI-authorised Level 1 PAs/PGs must use a QSA for a full ROC. Tier 2–4 merchants can self-assess using the appropriate SAQ form. The SAQ you use depends on how your environment handles card data — SAQ A is the lightest (for fully outsourced card processing) while SAQ D covers a full internal CDE.

What is an ASV and do I need one?

An Approved Scanning Vendor (ASV) is a company certified by the PCI SSC to perform external network vulnerability scans under Requirement 11.3.2. Quarterly external scans by an ASV on the PCI SSC's approved list are mandatory for most merchants and all service providers. A general penetration testing firm does not satisfy this requirement unless it is also PCI SSC-approved as an ASV.

How does scope reduction work in practice?

Scope reduction means minimising the number of systems that store, process, or transmit cardholder data. Common techniques include tokenisation (replacing PANs with non-sensitive tokens), using hosted payment pages (so card data never reaches your servers), and network segmentation (firewalls and VLANs that isolate CDE systems). Fewer in-scope systems means fewer controls to implement and a shorter audit.

What happens if a company is found non-compliant during an assessment?

A QSA finding of non-compliance results in a Report on Compliance that documents open controls. Card brands can impose fines on the acquiring bank, which are passed through to the merchant or PA. In severe cases — particularly following a data breach — card networks can revoke card-acceptance privileges. Indian PA/PGs also face the added risk of RBI licence conditions being breached.

PCI DSS 4.0 for Indian Merchants and Payment Aggregators

Get cybersecurity insights for Indian SMBs

Exposed to CVEs like this? Run a free VAPT scan — risk score in 2 hours, no credit card.