PCI DSS 4.0.1 IS THE STANDARD CARRIERS NOW VERIFY
PCI DSS Compliance: Pass the SAQ Without Breaking the Renewal.
PCI DSS 4.0.1 took effect March 31, 2025; the future-dated requirements landed Q1 2026. The Self-Assessment Questionnaire your acquirer wants now references evidence-based controls, not yes-or-no checkboxes. We translate yours in a 30-minute call. If your current IT can already answer the new sections, you don’t need us.
Updated May 3, 2026
What changed in PCI DSS 4.0.1 that affects small merchants?
PCI DSS 4.0.1 introduced 64 future-dated requirements that became mandatory March 31, 2025, plus an additional set landing through Q1 2026. The shift from 3.2.1 was structural: multi-factor authentication on all administrative access (not just remote), segmented cardholder data environment with documented network diagrams, and customized validation options requiring written justification. The era of attestation-only SAQ-A submissions ended.
Multi-factor authentication scope expanded from “remote network access” to “all access into the CDE” — including console logins, VPN, jump boxes, and administrative portals. The requirement applies to every account with access to systems handling cardholder data. Acquirers and QSAs check enforcement scope in 2026, not just enablement.
Customized approach validation became the primary path for non-standard implementations. If your environment cannot meet a defined approach control as written, you must document the customized control with risk analysis, intended control objective, and the compensating evidence. The “mark not-applicable and move on” option closed for in-scope controls.
Targeted Risk Analysis is a new annual requirement. Every customized control, every compensating control, and every risk-assessed deviation requires documented analysis reviewed annually. The artifact accompanies the SAQ submission.
What does the QSA or acquirer actually inspect for PCI DSS 4.0.1?
For the small-merchant SAQ path, the acquirer inspects three artifacts before processing your renewal: your network segmentation diagram showing the cardholder data environment boundary, your MFA enforcement evidence covering all in-scope accounts, and your penetration test report from a qualified assessor. Without those three, the SAQ submission stalls.
The segmentation diagram is the artifact most merchants miss. PCI DSS 4.0.1 requires documented network architecture showing how the CDE is isolated from out-of-scope systems. Acquirers verify the diagram against your firewall configuration. A diagram showing isolation that the firewall does not enforce is a finding.
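One way to run that reconciliation before the acquirer does, as an added example that is not Triton's tooling and not code from the page: a small Python script takes the zones drawn on the segmentation diagram (a constructed CDE, corporate and guest network) and an exported rule set (also constructed, in a simplified name/action/source/destination/port form), and lists every allow rule that gives an out-of-scope zone a path into the CDE. Zone CIDRs, rule names and the rule format are assumptions for the example; a real export would be parsed from the firewall's own format first.

```python
"""Compare the CDE boundary drawn on a segmentation diagram with an exported
firewall rule set and flag rules that let out-of-scope zones reach the CDE."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One firewall rule as it appears in a (constructed) configuration export."""
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # destination port or "any"


# Constructed example: the zones as drawn on the segmentation diagram.
DIAGRAM_ZONES = {
    "CDE": ["10.10.0.0/24"],        # POS terminals and payment server
    "CORP": ["10.20.0.0/24"],       # back office, drawn as out of scope
    "GUEST": ["192.168.50.0/24"],   # guest Wi-Fi, drawn as out of scope
}

# Constructed example: what the firewall export actually contains.
FIREWALL_RULES = [
    Rule("pos-to-processor", "allow", "10.10.0.0/24", "203.0.113.0/24", "443"),
    Rule("corp-to-cde-mgmt", "allow", "10.20.0.0/24", "10.10.0.0/24", "22"),
    Rule("guest-outbound", "allow", "192.168.50.0/24", "any", "any"),
    Rule("default-deny", "deny", "any", "any", "any"),
]


def zones_for(endpoint, zones=DIAGRAM_ZONES):
    """Return the diagram zones whose address space overlaps a rule endpoint.
    'any' touches every zone, which is why any-destination rules get caught."""
    if endpoint == "any":
        return set(zones)
    net = ipaddress.ip_network(endpoint, strict=False)
    return {
        zone for zone, cidrs in zones.items()
        if any(net.overlaps(ipaddress.ip_network(c)) for c in cidrs)
    }


def find_segmentation_gaps(rules, zones=DIAGRAM_ZONES, cde_zone="CDE"):
    """Every (rule name, source zone, port) where an allow rule gives a non-CDE
    zone a path into the CDE. The diagram shows the CDE isolated, so each one
    is a finding until the rule is removed or the diagram is corrected."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if cde_zone not in zones_for(rule.dst, zones):
            continue
        for zone in sorted(zones_for(rule.src, zones) - {cde_zone}):
            findings.append((rule.name, zone, rule.dport))
    return findings


def report(findings):
    """Plain-text lines suitable for the evidence file or a remediation ticket."""
    if not findings:
        return ["no out-of-scope zone reaches the CDE; diagram and rule set agree"]
    return [f"FINDING rule '{name}' permits {zone} -> CDE on port {port}"
            for name, zone, port in findings]


if __name__ == "__main__":
    for line in report(find_segmentation_gaps(FIREWALL_RULES)):
        print(line)
```

On the constructed data the script flags two rules: the back-office SSH rule into the CDE and the guest rule whose "any" destination silently includes the CDE. It is a static review of the allow list only; it does not model rule ordering (a broad deny placed above an allow would shadow it), so treat the output as the list of paths to reconcile against the diagram, not as proof that the boundary holds. Pairing it with the active-rule export each quarter is what turns the diagram into evidence rather than a drawing.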
For QSA-assessed environments (typically Level 1 and Level 2 merchants), the inspection depth increases. The QSA pulls firewall rule sets, samples log retention, validates encryption at rest and in transit, and tests MFA enforcement on randomly selected accounts. The Report on Compliance is the deliverable; the evidence file backing it is twelve months of operational artifacts.
Compliance is a snapshot, not a destination. A passed SAQ in 2024 does not protect you in 2026 — the standard moved while you were not watching, and the evidence the acquirer requested last year is not the evidence they require now. The honest path is continuous evidence collection, not annual SAQ panic.
What happens if you fail your PCI DSS attestation?
Acquirer suspension of card processing rights typically follows within 30 to 90 days of a failed attestation, depending on the merchant agreement. For restaurants, hotels, and retail merchants where card processing is not optional, the suspension is an existential event — not a fine to pay and move on.
The path is mechanical. The acquirer requests the current SAQ. The merchant submits an attestation against PCI DSS 4.0.1 controls it cannot substantiate. The acquirer issues a deficiency notice with a cure period (typically 30-90 days). The merchant either remediates within the window or its processing rights are suspended. A suspended merchant cannot accept cards through the acquirer relationship until reinstatement.
For multi-location operators — particularly hospitality groups, restaurant chains, and retail multi-location — the failure cascades. Each location processes through the same acquirer relationship. A SAQ failure at the corporate level suspends every location. Diversified card-acceptance arrangements are not a fix when the same parent firm holds the merchant agreement.
The harder consequence is at breach time. PCI DSS attestation is a contractual representation to the acquirer. A breach affecting cardholder data with attestation gaps the acquirer can show were known to the merchant exposes the merchant to fines, forensic costs, and card-brand penalties — typically $50 to $90 per affected cardholder record before legal exposure even starts.
How does Triton get your firm PCI DSS 4.0.1 compliant?
We deploy Sophos Firewall to enforce CDE segmentation, Sophos Endpoint XDR plus Microsoft Defender to satisfy the malware-protection and audit-logging controls, and AWS-backed immutable backup with restore-test logging. We then deliver your acquirer the segmentation diagram, the MFA enforcement attestation, and the penetration-test coordination the SAQ submission requires.
The stack matters because each component maps to specific PCI DSS 4.0.1 requirements. Sophos Firewall produces the segmentation diagram (req 1.2.1) and the active-rule configuration export (req 1.4.1). Sophos Endpoint XDR satisfies the malware-protection and file-integrity-monitoring requirements (req 5.x and 11.5.x). Microsoft Defender covers the MFA enforcement scope across the Microsoft tenant (req 8.4.x). AWS-backed immutable backup produces the data-recovery evidence (req 12.10.x).
We deploy on AWS because downtime is not an option. When a critical system goes down — including the POS systems your card processing depends on — AWS support responds with enterprise urgency. Every dollar of downtime is a dollar of card revenue you can’t collect.
Our typical PCI DSS 4.0.1 engagement delivers the segmentation diagram, MFA attestation, audit log retention proof, and SAQ-ready packet inside 60 days. For multi-location operators we have run a hospitality and property management group of 85 locations and 1,000-plus employees through standardization in 60 days — the same operating discipline applies to PCI scope work.
What evidence does the acquirer or QSA actually want on file?
Six artifacts, in the format the acquirer’s back-office or your QSA expects to see at submission time. Every one maps to specific 4.0.1 requirements. The evidence file is the work — the SAQ checkbox is the cover sheet.
Why start now? Because the renewal cycle is shorter than the remediation cycle.
Most merchant agreements require annual SAQ submission within 30 days of the anniversary date. Segmentation diagram authoring and validation takes three to four weeks. Penetration testing scheduling takes another two to four weeks. Sophos Firewall and Defender deployment with documented evidence capture takes 30 to 60 days. The end-to-end window is 90-plus days from engagement start to acquirer-ready SAQ.
Multi-location restaurant, hotel, and retail operators across CT/NY/RI/MA that we have helped through prior renewal cycles started PCI work 90 days before the SAQ anniversary. The firms that started 30 days out submitted with deficiencies and remediated under cure-period pressure — paying for engineering work at premium rates and accepting weaker attestations than they would have under normal scoping.
Frequently Asked Questions
Which SAQ type applies to my business?
For card-present merchants without electronic cardholder data storage: SAQ B-IP (network-connected POS) or SAQ C-VT (virtual terminal) typically apply. For e-commerce with redirect-to-processor: SAQ A. For e-commerce with direct payment page hosting: SAQ A-EP. For full storage/processing/transmission: SAQ D. The acquirer’s eligibility worksheet drives the selection — not the merchant’s preference. Triton scopes the correct SAQ as part of the engagement intake.
Does PCI DSS 4.0.1 apply if I use Toast or Square?
Yes. The PSP integration reduces your SAQ scope but does not eliminate it. SAQ B-IP or P2PE (depending on whether the integration is Point-to-Point Encrypted) still applies. Your network segmentation, MFA on administrative access, and incident response plan remain in scope regardless of the POS vendor. The PSP handles the cardholder-data-storage requirements only when the integration is genuinely outside your environment.
What is the difference between SAQ A and SAQ A-EP for e-commerce?
SAQ A applies when the entire payment page is hosted by the third-party processor — the customer never lands on your domain during payment entry. SAQ A-EP applies when you host the payment page but redirect or iframe the actual card-entry to the processor. SAQ A-EP scope is significantly larger because your servers are still in the path. PCI DSS 4.0.1 introduced new requirements specifically targeting SAQ A-EP merchants — penetration testing, segmentation, and integrity monitoring on the payment page server.
What does PCI 4.0.1 cost for a 5-location restaurant operator?
Total compliance investment for a five-location small operator typically runs $18,000 to $45,000 over the first year. The split: Sophos Firewall + Endpoint deployment ($6-15K), MFA + Defender configuration ($3-8K), penetration test ($4-8K), segmentation documentation and SAQ authoring ($3-8K), continuous monitoring tooling ($2-6K annual). The acquirer assessment fee varies by acquirer — most include it in monthly processing.
Does Triton handle the QSA assessment directly?
For Level 3-4 merchants on the SAQ path, no QSA is required — Triton delivers the evidence file the acquirer needs for self-attestation. For Level 1-2 merchants requiring a QSA, we partner with a named QSA firm and provide the technical evidence the QSA validates. We do not function as a QSA — that creates an independence conflict — but the evidence file we deliver is the bulk of the work the QSA assessment runs against.
What if my POS vendor refuses to provide a P2PE attestation?
That is a SAQ scope problem on its face. The P2PE attestation is what reduces your SAQ B-IP to P2PE (smallest scope). Without it, you stay on the larger-scope SAQ. The fix is either pressuring the POS vendor, switching to a P2PE-attested vendor, or accepting the larger SAQ scope. We help operators evaluate the cost-of-switching against the cost-of-larger-SAQ before recommending a path.
How does cyber insurance interact with PCI DSS?
Cyber insurance carriers have aligned their underwriting questionnaires to PCI DSS 4.0.1 — the same MFA, segmentation, and penetration-testing evidence satisfies both. The reverse is also true: a cyber-insurance non-renewal can trigger acquirer scrutiny, since most carriers communicate underwriting failures to acquirers under shared-risk arrangements. Our PCI engagement and our cyber-insurance-readiness engagement share most of the evidence file by design.
Do we need dark web monitoring as part of PCI DSS 4.0.1?
No. Dark web monitoring is a notification service, not a PCI DSS control. The 4.0.1 standard does not reference it. The correct investment is the proactive hardening 4.0.1 actually requires — segmentation, MFA, file integrity monitoring, audit logging, and quarterly external scanning by an Approved Scanning Vendor. We do not bundle dark web monitoring and it does not appear on any PCI DSS evidence list.