Compliance Guide

PCI DSS Compliance for Endpoints

A Practical Guide to PCI DSS 4.0.1's Endpoint Security Requirements

PCI DSS v4.0.1 is now the only active version of the standard, and every requirement, including those introduced in v4.0 as future-dated best practices, became mandatory on 31 March 2025. This guide breaks down what that means for the endpoints that touch cardholder data, and how Zecurit Endpoint Manager helps you meet it.

Published by: Zecurit
Category: Compliance & Regulation
Audience: IT Teams, Security Officers, QSAs, Compliance Leads

Why PCI DSS Treats the Endpoint as Frontline Defence

At a Glance
  • Who is impacted: Any merchant, service provider, or organisation that stores, processes, or transmits cardholder data, regardless of transaction volume.
  • What changed: PCI DSS v4.0.1 is now the only active version. Every requirement introduced in v4.0 as a future-dated best practice became mandatory on 31 March 2025.
  • Why endpoints matter now: Anti-malware, removable media scanning, MFA, patch management, and authenticated vulnerability scanning are explicit, testable requirements that live on the endpoint.
  • How Zecurit helps: Patch management, device control, access management, BitLocker encryption, and audit-ready compliance reporting from a single agent and console.

The Payment Card Industry Data Security Standard governs every organisation that handles cardholder data, enforced not by a government regulator but by the major card brands, Visa, Mastercard, American Express, Discover, and JCB, through acquiring banks. Non-compliance carries monthly fines ranging from roughly $5,000 to $100,000, increased per-transaction processing fees, and in serious cases, the loss of card processing privileges altogether.

PCI DSS v4.0.1 became the only active version of the standard when v4.0 was retired at the end of 2024, and it remains the current standard for 2026 compliance assessments. With several hundred sub-requirements and testing procedures organised under 12 principal requirements, much of what assessors test traces directly back to how endpoints are configured, patched, monitored, and locked down.

The Endpoint Is Where Most Tests Land: Anti-malware coverage, removable media scanning, authenticated vulnerability scans, patch timelines, and access control for the cardholder data environment are not abstract policy statements. They are specific, testable controls that a Qualified Security Assessor verifies on a sample of in-scope system components, by examining configurations and logs rather than accepting a policy document.

This guide maps PCI DSS v4.0.1's endpoint-relevant requirements to specific capabilities in Zecurit Endpoint Manager, so IT teams preparing for a Report on Compliance or Self-Assessment Questionnaire can turn the standard's language into operational controls.

Key Terminology Under PCI DSS

A handful of terms recur throughout the standard and its assessment process:

  • CDE

    The Cardholder Data Environment: the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, plus any system components that connect to it or could affect its security. Network segmentation is what limits which endpoints fall inside it.

  • PAN

    Primary Account Number, the full card number. PAN is the data element PCI DSS protects most tightly: wherever it is stored it must be rendered unreadable (Requirement 3.5.1) by strong cryptography, truncation, index tokens, or keyed one-way hashing, and it may only be shown in masked form (3.4.1) to personnel without a business need to see the full number.

  • ROC / SAQ

    Report on Compliance (a formal assessment by a QSA or Internal Security Assessor, required of larger merchants and service providers) and Self-Assessment Questionnaire (completed by the entity itself, for smaller merchants and some service providers). Which path applies, and which SAQ type, is set by the card brands and your acquirer based on merchant level and payment channel, not chosen by the merchant.

  • QSA

    Qualified Security Assessor: an individual certified by the PCI Security Standards Council to perform formal PCI DSS compliance assessments.

  • Targeted Risk Analysis (TRA)

    A concept introduced in v4.0 (Requirement 12.3.1) that lets organisations set the frequency of certain recurring controls, such as periodic malware scans (5.3.2.1) or log reviews for lower-risk components (10.4.2.1), based on a documented analysis of the risk rather than a fixed PCI-mandated interval. Each TRA must be reviewed at least once every 12 months.

  • Customised Approach

    An alternative to the standard's defined approach, allowing organisations to design their own controls to meet a requirement's stated customised approach objective. Each customised control needs a controls matrix and its own targeted risk analysis (12.3.2), and the option is only available to entities assessed through a ROC, not through an SAQ.

Who Must Comply With PCI DSS?

PCI DSS applies to any entity that touches cardholder data, regardless of size or transaction volume. This includes:

  • Retailers and e-commerce platforms accepting card payments
  • Payment processors, gateways, and acquiring banks
  • Hospitality, travel, and subscription billing businesses
  • SaaS platforms that store or transmit cardholder data on behalf of merchants
  • Call centres and contact centres taking card payments by phone
  • Point-of-sale and payment terminal vendors
  • Managed service providers supporting the CDE of any client
  • Any business outsourcing payment processing but retaining card data in logs or backups

Penalty Exposure: Non-compliance is enforced contractually rather than by statute, through fines from card brands and acquiring banks that typically range from $5,000 to $100,000 per month, alongside increased transaction processing fees. Following a breach, non-compliant organisations also face the cost of mandatory forensic investigations, potential loss of card processing privileges, and reputational damage that often outweighs the direct financial penalty.

The Six Control Objectives

PCI DSS v4.0.1's 12 requirements are organised under six broader control objectives. Understanding this structure makes it easier to see where endpoint management does the heaviest lifting.

Objective 01

Build and Maintain a Secure Network

Network security controls and secure configurations across all system components, with no vendor-default passwords or unnecessary services left enabled.

Objective 02

Protect Account Data

Encryption, truncation, or tokenisation of stored PAN, plus strong cryptography for cardholder data transmitted across open, public networks.

Objective 03

Maintain a Vulnerability Management Programme

Anti-malware deployment across every channel that touches the CDE, plus secure development practices and prompt patching of known vulnerabilities.

Objective 04

Implement Strong Access Control

Least-privilege access, unique user IDs, multi-factor authentication for CDE access, and strict physical access restrictions to cardholder data.

Objective 05

Monitor and Test Networks Regularly

Logging and monitoring of all access to system components and cardholder data, alongside regular vulnerability scans and penetration testing.

Objective 06

Maintain an Information Security Policy

A formal information security policy addressing all personnel, supported by ongoing security awareness training reviewed at least annually.

What Changed in v4.0.1, and What's Mandatory Now

Current Status: PCI DSS v4.0.1 is a limited revision of v4.0, published in June 2024 to clarify wording rather than introduce new controls. As of 31 March 2025, every requirement under v4.0.1, including those originally marked future-dated, is mandatory for every organisation in scope. There is no grace period remaining.

Several of v4.0.1's clarifications directly affect how endpoint controls are scoped and tested. In Requirement 6.3.3, v4.0 had widened the one-month installation window to "critical or high-security" patches; v4.0.1 returned to the v3.2.1 scope, so the fixed 30-day clock applies to patches for vulnerabilities ranked critical under the entity's own risk-ranking process (Requirement 6.3.1), while all other applicable security patches must be installed within a timeframe the entity defines and documents (the standard offers three months as an example). This gives IT teams a clearer prioritisation signal, with one caveat: "critical" is whatever your 6.3.1 ranking says it is, and that ranking has to be defensible to an assessor, not simply a vendor severity label.

On multi-factor authentication, Requirement 8.4.2 (introduced in v4.0, mandatory since 31 March 2025) requires MFA for all non-console access into the cardholder data environment, for any role, from any location, inside the corporate network or outside it; v4.0.1 added a narrow exception for user accounts that authenticate solely with phishing-resistant factors. Removable media scanning is likewise a v4.0 requirement that is now mandatory rather than a v4.0.1 change: under Requirement 5.3.3 the anti-malware solution must either automatically scan removable media when it is inserted, connected, or logically mounted, or perform continuous behavioural analysis of the system while the media is connected. A written policy asking users to scan USB drives does not satisfy it.

PCI DSS Requirements Mapped to Zecurit Endpoint Manager

The following sections translate each endpoint-relevant PCI DSS v4.0.1 requirement into the specific Zecurit capabilities that support it.

Mapping 01

Anti-Malware Protection, Including Removable Media

Requirement 5

Organisations must deploy and maintain anti-malware protection on all system components commonly affected by malicious software, keep it current and running, and ensure users cannot disable or alter it without documented, time-limited authorisation (Requirement 5.3). Requirement 5.3.3 (new in v4.0, mandatory since 31 March 2025) adds removable media: the anti-malware solution must automatically scan USB drives and external storage when inserted, connected, or logically mounted, or perform continuous behavioural analysis while the media is connected. A manual policy alone does not meet 5.3.3.

Zecurit Endpoint Manager

Security Alerts in the Monitoring and Alerts module notify IT teams when antivirus or antimalware protection is disabled on any endpoint within the CDE, which is the kind of evidence an assessor looks for under 5.3.5 (protection that users cannot switch off unnoticed). Device Control governs whether removable media can connect to managed endpoints in the first place, with BadUSB keystroke injection prevention and policy enforcement that holds even when a device is offline. Note that the automatic scan or behavioural analysis in 5.3.3 is performed by the anti-malware solution itself; device control and alerting reduce the exposure and prove the protection stayed on, they do not replace the scan.

Related features: Security Alerts, Device Control, USB/Removable Storage Policies

Mapping 02

Patch Management for Critical Vulnerabilities

Requirement 6.3.3

Requirement 6.3.3 requires patches and updates for critical vulnerabilities, as ranked by the organisation's own risk-ranking process under Requirement 6.3.1, to be installed within one month of release; all other applicable security patches must be installed within a timeframe the organisation defines and documents (the standard gives three months as an example). Both the ranking and the installation dates are auditable: an assessor will ask how "critical" was decided and will want dated evidence that the window was met on sampled endpoints.
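To make the 6.3.3 arithmetic concrete (it is the same rule the "What Changed" section above describes), here is an added example in Python, not Zecurit code, that evaluates constructed patch records against the one-month window for critical vulnerabilities. The risk-ranking function, the 90-day window for everything else, and the endpoint and patch identifiers are all assumptions standing in for an entity's own 6.3.1 policy and fleet data.

```python
"""Requirement 6.3.3 patch-window check over endpoint patch records.

Added example, not Zecurit code. Assumptions, all labelled:
  * rank_vulnerability() stands in for the entity's own 6.3.1 risk-ranking
    policy; PCI DSS does not define "critical" by CVSS, the entity does.
  * Non-critical patches get a 90-day window; 6.3.3 leaves that figure to the
    entity ("for example, within three months of release").
  * The Patch records in SAMPLE are constructed test data, not real KBs.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CRITICAL_WINDOW_DAYS = 30   # fixed by 6.3.3: "within one month of release"
OTHER_WINDOW_DAYS = 90      # entity-defined window (assumption: three months)
AS_OF = date(2025, 6, 30)   # assessment date used for the sample run


@dataclass(frozen=True)
class Patch:
    endpoint: str
    patch_id: str
    cvss: float
    exploited: bool             # listed as exploited in the wild
    released: date              # vendor release date
    installed: Optional[date]   # None = still missing on this endpoint


def rank_vulnerability(p: Patch) -> str:
    """Model of a 6.3.1 risk ranking (assumption): anything known-exploited or
    CVSS >= 9.0 is 'critical'; CVSS >= 7.0 is 'high'; the rest is 'other'.
    Only the 'critical' rank triggers the fixed one-month clock."""
    if p.exploited or p.cvss >= 9.0:
        return "critical"
    if p.cvss >= 7.0:
        return "high"
    return "other"


def deadline(p: Patch) -> date:
    """Installation deadline under 6.3.3, counted from the vendor release date."""
    window = CRITICAL_WINDOW_DAYS if rank_vulnerability(p) == "critical" else OTHER_WINDOW_DAYS
    return p.released + timedelta(days=window)


def evaluate(patches, as_of: date):
    """Return one finding per patch that is still missing past its deadline or
    was installed after it; an empty list means the sample is compliant."""
    findings = []
    for p in patches:
        due = deadline(p)
        if p.installed is None:
            if as_of > due:
                findings.append({"endpoint": p.endpoint, "patch": p.patch_id,
                                 "rank": rank_vulnerability(p), "due": due.isoformat(),
                                 "status": "missing", "days_past_due": (as_of - due).days})
        elif p.installed > due:
            findings.append({"endpoint": p.endpoint, "patch": p.patch_id,
                             "rank": rank_vulnerability(p), "due": due.isoformat(),
                             "status": "installed_late", "days_past_due": (p.installed - due).days})
    return sorted(findings, key=lambda f: (f["endpoint"], f["patch"]))


# Constructed sample fleet data (not real endpoints, KBs or CVEs).
SAMPLE = [
    Patch("WS-POS-01", "KB5001", 9.8, False, date(2025, 5, 15), None),              # critical, missing
    Patch("WS-POS-01", "KB5002", 6.5, False, date(2025, 3, 1), date(2025, 5, 20)),  # other, on time
    Patch("WS-POS-02", "KB5003", 7.5, True, date(2025, 6, 1), date(2025, 6, 20)),   # exploited -> critical, on time
    Patch("WS-POS-02", "KB5004", 5.0, False, date(2025, 2, 1), None),               # other, missing past 90 days
    Patch("WS-POS-03", "KB5005", 9.1, False, date(2025, 4, 1), date(2025, 5, 10)),  # critical, installed late
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE, AS_OF):
        print(finding)
```

Run as-is it reports three findings: a critical patch 16 days past its deadline and still missing, a low-severity patch missing 59 days past the entity-defined 90-day window, and a critical patch installed 9 days late. The point of keeping the ranking in its own function is that the assessor's first question is how the entity defines "critical"; the date arithmetic only matters once that answer is written down.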

Zecurit Endpoint Manager

Patch Management continuously scans every managed endpoint for missing patches, ranking them by CVSS score and active exploit intelligence so critical vulnerabilities surface first. Patches deploy automatically during configured maintenance windows, and Real-Time Patch Status Monitoring with Patch Compliance Reports gives QSAs the dated evidence that the 30-day window was met. One practical caveat: document how the tool's CVSS and exploit-based ranking maps onto your 6.3.1 risk ranking, so that the set of patches the report treats as critical is the same set your policy commits you to installing within a month.

Related features: Patch Management, CVSS Prioritisation, Patch Compliance Reports

Mapping 03

Multi-Factor Authentication for CDE Access

Requirement 8.4.2

MFA is required for all non-console access into the cardholder data environment, for any role, from any location, including from within the corporate network. The requirement does not apply to application or system accounts performing automated functions, to user accounts on point-of-sale terminals that can access only one card number at a time to complete a single transaction, or (added in v4.0.1) to user accounts authenticated solely with phishing-resistant factors. Requirement 8.4.3 separately requires MFA for all remote access from outside the entity's network, and 8.5.1 sets the bar for the MFA system itself: at least two different factor types, no susceptibility to replay, no bypass, and every factor verified before access is granted.

Zecurit Endpoint Manager

Configuration Management's User and Group Management enforces password policy and supports the access discipline MFA depends on, while Remote Access sessions require the end user to explicitly confirm any incoming session before access is granted, layering verification on top of credential-based authentication. Role-based access controls ensure only authorised personnel can reach endpoints within CDE scope. Treat these as supporting controls: a user accepting an incoming session is an approval step, not a second authentication factor in the sense of 8.5.1, so the MFA mechanism for CDE access still has to come from your identity provider, VPN, or remote-access gateway, and the assessor will test that mechanism directly.

Related features: User and Group Management, Session Confirmation and Audit, Role-Based Access

Mapping 04

Protecting Stored Account Data

Requirement 3

Primary Account Numbers must be rendered unreadable anywhere they are stored (Requirement 3.5.1), through strong cryptography, truncation, index tokens, or keyed hashing, with the associated key management in 3.6 and 3.7. Requirement 3.5.1.2 (introduced in v4.0, mandatory since 31 March 2025) limits disk- or partition-level encryption: it may stand alone only on removable media; on non-removable media such as a workstation's internal drive, PAN must also be made unreadable by another 3.5.1 mechanism. The reasoning is that full-disk encryption decrypts transparently for any authenticated user or process once the system is unlocked, so it protects against a stolen or discarded drive, not against access through the running operating system. Where disk-level encryption is used at all, 3.5.1.3 additionally requires that logical access to the encrypted data be managed independently of native OS authentication and that decryption keys not be tied to user accounts.

Zecurit Endpoint Manager

BitLocker Management enforces drive-level encryption across every managed Windows endpoint as a baseline control, with TPM-only, TPM+PIN, and passphrase modes, automatic recovery key backup, and BitLocker Compliance Reports that flag any unprotected device. This forms the disk-level layer that, paired with your payment application's field-level tokenisation or encryption, satisfies Requirement 3's layered expectation for any PAN that does end up on a workstation drive. Two practitioner notes: TPM-only mode unlocks the volume automatically at boot with no pre-boot authentication, so for CDE endpoints TPM+PIN is the stronger choice; and the best outcome for Requirement 3 is still that workstations never store PAN at all, which keeps 3.5.1.2 from applying to them in the first place.

Related features: BitLocker Management, TPM Policy Management, BitLocker Compliance Reports

Mapping 05

Preventing Unauthorised PAN Copying and Exfiltration

Requirement 3.4.2, 3.5.1.x

Requirement 3.4.2 (new in v4.0, mandatory since 31 March 2025) targets remote-access technologies: where personnel reach systems holding PAN through remote access, technical controls must prevent PAN from being copied or relocated (copy and paste, saving to local or removable drives, printing, and similar) by anyone except those with a documented, explicitly authorised business need. The related 3.5.1.x controls govern how PAN is rendered unreadable wherever it is stored.

Zecurit Endpoint Manager

Device Control enforces allow, block, or trusted-only policies for removable storage, Bluetooth, and wireless adapters, closing the most common channels through which PAN leaves a managed endpoint without authorisation, and every connection attempt and blocked event is logged with a timestamp and user account, supporting the audit trail this requirement expects. Note the scope difference: 3.4.2 is tested against the remote-access technology itself (for example clipboard and drive redirection in a remote desktop session), so USB and wireless blocking on the endpoint is a complementary control that removes exfiltration paths rather than the control 3.4.2 names.

Related features: Device Control, USB/Removable Storage Policies, Audit Device Logs

Mapping 06

Vulnerability Scanning and Targeted Risk Analysis

Requirement 11.3

Requirement 11.3.1 requires internal vulnerability scans at least once every three months, with high-risk and critical vulnerabilities (per the 6.3.1 ranking) resolved and confirmed by rescan. Three v4.0 additions, all mandatory since 31 March 2025, build on that: 11.3.1.1 requires the remaining lower-risk vulnerabilities to be addressed on a schedule set by a targeted risk analysis; 11.3.1.2 requires internal scans to be authenticated, with systems that cannot accept credentials documented and scanning accounts managed like any other interactive account under 8.2.2; and 11.3.2 continues to require external scans every three months by a PCI SSC Approved Scanning Vendor (ASV).

Zecurit Endpoint Manager

Vulnerability Management continuously maps installed software across the fleet against known CVEs, giving IT and security teams the prioritised, severity-ranked vulnerability data that internal scans and targeted risk analyses depend on, without waiting for a quarterly scan cycle to surface gaps. It complements rather than replaces the scans themselves: 11.3.1 still needs a quarterly authenticated internal scan with rescans after remediation, and 11.3.2 can only be met by an ASV.

Related features: Vulnerability Management, CVSS Prioritisation, Patch Management

Mapping 07

Logging and Monitoring of System Access

Requirement 10

All access to system components and cardholder data must be logged, and Requirement 10.2.2 fixes what each audit entry must record: user identification, type of event, date and time, success or failure indication, origination of the event, and the identity or name of the affected data, system component, resource, or service. Logs must be protected from modification (10.3.2), promptly backed up to a central log server (10.3.3), reviewed at least daily for security events and CDE components (10.4.1, using automated mechanisms under 10.4.1.1), and retained for at least 12 months with the most recent three months immediately available for analysis (10.5.1). Clocks must be synchronised (10.6) so entries from different endpoints can be correlated during an investigation.
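The following is an added example in Python, not Zecurit code, of the two checks a practitioner would run over exported endpoint events before an assessment: that each entry carries the 10.2.2 fields (with a timezone-qualified timestamp so entries from different machines line up), and that the retention windows in 10.5.1 are covered. The JSON field names are an assumption about how an agent might export events, not any product's schema, and the events themselves are constructed.

```python
"""Requirement 10 audit-trail checks over endpoint events.

Added example, not Zecurit code. The JSON field names are an assumption about
how an endpoint agent might export events, not any product's schema; the
sample events are constructed. Checks implemented:
  * 10.2.2: each entry records user, event type, date/time, success/failure,
    origin, and the affected resource;
  * timestamps carry a timezone so entries from different endpoints can be
    correlated (10.6 requires synchronised, consistent time);
  * 10.5.1: at least 12 months retained, the latest 3 months immediately available.
"""
import json
from datetime import date, datetime

# 10.2.2 field name (assumed export schema) -> wording used in findings
REQUIRED_FIELDS = {
    "user": "user identification",
    "event_type": "type of event",
    "timestamp": "date and time",
    "outcome": "success or failure indication",
    "origin": "origination of event",
    "target": "affected data, system component, resource or service",
}
VALID_OUTCOMES = {"success", "failure"}

# Constructed sample: two complete entries, one with an empty user and a naive
# (timezone-less) timestamp, one missing the outcome field entirely.
SAMPLE_EVENTS = [
    r'{"timestamp":"2025-06-30T08:15:02Z","user":"jsmith","event_type":"logon","outcome":"success","origin":"WS-POS-01","target":"WS-POS-01"}',
    r'{"timestamp":"2025-06-30T08:20:45Z","user":"jsmith","event_type":"usb_connect","outcome":"failure","origin":"WS-POS-01","target":"USB\\VID_0781&PID_5583"}',
    r'{"timestamp":"2025-06-30 09:01:10","user":"","event_type":"av_disabled","outcome":"success","origin":"WS-POS-02","target":"Microsoft Defender"}',
    r'{"timestamp":"2025-06-30T09:05:00+01:00","user":"svc_backup","event_type":"file_read","origin":"WS-POS-02","target":"C:\\pos\\batch.dat"}',
]

# Sample retention picture (assumption): oldest entry in the live store and in archive.
AS_OF = date(2025, 6, 30)
ONLINE_OLDEST = date(2025, 4, 15)
ARCHIVE_OLDEST = date(2024, 5, 1)


def parse_timestamp(value: str):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is normalised so the call
    also works on Python versions before 3.11. Returns None if it does not parse."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def event_findings(line: str) -> list:
    """10.2.2 completeness checks for one JSON-encoded event; [] means clean."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return ["unparseable event"]
    if not isinstance(ev, dict):
        return ["event is not a JSON object"]
    findings = []
    for field, desc in REQUIRED_FIELDS.items():
        if not str(ev.get(field, "")).strip():      # absent or blank both count as missing
            findings.append(f"missing {desc}")
    raw_ts = str(ev.get("timestamp", ""))
    ts = parse_timestamp(raw_ts) if raw_ts else None
    if raw_ts and ts is None:
        findings.append("timestamp not ISO 8601")
    elif ts is not None and ts.tzinfo is None:
        findings.append("timestamp lacks timezone")
    if ev.get("outcome") and ev["outcome"] not in VALID_OUTCOMES:
        findings.append("outcome not success/failure")
    return findings


def check_events(lines) -> dict:
    """Map event index -> findings, only for events that have any."""
    result = {}
    for i, line in enumerate(lines):
        found = event_findings(line)
        if found:
            result[i] = found
    return result


def retention_findings(online_oldest: date, archive_oldest: date, as_of: date) -> list:
    """10.5.1: >= 12 months retained overall, >= 3 months immediately available."""
    findings = []
    if (as_of - online_oldest).days < 90:
        findings.append("less than three months immediately available")
    if (as_of - archive_oldest).days < 365:
        findings.append("less than twelve months retained")
    return findings


if __name__ == "__main__":
    for idx, found in check_events(SAMPLE_EVENTS).items():
        print(idx, found)
    print(retention_findings(ONLINE_OLDEST, ARCHIVE_OLDEST, AS_OF))
```

On the sample, the third event is flagged for an empty user field and a timestamp with no timezone, the fourth for a missing success/failure indication, and the retention check reports that only 76 days are immediately available against the 90 that 10.5.1 requires. Running the same check against a real export before the QSA does is cheap, and it turns "we log everything" into a statement you can show.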

Zecurit Endpoint Manager

The Monitoring and Alerts module logs security, hardware, software, and access events in real time across the endpoint fleet. User Logon Reports record access patterns by account, and Device Control logs every connection attempt with a timestamp, building the activity record Requirement 10 expects to see during an investigation or assessment. To close the loop for the assessor, confirm that these endpoint records also reach your central log platform with the 10.2.2 fields intact, fall under the same 12-month retention as the rest of your CDE logs, and are included in the daily automated review.

Related features: Real-Time Monitoring and Alerts, User Logon Reports, Audit Device Logs

Mapping 08

Secure Configuration of System Components

Requirement 2

All system components must have secure configurations applied, with vendor-supplied default passwords changed and unnecessary services, protocols, and functions disabled before a device is deployed into the CDE.

Zecurit Endpoint Manager

Configuration Management lets IT teams define named profiles bundling firewall rules, Windows Update policy, and security hardening settings, then deploy those profiles consistently to every device entering the CDE. Hardware and software change alerts detect configuration drift the moment an endpoint deviates from its approved baseline.

Related features: Configuration Management, Centralised Profile Management, Hardware/Software Change Alerts

Mapping 09

Inventory of Bespoke and Third-Party Software

Requirement 6.3.2

Requirement 6.3.2 (new in v4.0, mandatory since 31 March 2025) requires an inventory of the organisation's own bespoke and custom software, including the third-party components embedded in it, so that vulnerability and patch management can cover that software too; in practice it is a software bill of materials for what you build. A payment application shipping with a known CVE in a bundled library is a risk waiting for an exploit, regardless of whether endpoint anti-malware ever flags it.

Zecurit Endpoint Manager

Software Inventory discovers and tracks every installed application across the fleet with real-time version data, while Software Alerts flag unauthorised installations the moment they occur. That gives security teams a live inventory of what is running on CDE endpoints, which is what an assessor looks for under Requirement 12.5.1 (an inventory of in-scope system components) and what makes 6.3.3 patching measurable, rather than a stale spreadsheet updated once a year. For 6.3.2 itself, treat this as the deployment side of the picture: the component-level inventory of the software you develop has to come from your build pipeline, since an endpoint agent only sees the installed binaries.

Related features: Software Inventory, Software Alerts, Software Licence Management

Mapping 10

Audit-Ready Compliance Reporting for ROC and SAQ

Supports the ROC / SAQ assessment process

Whether assessed through a formal Report on Compliance or a Self-Assessment Questionnaire, organisations must produce evidence across encryption, patch status, access control, and monitoring for every applicable requirement. Assembling that evidence under assessment deadline pressure is when gaps tend to surface.

Zecurit Endpoint Manager

Compliance and Reporting provides 100+ built-in report templates including pre-mapped templates for PCI-DSS, ISO 27001, HIPAA, GDPR, CIS, and NIST. Security Reports surface BitLocker gaps, firewall status, and antivirus health across all endpoints, and Scheduled Report Delivery automates this evidence on a recurring basis, well ahead of your next QSA engagement.

Related features: 100+ Compliance Reports, PCI-DSS Report Templates, Scheduled Report Delivery

PCI DSS Requirements and Zecurit Endpoint Manager Capabilities

A consolidated reference mapping each PCI DSS v4.0.1 endpoint-relevant requirement to the relevant Zecurit features, useful for ROC and SAQ preparation.

PCI DSS Requirement | Zecurit Endpoint Manager Capability
Anti-Malware and Removable Media (Req. 5) | Security Alerts; Device Control; USB/Removable Storage Policies
Patch Management (Req. 6.3.3) | Patch Management; CVSS Prioritisation; Patch Compliance Reports
Multi-Factor Authentication (Req. 8.4.2) | User and Group Management; Session Confirmation and Audit; Role-Based Access
Protecting Stored Account Data (Req. 3) | BitLocker Management; TPM Policy Management; BitLocker Compliance Reports
Preventing PAN Exfiltration (Req. 3.4.2) | Device Control; USB/Removable Storage Policies; Audit Device Logs
Vulnerability Scanning (Req. 11.3) | Vulnerability Management; CVSS Prioritisation; Patch Management
Logging and Monitoring (Req. 10) | Real-Time Monitoring and Alerts; User Logon Reports; Audit Device Logs
Secure Configuration (Req. 2) | Configuration Management; Centralised Profile Management; Hardware/Software Change Alerts
Software Inventory (Req. 6.3.2) | Software Inventory; Software Alerts; Software Licence Management
Audit-Ready Reporting (ROC / SAQ) | 100+ Compliance Reports; PCI-DSS Report Templates; Scheduled Report Delivery

PCI DSS Compliance Is a Continuous Endpoint Discipline

PCI DSS v4.0.1 was deliberately designed to move organisations away from annual compliance scrambles and toward continuous, year-round security practices. With every previously future-dated requirement now mandatory, there is no remaining grace period for anti-malware on removable media, MFA into the CDE, or authenticated vulnerability scanning.

Almost every one of these controls lives on the endpoint: the device that connects to the CDE, the USB drive someone plugs in, the workstation that has or hasn't been patched this month. Assessors test these controls on the devices themselves, sampling across the fleet, not as a single organisational statement of intent.

Zecurit Endpoint Manager addresses PCI DSS's core endpoint-relevant requirements from a single lightweight agent and unified console, giving IT teams the encryption, device control, patch management, and audit-ready reporting that a QSA expects to see, without assembling evidence from a patchwork of disconnected tools before assessment season.

About Zecurit

Zecurit develops cloud-based IT management solutions designed for modern IT teams. The Zecurit platform helps organisations manage endpoints, track assets, enforce security policies, and securely support distributed workforces through centralised, easy-to-use tools.

To learn more about Zecurit Endpoint Manager and how it supports your PCI DSS compliance programme, start a free 14-day trial or contact the Zecurit team.
