PCI DSS v4.0.1 is now the only active version of the standard, and every requirement, including those once designated as future-dated, became mandatory on 31 March 2025. This guide breaks down what that means for the endpoints that touch cardholder data, and how Zecurit Endpoint Manager helps you meet it.
The Payment Card Industry Data Security Standard governs every organisation that handles cardholder data. It is enforced not by a government regulator but by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through acquiring banks. Non-compliance can carry monthly fines commonly cited at roughly $5,000 to $100,000, higher per-transaction processing fees, and, in serious cases, the loss of card processing privileges altogether.
PCI DSS v4.0.1 became the only active version of the standard once v4.0 retired at the end of 2024, and it remains the current standard for 2026 compliance assessments. With over 500 individual controls spanning 12 core requirements, much of what auditors test traces directly back to how endpoints are configured, patched, monitored, and locked down.
This guide maps PCI DSS v4.0.1's endpoint-relevant requirements to specific capabilities in Zecurit Endpoint Manager, so IT teams preparing for a Report on Compliance or Self-Assessment Questionnaire can turn the standard's language into operational controls.
A handful of terms recur throughout the standard and its assessment process:
Cardholder Data Environment (CDE): the people, processes, and technology that store, process, or transmit cardholder data, plus any system components directly connected to them.
Primary Account Number (PAN): the full card number, and the most sensitive data element PCI DSS protects. Stored PAN must be rendered unreadable through encryption, truncation, or tokenisation.
Report on Compliance (ROC) and Self-Assessment Questionnaire (SAQ): the two paths to demonstrating compliance, the ROC for larger merchants and service providers, the SAQ for smaller merchants.
Qualified Security Assessor (QSA): an individual certified by the PCI Security Standards Council to perform formal PCI DSS compliance assessments.
Targeted Risk Analysis (TRA): a concept introduced in v4.x that lets organisations justify the frequency of certain recurring controls, such as malware scans, from documented risk rather than a fixed PCI-mandated interval.
Customized Approach: an alternative to the standard's defined approach, allowing organisations to design their own controls to meet a requirement's stated objective, validated through additional documentation and assessor testing.
PCI DSS applies to any entity that touches cardholder data, regardless of size or transaction volume. This includes:
PCI DSS v4.0.1's 12 requirements are organised under six broader control objectives. Understanding this structure makes it easier to see where endpoint management does the heaviest lifting.
Build and Maintain a Secure Network and Systems (Requirements 1 and 2): network security controls and secure configurations across all system components, with no vendor-default passwords or unnecessary services left enabled.
Protect Account Data (Requirements 3 and 4): encryption, truncation, or tokenisation of stored PAN, plus strong cryptography for cardholder data transmitted across open, public networks.
Maintain a Vulnerability Management Program (Requirements 5 and 6): anti-malware deployment across every channel that touches the CDE, plus secure development practices and prompt patching of known vulnerabilities.
Implement Strong Access Control Measures (Requirements 7 to 9): least-privilege access, unique user IDs, multi-factor authentication for CDE access, and strict physical access restrictions to cardholder data.
Regularly Monitor and Test Networks (Requirements 10 and 11): logging and monitoring of all access to system components and cardholder data, alongside regular vulnerability scans and penetration testing.
Maintain an Information Security Policy (Requirement 12): a formal information security policy addressing all personnel, supported by ongoing security awareness training, with the policy and programme reviewed at least annually.
Several of v4.0.1's clarifications directly affect how endpoint controls are scoped and tested. The patch-management wording was brought back into line with the older v3.2.1 language, confirming that the one-month installation window in Requirement 6.3.3 applies to critical and high-security patches as identified by the entity's own documented risk-ranking process (Requirement 6.3.1), rather than to every patch regardless of severity. This gives IT teams a clear prioritisation signal: critical patches move fast, lower-severity patches follow the schedule the risk ranking sets.
The standard also clarified that multi-factor authentication is required for all access into the cardholder data environment (Requirement 8.4.2), for any role and from any location, inside the corporate network or outside it, with a narrow exception for user accounts authenticated solely with phishing-resistant factors. Malware scanning requirements (Requirement 5.3.3) explicitly cover removable media: USB drives and external storage must be scanned automatically when inserted or mounted, or subjected to continuous behavioural analysis while connected, not governed by a written policy alone.
The following sections translate each endpoint-relevant PCI DSS v4.0.1 requirement into the specific Zecurit capabilities that support it.
Organisations must deploy and maintain anti-malware protection across all system components commonly affected by malicious software. Requirement 5.3.3 explicitly extends this to removable media: USB drives and external storage must be scanned automatically when inserted, connected, or mounted, or covered by continuous behavioural analysis while connected, not by a manual policy alone.
Security Alerts in the Monitoring and Alerts module notify IT teams instantly when antivirus or antimalware protection is disabled on any endpoint within the CDE. Device Control governs whether removable media can connect to managed endpoints in the first place, with BadUSB keystroke injection prevention and policy enforcement that holds even when a device is offline. The scan itself is still performed by the anti-malware product; Zecurit's contribution is evidence that the protection stayed enabled and control over which media ever reaches the endpoint.
Organisations must install applicable security patches and updates within one month of release for critical and high-security vulnerabilities (Requirement 6.3.3), with all other patches installed on a schedule set by a documented risk-ranking process. Knowing which vulnerabilities are critical, and proving that patches were applied on time, are both auditable controls.
Patch Management continuously scans every managed endpoint for missing patches, ranking them by CVSS score and active exploit intelligence so critical vulnerabilities surface first. Patches deploy automatically during configured maintenance windows, and Real-Time Patch Status Monitoring with Patch Compliance Reports gives QSAs the dated evidence that the 30-day window was met.
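The 30-day check a QSA will actually perform is simple enough to reproduce against your own patch inventory. The script below is an added example, not Zecurit's code or a Zecurit API: it risk-ranks a constructed list of missing patches, computes each one's due date under Requirement 6.3.3, and reports which endpoints are outside the window. The CVSS cut-offs, the treatment of actively exploited vulnerabilities as critical, the 90-day window for everything else, and the advisory identifiers are all assumptions for illustration; Requirement 6.3.1 leaves the risk ranking to the entity.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Requirement 6.3.3: critical- and high-security patches installed within one
# month of release; everything else on a documented, risk-based schedule.
# The CVSS cut-offs and the 90-day "other" window are assumptions for this
# example; 6.3.1 requires each entity to define its own risk ranking.
ONE_MONTH = timedelta(days=30)
OTHER_WINDOW = timedelta(days=90)


@dataclass
class Patch:
    endpoint: str
    advisory: str          # vendor advisory / patch identifier (placeholders below)
    cvss: float
    known_exploited: bool
    released: date
    installed: Optional[date] = None


def rank(p: Patch) -> str:
    """Risk-rank a patch; active exploitation always promotes it to critical."""
    if p.known_exploited or p.cvss >= 9.0:
        return "critical"
    if p.cvss >= 7.0:
        return "high"
    return "other"


def due_date(p: Patch) -> date:
    window = ONE_MONTH if rank(p) in ("critical", "high") else OTHER_WINDOW
    return p.released + window


def status(p: Patch, as_of: date) -> str:
    """met/missed for installed patches, open/overdue for outstanding ones."""
    due = due_date(p)
    if p.installed is not None:
        return "met" if p.installed <= due else "missed"
    return "overdue" if as_of > due else "open"


def sla_report(patches, as_of):
    """Rows of (endpoint, advisory, rank, due date, status), in input order."""
    return [(p.endpoint, p.advisory, rank(p), due_date(p).isoformat(), status(p, as_of))
            for p in patches]


def endpoints_out_of_sla(patches, as_of):
    """Endpoints with a critical/high patch that is overdue or was installed late."""
    return sorted({p.endpoint for p in patches
                   if rank(p) != "other" and status(p, as_of) in ("overdue", "missed")})


# Constructed sample inventory; advisory IDs are placeholders, not real advisories.
SAMPLE = [
    Patch("POS-01", "ADV-001", 9.8, True, date(2025, 5, 1), date(2025, 5, 20)),
    Patch("POS-02", "ADV-001", 9.8, True, date(2025, 5, 1)),
    Patch("POS-03", "ADV-002", 7.5, False, date(2025, 6, 15)),
    Patch("POS-01", "ADV-003", 4.3, False, date(2025, 3, 1), date(2025, 6, 10)),
    Patch("POS-02", "ADV-004", 5.0, True, date(2025, 6, 20)),
]
AS_OF = date(2025, 6, 30)

if __name__ == "__main__":
    for row in sla_report(SAMPLE, AS_OF):
        print(*row)
    print("out of SLA:", endpoints_out_of_sla(SAMPLE, AS_OF))
```

Note that the "missed" status matters as much as "overdue": a patch installed after its due date is compliant today but still a finding for the assessment period, so keep the installation date, not just the current state, in whatever evidence you hand to the QSA.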
MFA is required for all access into the cardholder data environment (Requirement 8.4.2), for any role and from any location, including from within the corporate network, with a narrow exception for user accounts authenticated solely with phishing-resistant factors.
Configuration Management's User and Group Management enforces password policy and supports the access discipline MFA depends on, while Remote Access sessions require the end user to explicitly confirm any incoming session before access is granted, layering verification on top of credential-based authentication. Role-based access controls ensure only authorised personnel can reach endpoints within CDE scope. None of these is itself a second authentication factor: the MFA that satisfies 8.4.2 comes from your identity provider or authentication solution, and these controls narrow who can reach CDE endpoints and record that access for the assessor.
Primary Account Numbers must be rendered unreadable wherever stored, through encryption, truncation, or tokenisation, with strong key management. Requirement 3.5.1.2 makes clear that disk- or partition-level encryption alone is insufficient on non-removable media and must be paired with another mechanism, because full-disk encryption decrypts transparently for any process running as an authenticated user.
BitLocker Management enforces drive-level encryption across every managed Windows endpoint as a baseline control, with TPM-only, TPM+PIN, and passphrase modes, automatic recovery key backup, and BitLocker Compliance Reports that flag any unprotected device. This is the disk-level layer; paired with your payment application's field-level tokenisation or encryption, it meets Requirement 3's expectation that PAN on a fixed disk is protected by more than the disk encryption itself. For CDE workstations, prefer TPM+PIN over TPM-only: a TPM-only volume unlocks at boot without any user secret, so it protects against a drive removed from the machine but not against an attacker who can boot the machine itself.
Technical controls must prevent PAN from being copied or relocated by users without a documented, explicitly authorised business need (Requirement 3.4.2), including blocking copy and file-transfer functionality on remote-access sessions that can reach full PAN.
Device Control enforces allow, block, or trusted-only policies for removable storage, Bluetooth, and wireless adapters, closing the most common channels through which PAN leaves a managed endpoint without authorisation. Every connection attempt and blocked event is logged with a timestamp and user account, supporting the audit trail this requirement expects. Remote-access clipboard and file-transfer paths fall under the same requirement, so cover them in the remote-access tool's own session policy as well.
Internal and external vulnerability scans must be performed at defined intervals, with all high-risk and critical vulnerabilities remediated and rescanned. v4.x goes further, requiring remediation of lower-risk internal vulnerabilities too, on a timeline set by a documented targeted risk analysis, and authenticated scanning for internal scans.
Vulnerability Management continuously maps installed software across the fleet against known CVEs, giving IT and security teams the prioritised, severity-ranked vulnerability data that internal scans and targeted risk analyses depend on, without waiting for a quarterly scan cycle to surface gaps. It complements rather than replaces the formal scans: quarterly external scans must still be run by a PCI SSC Approved Scanning Vendor (Requirement 11.3.2), and the internal scan results remain the evidence the assessor reviews.
All access to system components and cardholder data must be tracked and logged, with each audit record capturing user identification, type of event, date and time, success or failure, where the event originated, and the affected system, resource, or data (Requirement 10.2.2). These logs are central to detecting and investigating any compromise of the CDE.
The Monitoring and Alerts module logs security, hardware, software, and access events in real time across the endpoint fleet. User Logon Reports record access patterns by account, and Device Control logs every connection attempt with a timestamp, building the detailed activity record Requirement 10 expects to see during an investigation or assessment.
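Before an assessment it is worth checking that the records you plan to hand over actually carry every field Requirement 10.2.2 names, and that they support the detections you claim to run. The script below is an added example, not Zecurit's code or its log format: it parses a constructed set of key=value audit lines (the format is an assumption for illustration), reports records missing a required field, and runs two small checks a practitioner would run over the same data, repeated failed logons per account and any event that shows anti-malware protection being disabled.

```python
import re
from collections import Counter
from datetime import datetime

# Fields PCI DSS v4.0.1 Requirement 10.2.2 expects in every audit record:
# user, event type, date/time, success or failure, origin, and the affected
# system or resource. The key=value line format is an assumption for this
# example, not the format any particular product emits.
REQUIRED = ("ts", "user", "event", "result", "origin", "target")

# Constructed sample log lines; two of them are deliberately incomplete.
LOG_LINES = [
    'ts=2025-06-30T09:12:04+00:00 user=cashier7 event=logon result=success origin=POS-02 target=POS-02',
    'ts=2025-06-30T09:15:31+00:00 user=cashier7 event=usb_connect result=failure origin=POS-02 target=POS-02 device="Generic Flash Disk"',
    'ts=2025-06-30T09:20:00+00:00 user=admin4 event=av_disabled result=success origin=10.0.5.12 target=POS-01',
    'ts=2025-06-30T09:21:10+00:00 event=config_change result=success origin=POS-01 target=POS-01',
    'user=svc_backup event=logon result=failure origin=10.0.5.40 target=POS-03',
    'ts=2025-06-30T09:30:01+00:00 user=svc_backup event=logon result=failure origin=10.0.5.40 target=POS-03',
    'ts=2025-06-30T09:30:09+00:00 user=svc_backup event=logon result=failure origin=10.0.5.40 target=POS-03',
    'ts=2025-06-30T09:30:17+00:00 user=svc_backup event=logon result=failure origin=10.0.5.40 target=POS-03',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Parse one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def missing_fields(record):
    """Required fields absent from the record; an unparseable timestamp counts too."""
    missing = [f for f in REQUIRED if f not in record]
    if "ts" in record:
        try:
            datetime.fromisoformat(record["ts"])
        except ValueError:
            missing.append("ts(unparseable)")
    return missing


def validate(lines):
    """(1-based line number, missing fields) for every incomplete record."""
    out = []
    for n, line in enumerate(lines, start=1):
        miss = missing_fields(parse(line))
        if miss:
            out.append((n, miss))
    return out


def failed_logons(lines, threshold=3):
    """Accounts with at least `threshold` failed logons in the sample."""
    counts = Counter(
        r["user"] for r in map(parse, lines)
        if r.get("event") == "logon" and r.get("result") == "failure" and "user" in r
    )
    return {u: c for u, c in counts.items() if c >= threshold}


def protection_disabled(lines):
    """(timestamp, endpoint, user) for every event that disabled anti-malware."""
    return [(r.get("ts"), r.get("target"), r.get("user"))
            for r in map(parse, lines) if r.get("event") == "av_disabled"]


if __name__ == "__main__":
    print("incomplete records:", validate(LOG_LINES))
    print("repeated failed logons:", failed_logons(LOG_LINES))
    print("protection disabled:", protection_disabled(LOG_LINES))
```

The completeness check is the one to run first: a record with no user or no timestamp cannot answer the assessor's basic question of who did what and when, and it is far cheaper to discover that in a dry run than during a Requirement 10 walkthrough.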
All system components must have secure configurations applied, with vendor-supplied default passwords changed and unnecessary services, protocols, and functions disabled before a device is deployed into the CDE.
Configuration Management lets IT teams define named profiles bundling firewall rules, Windows Update policy, and security hardening settings, then deploy those profiles consistently to every device entering the CDE. Hardware and software change alerts detect configuration drift the moment an endpoint deviates from its approved baseline.
Organisations must maintain an inventory of bespoke and custom software, along with all third-party software components, to facilitate vulnerability and patch management. A binary shipping with a known CVE in a dependency is a risk waiting for an exploit, regardless of whether endpoint anti-malware ever flags it.
Software Inventory discovers and tracks every installed application across the fleet with real-time version data, while Software Alerts flag unauthorised installations the moment they occur. This gives security teams the live software inventory Requirement 6.3.2 expects, rather than a stale spreadsheet updated once a year.
Whether assessed through a formal Report on Compliance or a Self-Assessment Questionnaire, organisations must produce evidence across encryption, patch status, access control, and monitoring for every applicable requirement. Assembling that evidence under assessment deadline pressure is when gaps tend to surface.
Compliance and Reporting provides 100+ built-in report templates including pre-mapped templates for PCI-DSS, ISO 27001, HIPAA, GDPR, CIS, and NIST. Security Reports surface BitLocker gaps, firewall status, and antivirus health across all endpoints, and Scheduled Report Delivery automates this evidence on a recurring basis, well ahead of your next QSA engagement.
A consolidated reference mapping each PCI DSS v4.0.1 endpoint-relevant requirement to the relevant Zecurit features, useful for ROC and SAQ preparation.
| PCI DSS Requirement | Zecurit Endpoint Manager Capability |
|---|---|
| Anti-Malware and Removable Media (Req. 5) | Security Alerts, Device Control, USB/Removable Storage Policies |
| Patch Management (Req. 6.3.3) | Patch Management, CVSS Prioritisation, Patch Compliance Reports |
| Multi-Factor Authentication (Req. 8.4.2) | User and Group Management, Session Confirmation and Audit, Role-Based Access |
| Protecting Stored Account Data (Req. 3) | BitLocker Management, TPM Policy Management, BitLocker Compliance Reports |
| Preventing PAN Exfiltration (Req. 3.4.2) | Device Control, USB/Removable Storage Policies, Audit Device Logs |
| Vulnerability Scanning (Req. 11.3) | Vulnerability Management, CVSS Prioritisation, Patch Management |
| Logging and Monitoring (Req. 10) | Real-Time Monitoring and Alerts, User Logon Reports, Audit Device Logs |
| Secure Configuration (Req. 2) | Configuration Management, Centralised Profile Management, Hardware/Software Change Alerts |
| Software Inventory (Req. 6.3.2) | Software Inventory, Software Alerts, Software Licence Management |
| Audit-Ready Reporting (ROC / SAQ) | 100+ Compliance Reports, PCI-DSS Report Templates, Scheduled Report Delivery |
PCI DSS v4.0.1 was deliberately designed to move organisations away from annual compliance scrambles and toward continuous, year-round security practices. With every previously future-dated requirement now mandatory, there is no remaining grace period for anti-malware on removable media, MFA into the CDE, or authenticated vulnerability scanning.
Almost every one of these controls lives on the endpoint: the device that connects to the CDE, the USB drive someone plugs in, the workstation that has or hasn't been patched this month. Auditors test these controls individually, device by device, not as a single organisational statement of intent.
Zecurit Endpoint Manager addresses PCI DSS's core endpoint-relevant requirements from a single lightweight agent and unified console, giving IT teams the encryption, device control, patch management, and audit-ready reporting that a QSA expects to see, without assembling evidence from a patchwork of disconnected tools before assessment season.
Zecurit develops cloud-based IT management solutions designed for modern IT teams. The Zecurit platform helps organisations manage endpoints, track assets, enforce security policies, and securely support distributed workforces through centralised, easy-to-use tools.
To learn more about Zecurit Endpoint Manager and how it supports your PCI DSS compliance programme, start a free 14-day trial or contact the Zecurit team.