Question 1

What is the difference between PCI DSS v3.2.1 and v4.0?

Accepted Answer

PCI DSS v4.0 became the only valid version after March 31, 2024 (with new requirements becoming mandatory March 31, 2025). v4.0 adds customized approach options, expanded MFA requirements, targeted risk analyses, and stronger authentication for non-console administrative access.

Question 2

Do I need a QSA assessment?

Accepted Answer

Only Level 1 merchants (>6M transactions/year) and most service providers require a Qualified Security Assessor (QSA) Report on Compliance. Smaller merchants self-assess via the appropriate SAQ (A, A-EP, B, C, D, P2PE) based on how cardholder data is handled.

Question 3

Can a SOC 2 report substitute for PCI DSS?

Accepted Answer

No. PCI DSS is a contractual requirement from card networks and is enforced separately from SOC 2. The two frameworks share many controls (access, encryption, monitoring) and many SOC 2 platforms map to PCI DSS, but you still need a separate PCI assessment to satisfy your acquiring bank.

PCI DSS

Key controls