External requirements for any business handling cardholder data.
See your PCI DSS 4.0 readiness in 60 seconds. Free, no signup.
PCI DSS 4.0 is mandatory for any organisation that stores, processes or transmits payment card data. Several requirements explicitly demand external verification — encrypted transmission, public-facing web protections, external vulnerability scans and incident detection. Non-compliance leads to higher transaction fees, fines from card brands, and loss of merchant status.
Who must comply: All merchants and service providers that handle cardholder data, regardless of size. SAQ-A merchants outsourcing payment pages still inherit several requirements on their domain.
Penalties: Card brand fines up to USD 100,000/month + per-transaction penalties + loss of merchant account.
Each row links a PCI DSS 4.0 clause to the external check we perform and the evidence it produces. Mappings are reviewed by our compliance team and updated when standards change.
| PCI DSS 4.0 clause | What it requires | How we evidence it |
|---|---|---|
| TLS-1: Req. 4.2.1, Strong cryptography in transit | Strong cryptography and security protocols protect PAN during transmission over open, public networks. | Encrypted transport (TLS 1.2+): We verify the certificate chain, expiry, supported TLS versions and cipher suites on every public hostname. |
| WEB-1: Req. 6.4.3, Payment page script integrity | All payment page scripts loaded in the consumer browser are managed via integrity-assurance mechanisms (CSP, SRI). | Secure HTTP response headers: We test for HSTS, Content-Security-Policy, X-Frame-Options, Referrer-Policy, Permissions-Policy and X-Content-Type-Options on the live site. |
| EMAIL-1: Req. 5.4.1, Anti-phishing controls | Processes and automated mechanisms protect personnel against phishing attacks (SPF, DKIM, DMARC enforcement). | Email authentication (SPF / DKIM / DMARC): We resolve and validate SPF, DKIM and DMARC records, including DMARC enforcement policy and reporting addresses. |
| DNS-1: Req. 1.4, Network security controls | Network connections between trusted and untrusted networks are controlled; DNS configuration is secured. | DNS hygiene & DNSSEC: We resolve A, AAAA, MX, NS, CAA and DNSSEC records and flag anomalies, dangling records and missing controls. |
| REP-1: Req. 11.3.2, External vulnerability scans (ASV) | External vulnerability scans are performed at least every three months and after any significant change by an Approved Scanning Vendor or equivalent. | Reputation & threat intelligence: We cross-check the domain and its IPs against VirusTotal, Shodan, Spamhaus, URLhaus and Google Safe Browsing. |
| BREACH-1: Req. 12.10, Incident response | An incident response plan is in place and tested; suspected or confirmed breaches must be detected and responded to promptly. | Credential exposure monitoring: We query Have I Been Pwned for breaches involving the monitored domain and surface affected accounts. |
| EXP-1: Req. 6.4.2, Public-facing web app protection | Public-facing web applications are protected against attacks; sensitive files and admin interfaces must not be exposed. | Exposed files & admin panels: We probe for publicly accessible .env, .git, backups, admin panels and other sensitive paths that should never be reachable. |
| SUB-1: Req. 12.5.1 / 12.8, Inventory of components & TPSP management | Maintain an inventory of system components in scope and a list of third-party service providers with whom CHD is shared or that could affect cardholder data security. The data flow map evidences which scripts run on payment-adjacent pages. | Third-party data flow map (subdomains & external services): We enumerate subdomains via Certificate Transparency logs, fingerprint every third-party service they load (analytics, payments, chat, CDNs, tag managers, ad networks, fonts) and map where browser-side data flows. This is the externally observable evidence regulators ask for under supplier, supply-chain and processor-inventory clauses. |
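As an added illustration of the DMARC enforcement check described in the EMAIL-1 row (example code, not the scanner's own), the function below parses a DMARC TXT record and reports its policy, subdomain policy, pct and reporting addresses, flagging the settings that fall short of enforcement. DNS resolution is left out so it runs offline on constructed record strings.

```python
# Added example (not the vendor's code): evaluates a DMARC TXT record for
# enforcement and reporting, as the EMAIL-1 row describes. Records passed
# in are constructed samples; DNS lookup is left out so this runs offline.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class DmarcResult:
    valid: bool
    policy: Optional[str] = None
    subdomain_policy: Optional[str] = None
    pct: int = 100
    reporting_addresses: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)

def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc(record: str) -> DmarcResult:
    """Return policy details plus findings that weaken enforcement."""
    tags = parse_tags(record)
    # RFC 7489: v=DMARC1 must come first and p= is required.
    if not record.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        return DmarcResult(False, findings=["not a DMARC record (needs v=DMARC1 first and p=)"])
    policy = tags["p"].lower()
    sp = tags.get("sp", policy).lower()  # sp= defaults to the p= value
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    rua = [a.strip() for a in tags.get("rua", "").split(",") if a.strip()]
    findings: List[str] = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"unknown policy p={policy}")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if sp == "none" and policy != "none":
        findings.append("sp=none: subdomains are not enforced")
    if pct < 100:
        findings.append(f"pct={pct}: enforcement applies to only {pct}% of failing mail")
    if not rua:
        findings.append("no rua= address: aggregate reports are not collected")
    return DmarcResult(True, policy, sp, pct, rua, findings)

if __name__ == "__main__":
    print(evaluate_dmarc("v=DMARC1; p=none"))  # constructed record
```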
External monitoring is one part of compliance. These areas need other evidence — typically from your GRC platform, HR system, or internal logging:
One scan. Every clause on this page evaluated against your live domain. Auditor-ready PDF in your inbox.