The Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 is now fully in effect, and organizations handling payment card data are under increasing scrutiny from their acquiring banks and payment brands. MSPs that deliver PCI DSS compliance can command strong subscription fees and maintain deep client stickiness.
Who this is for: MSPs serving retail, e-commerce, hospitality, or financial services clients that process, store, or transmit payment card data.
TL;DR
- PCI DSS v4.0.1 is the current revision of v4.0, whose future-dated requirements became mandatory on 31 March 2025; it strengthens requirements around multi-factor authentication (MFA), encryption, and vulnerability management
- Any organization that processes, stores, or transmits cardholder data must comply with PCI DSS
- Merchant levels, and with them whether a Self-Assessment Questionnaire (SAQ) or a QSA-led Report on Compliance is required, are determined by annual transaction volume
- 6clicks supports PCI DSS v4.0.1 compliance delivery with pre-built content, control mapping, and evidence workflows
- PCI DSS non-compliance can result in loss of card processing capability, a severe commercial consequence that motivates client investment
What is PCI DSS, and who does it apply to?
PCI DSS is a set of security standards developed by the PCI Security Standards Council to protect cardholder data. It applies to all organizations that process, store, or transmit credit or debit card data, including merchants, payment processors, and their service providers.
Compliance levels
Merchants are classified into four levels based on annual transaction volume:
- Level 1: More than 6 million card transactions per year (requires an annual Report on Compliance by a Qualified Security Assessor or QSA)
- Level 2: 1–6 million transactions per year (annual Self-Assessment Questionnaire or SAQ)
- Level 3: 20,000 to 1 million e-commerce transactions per year (annual SAQ)
- Level 4: Fewer than 20,000 e-commerce transactions per year or up to 1 million other transactions (annual SAQ)
Levels are defined by each payment brand and enforced by the merchant's acquirer; the thresholds above follow Visa's definitions, and a brand or acquirer can assign a merchant a higher level (for example, after a breach). Most mid-market clients fall into Levels 2–4, requiring annual SAQ completion.
PCI DSS v4.0.1 key changes
PCI DSS v4.0.1 clarifies and reinforces the requirements introduced in PCI DSS v4.0, requiring organizations to update their compliance programs:
- MFA: Required for all access into the cardholder data environment (CDE), not just remote access
- Targeted risk analysis: Organizations must conduct and document a targeted risk analysis for each requirement that lets them decide how often a control is performed (Requirement 12.3.1), and for every control implemented via the customized approach (Requirement 12.3.2)
- Password requirements: Minimum password length increased from 7 to 12 characters, or 8 where a system cannot support 12 (Requirement 8.3.6)
- Anti-phishing controls: New requirements for anti-phishing mechanisms and enhanced security awareness measures
- E-commerce security: New requirements to inventory, authorize and integrity-check every script loaded on a payment page (Requirement 6.4.3) and to detect unauthorized changes to the HTTP headers and content of payment pages as received by the browser (Requirement 11.6.1), aimed at web-skimming and unauthorized script attacks
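As an added example (not 6clicks code, nor any tool the page describes) of the kind of check requirements 6.4.3 and 11.6.1 ask for, the Python below inventories the scripts on a payment page, compares each against an approved allowlist of script URLs and Subresource Integrity (SRI) hashes, and diffs the result against a stored baseline so that an injected or altered script shows up as a change. The page HTML, script bodies, hostnames and allowlist are all constructed for illustration.

```python
"""Payment-page script audit: inventory, authorization, integrity and change detection.

Added example (not 6clicks code); the page HTML, script bodies and allowlist
below are constructed for illustration.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_sha384(content: bytes) -> str:
    """Subresource Integrity (SRI) value for a script body: base64 of SHA-384."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode("ascii")


class ScriptCollector(HTMLParser):
    """Collect every <script> tag on a page: src, integrity attribute and inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:  # HTMLParser hands script content through as raw data
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def inventory(html: str) -> list:
    """All scripts on the page, in document order (the 6.4.3 inventory)."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def audit_scripts(html: str, approved_external: dict, approved_inline: set) -> list:
    """Compare the page's scripts with the approved inventory; an empty list means no findings.

    approved_external maps script URL -> expected SRI value; approved_inline holds
    the SRI values of authorized inline script bodies.
    """
    findings = []
    for s in inventory(html):
        if s["src"] is None:
            digest = sri_sha384(s["body"].strip().encode())
            if digest not in approved_inline:
                findings.append(f"unauthorized inline script ({digest})")
            continue
        expected = approved_external.get(s["src"])
        if expected is None:
            findings.append(f"unauthorized script: {s['src']}")
        elif s["integrity"] is None:
            findings.append(f"missing integrity attribute: {s['src']}")
        elif s["integrity"] != expected:
            findings.append(f"integrity mismatch: {s['src']}")
    return findings


def fingerprint(html: str) -> set:
    """(src, integrity) pairs for external scripts and ('inline', digest) for inline ones."""
    out = set()
    for s in inventory(html):
        if s["src"] is None:
            out.add(("inline", sri_sha384(s["body"].strip().encode())))
        else:
            out.add((s["src"], s["integrity"] or ""))
    return out


def detect_changes(baseline: set, current: set) -> tuple:
    """11.6.1-style change detection: (added or altered, removed) relative to a stored baseline."""
    return sorted(current - baseline), sorted(baseline - current)


# --- Constructed sample data (hypothetical hosts and scripts) ------------------
CHECKOUT_JS = b"function pay(f){return fetch('/api/pay',{method:'POST',body:new FormData(f)})}"
ANALYTICS_JS = b"window.track=function(e){navigator.sendBeacon('/t',e)}"
CONFIG_INLINE = 'window.__cfg = {merchant: "m-123", currency: "AUD"};'

APPROVED_EXTERNAL = {
    "https://pay.example/checkout.js": sri_sha384(CHECKOUT_JS),
    "https://cdn.example/analytics.js": sri_sha384(ANALYTICS_JS),
}
APPROVED_INLINE = {sri_sha384(CONFIG_INLINE.encode())}

BASELINE_PAGE = f"""<html><body>
<form id="card"><input name="pan"></form>
<script src="https://pay.example/checkout.js" integrity="{APPROVED_EXTERNAL['https://pay.example/checkout.js']}" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js" integrity="{APPROVED_EXTERNAL['https://cdn.example/analytics.js']}" crossorigin="anonymous"></script>
<script>{CONFIG_INLINE}</script>
</body></html>"""

# Skimmed variant: the analytics tag lost its integrity attribute and a skimmer tag was injected.
SKIMMED_PAGE = BASELINE_PAGE.replace(
    f' integrity="{APPROVED_EXTERNAL["https://cdn.example/analytics.js"]}" crossorigin="anonymous"', ""
).replace("</body>", '<script src="https://static.evil.example/skim.js"></script>\n</body>')

# Tampered variant: checkout.js now carries an integrity value the allowlist does not know.
TAMPERED_PAGE = BASELINE_PAGE.replace(sri_sha384(CHECKOUT_JS), sri_sha384(CHECKOUT_JS + b"//x"))

if __name__ == "__main__":
    for name, page in (("baseline", BASELINE_PAGE), ("skimmed", SKIMMED_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_scripts(page, APPROVED_EXTERNAL, APPROVED_INLINE))
    print(detect_changes(fingerprint(BASELINE_PAGE), fingerprint(SKIMMED_PAGE)))
```

In practice the page would be fetched as a browser receives it (after any CDN or tag-manager processing) and the baseline stored out of band; this example covers script content only, so the HTTP-header side of 11.6.1 and a Content Security Policy restricting script sources would still need to sit alongside it.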
How MSPs deliver PCI DSS compliance using 6clicks
Scoping and gap assessment
Define the cardholder data environment (CDE) scope with the client: scope includes every system component that stores, processes or transmits cardholder data, plus anything connected to or able to affect the security of those components, and any network segmentation relied on to reduce scope must be verified to be effective. Use 6clicks' pre-configured PCI DSS framework to run a gap assessment against all 12 requirements.
SAQ preparation and completion
For Level 2–4 merchants, the MSP manages the annual SAQ completion process using 6clicks. Evidence is collected and mapped to SAQ requirements automatically.
Control implementation support
Where gaps are identified, the MSP supports implementation using 6clicks' control management module, automated evidence collection, and policy templates. Key areas include network segmentation, access control, vulnerability management, and logging.
Ongoing quarterly scanning
PCI DSS requires external vulnerability scans of all in-scope internet-facing systems at least once every three months by an Approved Scanning Vendor (ASV), with a passing result and rescans after any significant change (Requirement 11.3.2); internal vulnerability scans are also required at the same frequency but may be run by the organization itself (Requirement 11.3.1). MSPs coordinate scanning and manage remediation using 6clicks.
How 6clicks supports PCI-DSS delivery
- PCI DSS v4.0.1 framework pre-mapped to all 12 requirements and sub-requirements
- SAQ template support for common SAQ types (SAQ A, SAQ A-EP, SAQ B, SAQ D, etc.)
- Evidence workflows for all 12 PCI DSS requirements
- Cross-mapping to ISO 27001 for clients managing multiple frameworks
Frequently asked questions
Does an MSP need to be a QSA to deliver PCI DSS compliance?
No. For many Level 2–4 merchants, MSPs can manage the SAQ process, evidence collection, remediation, and ongoing compliance activities without being a Qualified Security Assessor (QSA). QSA involvement is typically required for Level 1 merchants completing a Report on Compliance (ROC), although acquiring banks or payment brands may require QSA validation for other merchants in some situations.
What happens if a client is not compliant?
Non-compliant merchants may face fines from acquiring banks or payment brands, potential suspension of card processing capabilities, increased transaction fees, and liability for breach-related costs if a data breach occurs. The commercial and reputational consequences can be severe.
How does PCI DSS v4.0.1 differ from earlier versions?
PCI DSS v4.0.1 clarifies and reinforces the requirements introduced in v4.0. Clients that were previously compliant under earlier PCI DSS versions should conduct a gap assessment to identify new obligations, particularly around MFA, targeted risk analysis, and e-commerce security.
What do managed PCI DSS services cost?
Managed PCI DSS subscriptions in Australia typically range from AUD 2,500 to AUD 8,000 per month, depending on the client's transaction volume, CDE complexity, and scope of services.
Can 6clicks be used for Level 1 merchants?
Yes. 6clicks can be used for evidence collection, control tracking, and audit preparation for Level 1 merchants, even though the formal Report on Compliance must be issued by a QSA.
Next step
Build your PCI DSS compliance practice with 6clicks.