compliance.tf
Compliance FrameworksCore Frameworks

PCI DSS v4.0

Best for: Any entity that stores, processes, or transmits payment card data from Visa, Mastercard, American Express, Discover, or JCB: merchants, payment processors, acquirers, issuers, and service providers. Transaction volume determines your validation path, a QSA-led Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ). Even a small e-commerce site that redirects to a hosted payment page must validate compliance.

Mandatory?Mandatory for any entity processing card data
Who validates?QSA (Level 1 merchants/SPs); SAQ self-assessment (Levels 2โ€“4)
RenewalAnnual
ScopeCardholder data environment (CDE) and connected systems

๐Ÿ› PCI Security Standards Council (PCI SSC), founded by American Express, Discover, JCB, Mastercard, and Visa. ยท PCI DSS v4.0 Official source โ†’

Get Started

module "..." {
  source  = "pcidss.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates

  • Encryption at Rest: Checks encryption configuration on API Gateway caches, Athena workgroups, and AWS Backup recovery points, and verifies that KMS-managed keys are applied where available.
  • Encryption in Transit: Validates TLS enforcement on CloudFront distributions and API Gateway stages (SSL certificate attachment), and checks ACM certificate properties including RSA key length (2048-bit minimum) and expiration within 30 days.
  • Access Control: Verifies that API Gateway v2 routes have authorization types explicitly configured, confirms AWS Organizations governance at the account level, and checks IMDSv2 enforcement on Auto Scaling launch configurations to prevent credential exposure.
  • Logging and Monitoring: Confirms logging is enabled on API Gateway stages and AppSync GraphQL APIs (field-level), checks X-Ray tracing on REST API stages, and validates CloudFormation stack notification configuration for change detection.
  • Data Protection and Backup: Validates that backup plans enforce a minimum 35-day retention period, that recovery points are encrypted, and that manual deletion of recovery points is disabled.
  • Network Security: Checks that API Gateway stages are associated with WAF web ACLs, providing layer 7 filtering on public-facing endpoints.

What you handle

  • Encryption at Rest: Key management procedures must be documented per Requirement 3.6, including rotation schedules, split knowledge and dual control for custodians, and the cryptographic key inventory. None of this is enforceable through infrastructure code alone.
  • Encryption in Transit: TLS policy version selection (ensuring TLS 1.2 or higher), cipher suite configuration review, documenting authorized protocols per Requirement 4.2.1, and certificate lifecycle management processes beyond expiration monitoring.
  • Access Control: You own the RBAC design, user provisioning and deprovisioning workflows, quarterly access reviews (Req 7.2.4), and MFA implementation for all access into the CDE (Req 8.4.2).
  • Logging and Monitoring: Log aggregation, correlation, and 12-month retention (Req 10.5.1). Daily log review processes, SIEM integration, alerting rules for security events per Requirement 10.4.1, and defining which events trigger incident response.
  • Data Protection and Backup: Backup restoration testing, documented data retention and disposal policies per Requirement 3.1, and secure media destruction processes for Requirement 9.4.
  • Network Security: WAF rules need human tuning. Annual penetration testing to validate segmentation (Req 11.4.6), firewall rule reviews every six months (Req 1.2.7), and documentation of all inbound and outbound traffic flows are outside what any scanning tool can assess.

Controls by Category

Requirement 10: Log and Monitor All Access (4 controls)

Assessors want logs that capture user identification, event type, timestamp, and success or failure for all access to system components and CHD per Requirement 10.2.1. Disabled logging on API Gateway stages is one of the most common PCI findings in AWS environments. X-Ray tracing and CloudFormation stack notifications both contribute to Requirement 10.4.1's expectation of timely detection for security-relevant changes.

API Gateway REST API stages should have AWS X-Ray tracing enabledAPI Gateway stages should have logging enabledAppSync GraphQL APIs should have field-level logging enabledcompliance.tf moduleCloudFormation stacks should have notifications enabled

Requirement 12: Maintain Security Policies and Data Retention (1 control)

Manual deletion being enabled on backup recovery points is a red flag. It signals weak protection against insider threats and ransomware, and directly conflicts with Requirement 12.3.1's mandate for formal data retention schedules. Assessors also cross-check retention periods against documented organizational policy and the disposal requirements under Requirement 3.1.

Backup plans should have minimum frequency and minimum retention configured

Requirement 3: Protect Stored Account Data (2 controls)

Requirement 3.6 is what assessors focus on: are encryption keys managed separately from the data they protect? They will check every data store, cache, and backup connected to the CDE for strong cryptography. Unencrypted backup recovery points and API Gateway caches holding response data are among the most reliably flagged findings.

Athena workgroups should be encrypted at restAPI Gateway stages should have cache encryption at rest enabled

Requirement 4: Protect Data in Transit with Strong Cryptography (3 controls)

All CHD transmissions over open, public networks must use TLS 1.2 or higher per Requirement 4.2.1. Assessors check certificate validity, RSA key strength (2048-bit minimum), and HTTPS enforcement on all public-facing endpoints. Expired ACM certificates and CloudFront distributions with HTTP fallback are the gaps that surface most reliably.

API Gateway stages should not use client SSL certificatesCloudFront distributions should require encryption in transitcompliance.tf moduleACM RSA certificates should use a key length of at least 2,048 bitscompliance.tf module

Requirement 7-8: Access Control and Authentication (1 control)

The first question is whether authorization types on API routes are explicitly configured rather than left open by default. Assessors also want evidence that access is restricted by business need to know (Req 7.2) and that every user has a unique ID (Req 8.2.1). A registered security contact demonstrates incident response readiness tied to Requirement 12.10.1.

API Gateway routes should require an authorization type
Additional Controls (159)

AWS CloudTrail (4)

CloudTrail trails should have at least one enabled trail present in a regionCloudTrail trails should be integrated with CloudWatch logsCloudTrail trails should have logs encrypted using a customer managed KMS keyCloudTrail trails should have log file validation enabled

AWS CodeBuild (4)

CodeBuild projects should have artifact encryption enabledCodeBuild projects should not have privileged mode enabledCodeBuild projects should have logging enabledCodeBuild projects should have S3 logs encrypted

AWS Database Migration Service (3)

DMS endpoints for Redis OSS should have TLS enabledDMS endpoints should use SSLDMS replication instances should not be publicly accessiblecompliance.tf module

AWS IAM (9)

IAM password policies should have minimum length set to 14 or greaterIAM password policies should require at least one lowercase letterIAM password policies should require at least one numberIAM password policies should require at least one symbolIAM password policies should require at least one uppercase letterIAM password policies should prevent password reuseIAM password policies should have strong configurations with minimum length of 8 or greaterIAM password policies should have strong configurationsIAM password policies should expire passwords within 90 days or less

AWS KMS (1)

KMS CMK rotation should be enabledcompliance.tf module

AWS Lambda (2)

Lambda functions should be in a VPCcompliance.tf moduleLambda functions should use latest runtimescompliance.tf module

AWS Secrets Manager (1)

Secrets Manager secrets should be encrypted using CMKcompliance.tf module

AWS Step Functions (1)

Step Functions state machines should have logging enabledcompliance.tf module

AWS WAF (1)

WAFv2 rules should have CloudWatch metrics enabled

Amazon CloudFront (4)

CloudFront distributions access logs should be enabledcompliance.tf moduleCloudFront distributions should use SNI to serve HTTPS requestscompliance.tf moduleCloudFront distributions should use custom SSL/TLS certificatescompliance.tf moduleCloudFront distributions should have AWS WAF enabledcompliance.tf module

Amazon CloudWatch (2)

CloudWatch alarms should have an action configuredcompliance.tf moduleCloudWatch log groups should have retention period of at least 365 dayscompliance.tf module

Amazon CloudWatch Logs (1)

Log groups should have encryption at rest enabledcompliance.tf module

Amazon DocumentDB (3)

DocumentDB clusters should have an adequate backup retention periodDocumentDB clusters should have encryption at rest enabledDocumentDB instance logging should be enabled

Amazon DynamoDB (3)

DynamoDB tables should have AWS KMS encryption enabledcompliance.tf moduleDynamoDB tables should have encryption enabledcompliance.tf moduleDynamoDB tables should have point-in-time recovery enabledcompliance.tf module

Amazon DynamoDB Accelerator (2)

DynamoDB Accelerator (DAX) clusters should be encrypted at restDynamoDB Accelerator clusters should be encrypted in transit

Amazon EBS (3)

Attached EBS volumes should have encryption enabledcompliance.tf moduleEBS snapshots should be encryptedEBS volumes should have encryption at rest enabledcompliance.tf module

Amazon EC2 (10)

EC2 Client VPN endpoints should have client connection logging enabledEC2 instances should have detailed monitoring enabledcompliance.tf moduleEC2 instances should have IAM profile attachedcompliance.tf moduleEC2 instances should be in a VPCcompliance.tf moduleEC2 instances should not use key pairs in running statecompliance.tf moduleEC2 instances should not have a public IP addresscompliance.tf moduleEC2 instances should use IMDSv2compliance.tf moduleEC2 instances should use IAM instance roles for AWS resource accesscompliance.tf moduleEC2 launch templates should not assign public IPs to network interfacescompliance.tf moduleEC2 transit gateways should have auto accept shared attachments disabled

Amazon ECR (1)

ECR repositories should have image scan on push enabledcompliance.tf module

Amazon ECS (3)

ECS clusters should have container insights enabledcompliance.tf moduleECS fargate services should run on the latest fargate platform versioncompliance.tf moduleECS task definitions should not share the host's process namespacecompliance.tf module

Amazon EFS (4)

EFS access points should enforce a root directoryEFS access points should enforce a user identityEFS file systems should have encryption at rest enabledcompliance.tf moduleEFS file systems should be encrypted with CMKcompliance.tf module

Amazon EKS (4)

EKS clusters should have control plane audit logging enabledcompliance.tf moduleEKS clusters endpoint public access should be restrictedcompliance.tf moduleEKS clusters endpoint should restrict public accesscompliance.tf moduleEKS clusters should be configured to have kubernetes secrets encrypted using KMScompliance.tf module

Amazon EMR (1)

EMR cluster Kerberos should be enabledcompliance.tf module

Amazon ElastiCache (5)

ElastiCache clusters should not use the default subnet groupElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greatercompliance.tf moduleElastiCache for Redis replication groups should be encrypted at restcompliance.tf moduleElastiCache for Redis replication groups should be encrypted with CMKcompliance.tf moduleElastiCache for Redis replication groups should be encrypted in transitcompliance.tf module

Amazon Kinesis (2)

Kinesis streams should be encrypted with CMKKinesis streams should have server side encryption enabled

Amazon MQ (1)

MQ brokers should have audit log streaming to CloudWatch enabled

Amazon MSK (1)

MSK clusters should be encrypted in transit among broker nodescompliance.tf module

Amazon Neptune (4)

Neptune DB clusters should publish audit logs to CloudWatch LogsNeptune DB clusters should have automated backups enabledNeptune DB clusters should be encrypted at restNeptune DB clusters should have IAM database authentication enabled

Amazon OpenSearch Service (7)

OpenSearch domains should have audit logging enabledcompliance.tf moduleOpenSearch domains should have encryption at rest enabledcompliance.tf moduleOpenSearch domains should have fine-grained access control enabledcompliance.tf moduleOpenSearch domains should use HTTPScompliance.tf moduleOpenSearch domains should be in a VPCcompliance.tf moduleOpenSearch domains should have logging to CloudWatch Logs enabledcompliance.tf moduleOpenSearch domains node-to-node encryption should be enabledcompliance.tf module

Amazon RDS (18)

Aurora MySQL DB clusters should have audit logging enabledcompliance.tf moduleAurora PostgreSQL DB clusters should publish logs to CloudWatch Logscompliance.tf moduleRDS DB clusters should have automatic minor version upgrade enabledRDS DB clusters should be encrypted with CMKcompliance.tf moduleRDS DB clusters should be encrypted at restcompliance.tf moduleRDS DB clusters should have IAM authentication configuredcompliance.tf moduleRDS DB instance automatic minor version upgrade should be enabledcompliance.tf moduleRDS DB instance backup should be enabledcompliance.tf moduleRDS DB instances backup retention period should be greater than or equal to 7compliance.tf moduleRDS DB instances should be integrated with CloudWatch logscompliance.tf moduleRDS DB instance encryption at rest should be enabledcompliance.tf moduleRDS DB instances should have iam authentication enabledcompliance.tf moduleRDS DB instances should have logging enabledcompliance.tf moduleRDS for MariaDB DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should not use public subnetcompliance.tf moduleRDS for PostgreSQL DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should prohibit public accesscompliance.tf moduleRDS for SQL Server DB instances should publish logs to CloudWatch Logscompliance.tf module

Amazon Redshift (10)

Redshift clusters should have audit logging enabledcompliance.tf moduleRedshift clusters should have automatic snapshots enabledcompliance.tf moduleRedshift clusters should have automatic upgrades to major versions enabledcompliance.tf moduleRedshift cluster encryption in transit should be enabledcompliance.tf moduleRedshift clusters should have audit logging and encryption enabledcompliance.tf moduleRedshift clusters should have enhanced VPC routing enabledcompliance.tf moduleRedshift clusters should have KMS encryption enabledcompliance.tf moduleRedshift clusters should have required maintenance settingscompliance.tf moduleRedshift clusters should have Multi-AZ deployments enabledcompliance.tf moduleRedshift clusters should prohibit public accesscompliance.tf module

Amazon S3 (21)

S3 access points should have block public access settings enabledS3 buckets should not use ACLs for user access controlcompliance.tf moduleS3 buckets should have cross-region replication enabledcompliance.tf moduleS3 buckets should have default encryption enabledcompliance.tf moduleS3 buckets should have default encryption enabled using KMScompliance.tf moduleS3 buckets should have event notifications enabledcompliance.tf moduleS3 buckets should have lifecycle policies configuredcompliance.tf moduleS3 buckets should have logging enabledcompliance.tf moduleS3 buckets should have MFA delete enabledcompliance.tf moduleS3 buckets should not be accessible to all authenticated userscompliance.tf moduleS3 buckets should have object lock enabledcompliance.tf moduleS3 buckets should have object logging enabledS3 buckets should have policies that prohibit public accesscompliance.tf moduleS3 buckets should restrict cross-account permissionscompliance.tf moduleS3 buckets should prohibit public read accesscompliance.tf moduleS3 buckets should prohibit public write accesscompliance.tf moduleS3 buckets with versioning enabled should have lifecycle policies configuredcompliance.tf moduleS3 buckets should have versioning enabledcompliance.tf moduleS3 Multi-Region Access Points should have block public access settings enabledS3 public access should be blocked at account levelcompliance.tf moduleS3 public access should be blocked at bucket levelcompliance.tf module

Amazon SNS (1)

SNS topics should be encrypted at restcompliance.tf module

Amazon SageMaker (6)

SageMaker endpoint configuration encryption should be enabledSageMaker notebook instances should not have direct internet accessSageMaker notebook instances should be encrypted using CMKSageMaker notebook instance encryption should be enabledSageMaker notebook instances should be in a VPCSageMaker notebook instances root access should be disabled

Amazon VPC (1)

VPC Security groups should only allow unrestricted incoming traffic for authorized portscompliance.tf module

Elastic Load Balancing (4)

ELB application and classic load balancer logging should be enabledcompliance.tf moduleELB application and network load balancers should only use SSL or HTTPS listenerscompliance.tf moduleELB application and network load balancer listeners should use secure protocolscompliance.tf moduleELB classic load balancers should be configured with defensive or strictest desync mitigation modecompliance.tf module

Other (11)

Elasticsearch domains should have audit logging enabledES domain encryption at rest should be enabledES domains should be in a VPCElasticsearch domain should send logs to CloudWatchElasticsearch domain node-to-node encryption should be enabledFSx for OpenZFS file systems should be configured to copy tags to backups and volumescompliance.tf moduleFSx for Lustre file systems should be configured to copy tags to backupscompliance.tf moduleAPI Gateway V2 stages should have access logging configuredcompliance.tf moduleNetwork Firewall policies should have default stateless action set to drop or forward for fragmented packetscompliance.tf moduleNetwork Firewall policies should have default stateless action set to drop or forward for full packetscompliance.tf moduleRedshift Serverless workgroups should have enhanced VPC routing enabled

Related Frameworks

NIST 800-53 Rev 5 โ€” ๐ŸŸข High overlap (65%)

PCI DSS v4.0 maps extensively to NIST 800-53 Rev 5 control families, especially SC (System and Communications Protection), AC (Access Control), AU (Audit and Accountability), and IA (Identification and Authentication). NIST 800-53 is broader in scope and covers federal information systems, while PCI DSS narrows focus to cardholder data protection. Organizations already compliant with NIST 800-53 will find significant reuse when scoping a PCI assessment.

SOC 2 โ€” ๐ŸŸก Medium overlap (50%)

SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality partially overlaps with PCI DSS requirements for access control, logging, encryption, and change management. SOC 2 does not prescribe the same technical specificity (no explicit TLS version requirement or key length mandate), so PCI DSS controls generally satisfy SOC 2 criteria but not the reverse.

NIST CSF v1.0 โ€” ๐ŸŸก Medium overlap (55%)

The NIST Cybersecurity Framework maps to PCI DSS across Identify, Protect, Detect, Respond, and Recover functions. PCI SSC publishes an official mapping between PCI DSS v4.0 and NIST CSF. NIST CSF is risk-based and outcome-oriented, while PCI DSS prescribes specific implementation requirements.

Frequently Asked Questions

Does PCI DSS v4.0 apply to my organization if we use a third-party payment processor?
Yes. Using a third-party processor reduces your scope but does not eliminate your compliance obligation. If your systems touch cardholder data at any point, including web pages that host payment fields or redirect to a processor, you are in scope. Most small merchants using hosted payment pages can complete SAQ A, which has the fewest requirements. Your acquiring bank determines your merchant level and the applicable SAQ type.
What changed between PCI DSS v3.2.1 and v4.0 that I need to know?
The largest changes are: expanded MFA requirements covering all access into the CDE, not just remote access (Req 8.4.2); a new requirement for automated log review mechanisms (Req 10.4.1.1); targeted risk analysis replacing the blanket 'periodic' language across several requirements (Req 12.3.1); client-side script integrity monitoring for payment pages (Req 6.4.3); and the customized approach as an alternative validation method. Requirements that were labeled future-dated until March 31, 2025 are now mandatory.
How long does a PCI DSS v4.0 assessment typically take?
It depends on your level and readiness. A Level 1 merchant or service provider undergoing a full QSA-led ROC assessment typically runs 3 to 6 months from gap analysis through final report submission. SAQ completion for smaller merchants can take 2 to 6 weeks. The formal assessment is annual, but quarterly ASV scans and ongoing monitoring run year-round.
What does the 'customized approach' in PCI DSS v4.0 mean for my AWS environment?
The customized approach (defined in PCI DSS v4.0 Section 12.3.2 and Appendix D) lets you meet a requirement's stated objective using a control different from the defined approach. You must document a controls matrix, perform a targeted risk analysis, and have the QSA validate that your custom control meets the objective. For AWS environments, one approach to meeting this would be combining native services (GuardDuty, Security Hub, Config Rules) to satisfy a requirement's intent where the specific prescribed method differs. Be aware that the customized approach requires more documentation and QSA scrutiny, not less.
How many of the 50 mapped controls can compliance.tf automate versus what requires manual evidence?
The 50 controls mapped here cover technical configuration checks: encryption settings, logging enablement, access authorization, certificate validity, and backup policies, all continuously assessable through Terraform and PowerPipe. That said, PCI DSS v4.0 has 64 base requirements across 12 requirement groups, many of which require procedural evidence (written policies, training records, physical security controls, penetration test reports, incident response plans). Expect compliance.tf to automate roughly 40-60% of the technical evidence for Requirements 1 through 4 and 10, with minimal coverage for Requirements 5, 9, 11, and 12, which depend on non-infrastructure evidence.

SOC 2

Previous Page

HIPAA Omnibus Rule 2013

Next Page

On this page

Get StartedWhat Compliance.tf Covers vs. What You HandleControls by CategoryRequirement 10: Log and Monitor All Access (4)Requirement 12: Maintain Security Policies and Data Retention (1)Requirement 3: Protect Stored Account Data (2)Requirement 4: Protect Data in Transit with Strong Cryptography (3)Requirement 7-8: Access Control and Authentication (1)Related FrameworksFrequently Asked Questions

Ask AI about this

Help improve this page