PCI DSS v4.0

PCI DSS for modern payment stacks

PCI DSS v4.0 rewrote the rules. The customized approach means more flexibility but also more burden of proof. Quarterly ASV scans are the floor, not the ceiling. If you process, store, or transmit cardholder data, continuous validation is no longer optional -- it is the standard.

What changed in v4.0.

March 2024 was the deadline. If you are still operating under v3.2.1 controls, you are behind.

Customized approach is now first-class

v4.0 lets you meet requirements your own way -- but that flexibility comes with a catch. You need continuous evidence that your custom controls actually work. Annual self-assessment questionnaires are not enough anymore.

Targeted risk analysis is mandatory

Requirements 12.3.1 and 12.3.2 demand documented, targeted risk analysis for controls with flexible implementation. You need to show why your approach is sufficient, backed by ongoing validation -- not a one-time justification.

Continuous security is the expectation

Multiple requirements now specify that controls must be reviewed upon significant changes and at least every 12 months. The spirit of v4.0 is clear: security is not a yearly checkbox. It is an operational discipline.

Requirement Mapping

How MANTIS maps to PCI DSS.

Network Security (Req 1-2)

Firewall rules, segmentation between CDE and untrusted networks, secure configurations. MANTIS Control maps your VPCs, security groups, and NACLs to validate isolation of cardholder data zones.

Data Protection (Req 3-4)

Encryption of stored cardholder data, masking of PAN displays, TLS for transmission. MANTIS validates encryption settings on every data store and tests TLS configurations against PCI requirements.
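As an added illustration of the Requirement 3 checks named above (masking of PAN displays, no unmasked PAN at rest), here is a small Python check written for this page, not MANTIS's own code: it scans constructed sample records for Luhn-valid full PANs and renders the first-6/last-4 masked form that PCI DSS permits for display.

```python
import re

# Constructed sample records, as a data-store or log check might see them.
# The card numbers are well-known public test numbers, not real cardholder data.
SAMPLE_RECORDS = [
    "order=1001 pan=4111111111111111 status=captured",
    "order=1002 pan=411111******1111 status=captured",
    "order=1003 ref=1234567890123456 status=refunded",   # fails Luhn: not a PAN
    "order=1004 pan=5555 5555 5555 4444 status=authorized",
]

# 13-19 digits, optionally separated by spaces or dashes.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask to first 6 and last 4 digits, the most PCI DSS allows to be shown."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(records):
    """Return (record_index, masked_pan) for each Luhn-valid full PAN found.

    Only the masked form is returned so the finding itself never carries a PAN.
    """
    findings = []
    for idx, line in enumerate(records):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((idx, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for idx, masked in find_unmasked_pans(SAMPLE_RECORDS):
        print(f"record {idx}: unmasked PAN found, masked form {masked}")
```

The Luhn filter keeps an arbitrary 16-digit reference number (record 1003) from being flagged, while the already-masked value in record 1002 never matches the candidate pattern.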

Vulnerability Management (Req 5-6)

Anti-malware, secure development, patch management. MANTIS Agent tests your payment applications for injection, authentication bypass, and business logic flaws that automated scanners miss.

Access Control (Req 7-9)

Need-to-know enforcement, unique IDs, MFA. MANTIS scans IAM for overprivileged service accounts, shared credentials, and missing MFA on administrative access to cardholder data environments.

Payment API security testing

Requirement 6.2 demands secure software development. Requirement 11.3 requires penetration testing. MANTIS Agent combines both -- testing your payment endpoints, checkout flows, and tokenization implementations with the same methodology a skilled pentester would use. Injection, authentication bypass, IDOR on transaction IDs, race conditions on payment state machines. The vulnerabilities that matter for PCI, tested continuously.

Cardholder data deserves more than quarterly scans.

Continuous PCI DSS validation for v4.0 and beyond.
