PCI Compliance Solutions

One platform. One agent. Complete compliance for PCI DSS 4.0.

Are you fully covered for PCI DSS 4.0?

PCI DSS 4.0 adds new requirements related to vulnerability scanning authentication, asset classification, file access management, cloud security, and much more. Are you ready? Qualys can help.

What’s new in PCI DSS 4.0?


Risk-based prioritization

PCI DSS 4.0 places more emphasis on risk analysis and on validated, risk-based prioritization. Cloud infrastructure requirements are enhanced and more flexible, and additional requirements were introduced for internal software development.

Vulnerability management

New 4.0 requirements emphasize that external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), and add the requirement that internal scans be authenticated. Scan frequencies must also be based on a targeted risk analysis.

File Integrity Monitoring

Real-time monitoring of unauthorized access to sensitive data and configuration change detection on network devices is required. Automated mechanisms must be used to perform change event reviews. Failures of critical security control systems, such as change-detection mechanisms, must be detected and alerted.

Software & Configuration Management

Password complexity requirements are more stringent, and privileged accounts must be verified periodically. First-party software risk assessments should cover vulnerabilities in bespoke and custom software.

PCI DSS 4.0 introduces a more flexible and risk-based approach to cybersecurity compared to its predecessor, PCI DSS 3.2.1. This updated standard emphasizes continuous monitoring and allows organizations to tailor their security measures to align with their unique risks and business priorities. By enabling customization based on real-world scenarios, such as adopting cloud-native solutions for large cloud infrastructures, companies can implement more effective controls while maintaining compliance.

Under PCI DSS 4.0, firms are encouraged to adopt a risk-based approach to cybersecurity implementation. By leveraging robust threat intelligence, organizations can better understand and prioritize their true risks, ensuring efficient resource allocation and faster resolution of critical issues. This proactive stance enhances overall security posture and helps businesses stay ahead of evolving cyber threats. The Qualys Enterprise TruRisk Platform includes more than a dozen apps that can help ensure audit-ready compliance with PCI DSS 4.0.

Leverage the Qualys Enterprise TruRisk Platform to meet your PCI DSS 4.0 risk-based requirements

Requirements 6.3.1, 6.3.3

The Qualys Enterprise TruRisk Platform enhances risk-based analysis and prioritization for vulnerability management and patching requirements by using the Qualys TruRisk score and comprehensive threat intelligence.


Requirements 7.2.4, 7.2.5, 8.3.6, 8.6.3

Qualys Policy Compliance (PC) continuously validates privileged account access. Inappropriate accounts can be identified and removed using remediation capabilities. Qualys PC includes controls for password complexity and password history settings to ensure that passwords are sufficiently complex and cannot be used indefinitely.


Requirements 11.6.1, 6.4.1

Qualys Web Application Scanning (WAS) provides a change-and-tamper detection mechanism to alert for unauthorized modifications to the HTTP headers and contents of payment pages as received by the consumer browser.


Requirement 6.3.3

Qualys Patch Management (PM) ensures adherence to PCI DSS 4.0 timely patch requirements by providing one console to patch everything using a prioritized risk-based approach.


Requirement 1.2.2.c

The Qualys Enterprise TruRisk Platform extends File Integrity Monitoring (FIM) with real-time monitoring of unauthorized access to sensitive data and configuration change detection on network devices.


Requirements 12.5.1, 2.2.3

Qualys CyberSecurity Asset Management (CSAM) discovers all assets and provides complete business context for every external-facing asset in the cardholder data environment (CDE).



Qualys Vulnerability Management, Detection & Response (VMDR) includes Qualys PCI ASV. Requirements for external scanning can be met as Qualys is an Approved Scanning Vendor (ASV). Qualys VMDR also covers all the new requirements for internal scanning authentication.


All PCI DSS 4.0 Requirements

For each requirement, testing procedures require the examination of documented policies and procedures. The roles and responsibilities for performing activities in each PCI requirement need to be documented, which can be done using the Qualys Security Assessment Questionnaire (SAQ).


Requirements 1, 6

PCI DSS 4.0 has been expanded to cover cloud infrastructure and components, both external and on premises. This includes instantiations of containers or images, virtual private clouds, cloud-based identity and access management, CDEs residing on premises or in the cloud, service meshes with containerized applications, and container orchestration tools. Qualys TotalCloud (TC) covers these requirements.


Extend Compliance Coverage from VMDR

Qualys Compliance Solutions are built natively into the Enterprise TruRisk Platform. Combined with VMDR, customers can:


Create compliance dashboards to highlight compliance gaps and provide pre-built templates, profiles, and policies to achieve full compliance.

Measure, communicate, and eliminate cyber risk across the global hybrid IT environment.

Clearly report and articulate risk to internal and external compliance stakeholders across 950 policies, 20,000 controls, and 100 regulations.


Powered by the Enterprise TruRisk™ Platform

The Enterprise TruRisk Platform provides a unified view of your entire cyber risk posture, so you can aggregate and measure all Qualys and non-Qualys risk factors in one place, communicate cyber risk to the business with context, and go beyond patching to eliminate the risk that threatens the business anywhere in your attack surface.


Assess your environment within 15 minutes of provisioning and drive efficiency along with PCI DSS 4.0 compliance.
