FRAMEWORK · PCI-DSS v4.0

PCI-DSS v4.0.
For those who process cards.

If your company processes, stores or transmits card data (physical POS terminals, e-commerce), PCI-DSS v4.0 is mandatory. Itamite covers the technical requirements on endpoints (Req. 5, 6, 7, 8, 10, 11.5) with signed evidence for your QSA.

PCI levels by volume

Level 1: > 6M transactions/year. Mandatory annual QSA audit + quarterly ASV scan.
Level 2: 1-6M transactions/year. Annual SAQ (Self-Assessment Questionnaire) + quarterly ASV scan.
Level 3: 20K-1M e-commerce transactions/year. Annual SAQ + quarterly ASV scan.
Level 4: < 20K e-commerce transactions/year or < 1M total. Annual SAQ recommended.

Non-compliance fines: $5,000-100,000/month depending on the acquiring bank. In case of breach: up to $500,000 per event + possible exclusion from card processing.

PCI REQUIREMENTS ↔ ITAMITE

Point-by-point mapping

Req. 5 — Antimalware protection

Itamite continuously verifies that an AV is installed and operational (5.2.1), that its definitions have been updated within the last 7 days (5.2.2), that it scans automatically (5.2.3), and that end users cannot disable it (5.2.5). Compatible with CrowdStrike, SentinelOne, Defender, Sophos, ESET and Kaspersky.

Req. 6 — Secure systems and applications

Detection of pending critical patches (6.3.3), software inventory with versions (6.2), alerts on end-of-life (EOL) software, and known CVEs affecting the detected software (6.2.4).

Req. 7 — Function-based access restriction

Detection of local administrator accounts and their justification (7.2), least-privilege policies (7.2.2), periodic access review (7.2.4). AD/Azure AD integration for centralized management.

Req. 8 — Identification and authentication

Password policy covering length, complexity and expiration (8.3), MFA for administrative access (8.4), detection of inactive accounts, Guest account disabled. Complete login audit trail.

Req. 10 — Logging and monitoring

Hash-chained immutable audit log of all administrative activity (10.2), minimum 1-year retention with the most recent 3 months immediately accessible (10.5.1), NTP time synchronization (10.6), automated daily log review (10.4.1).
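To make the "hash-chain immutable audit" idea concrete, here is an added illustration of the technique (example code written for this page, not Itamite's own implementation): each entry carries the hash of the previous entry, so editing, reordering or deleting an entry, even with its own hash recomputed, breaks the chain at the first affected position. The events, the `GENESIS` value and the field names are constructed assumptions.

```python
"""Hash-chained audit log: append tamper-evident entries and verify the chain.
Added illustration of the Req. 10 technique; not Itamite's code."""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry (assumption)


def canonical(entry: dict) -> bytes:
    # Deterministic serialisation so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry: dict) -> str:
    # Hash covers every field except the stored hash itself.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


def append_entry(chain: list, actor: str, action: str, target: str, ts: str) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "ts": ts, "actor": actor,
             "action": action, "target": target, "prev_hash": prev}
    entry["hash"] = entry_hash(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Return (True, None) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev_hash"] != prev or entry_hash(e) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, None


def build_sample_chain() -> list:
    # Constructed sample administrative events (not real data).
    chain = []
    append_entry(chain, "admin@corp.example", "add_local_admin", "POS-017", "2024-03-01T08:00:00Z")
    append_entry(chain, "admin@corp.example", "disable_av", "POS-017", "2024-03-01T08:05:00Z")
    append_entry(chain, "svc-patch", "install_patch", "POS-017", "2024-03-01T09:00:00Z")
    return chain


def tampered_chain() -> list:
    # Entry 1 edited in place: its stored hash no longer matches its content.
    chain = build_sample_chain()
    chain[1]["action"] = "update_av"
    return chain


def rehashed_tamper_chain() -> list:
    # Entry 1 edited and its hash recomputed: entry 2's prev_hash now mismatches.
    chain = build_sample_chain()
    chain[1]["action"] = "update_av"
    chain[1]["hash"] = entry_hash(chain[1])
    return chain


def deleted_entry_chain() -> list:
    # Entry 1 removed: the sequence number at position 1 no longer matches.
    chain = build_sample_chain()
    del chain[1]
    return chain


if __name__ == "__main__":
    print("intact:  ", verify_chain(build_sample_chain()))
    print("edited:  ", verify_chain(tampered_chain()))
    print("rehashed:", verify_chain(rehashed_tamper_chain()))
    print("deleted: ", verify_chain(deleted_entry_chain()))
```

The chain alone proves internal consistency; to bind it to a point in time and a signer, the latest hash is what a periodic signature or an external anchor (a WORM store, a notary service) would cover.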

Req. 11.5 — Unauthorized change detection

Itamite detects changes to each device's critical configuration and alerts on unauthorized modifications (11.5.2). Declarative policies revert changes automatically.
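The change-detection and declarative-revert pattern, as an added illustration (example code for this page, not Itamite's implementation): the device's observed settings are compared against a recorded baseline to flag any change at all, and against a declared policy to flag drift from the desired state; the drift report is then turned into an ordered list of corrective actions. The setting keys, the policy values and the device states are constructed assumptions.

```python
"""Declarative policy check for endpoint configuration: detect any change against
the last-known baseline, detect drift from the declared desired state, and compute
the actions that return the device to that state.
Added illustration of the Req. 11.5 idea; not Itamite's code."""
from dataclasses import dataclass, field

# Desired state declared for the POS device class (constructed example keys).
POLICY_POS = {
    "av.realtime_protection": True,
    "av.user_can_disable": False,
    "firewall.enabled": True,
    "accounts.guest_enabled": False,
    "rdp.enabled": False,
}


@dataclass
class DriftReport:
    device: str
    drifts: dict = field(default_factory=dict)  # key -> (observed, expected)

    def is_compliant(self) -> bool:
        return not self.drifts


def detect_drift(device: str, observed: dict, policy: dict) -> DriftReport:
    """Compare observed settings with the policy; a missing key counts as drift."""
    report = DriftReport(device)
    for key, expected in policy.items():
        value = observed.get(key)
        if value != expected:
            report.drifts[key] = (value, expected)
    return report


def changed_keys(baseline: dict, observed: dict) -> set:
    """Every key whose value differs from the baseline snapshot, policy-relevant or not."""
    return {k for k in baseline.keys() | observed.keys() if baseline.get(k) != observed.get(k)}


def remediation_plan(report: DriftReport) -> list:
    """Ordered (key, value) actions that restore the declared state; ordering is
    deterministic so the plan itself can be logged as audit evidence."""
    return [(key, expected) for key, (_, expected) in sorted(report.drifts.items())]


def apply_plan(observed: dict, plan: list) -> dict:
    """Simulate applying the plan; a real agent would write these settings to the OS."""
    fixed = dict(observed)
    for key, value in plan:
        fixed[key] = value
    return fixed


def sample_baseline() -> dict:
    # Constructed snapshot recorded when the device was enrolled (compliant).
    return {
        "av.realtime_protection": True,
        "av.user_can_disable": False,
        "firewall.enabled": True,
        "accounts.guest_enabled": False,
        "rdp.enabled": False,
    }


def sample_observed_state() -> dict:
    # Constructed current state: RDP turned on, AV made user-disableable,
    # and the firewall setting missing entirely from the report.
    return {
        "av.realtime_protection": True,
        "av.user_can_disable": True,
        "accounts.guest_enabled": False,
        "rdp.enabled": True,
    }


if __name__ == "__main__":
    observed = sample_observed_state()
    print("changed since baseline:", sorted(changed_keys(sample_baseline(), observed)))
    report = detect_drift("POS-017", observed, POLICY_POS)
    for key, (got, want) in sorted(report.drifts.items()):
        print(f"{report.device}: {key} observed={got!r} expected={want!r}")
    plan = remediation_plan(report)
    print("plan:", plan)
    print("compliant after revert:", detect_drift("POS-017", apply_plan(observed, plan), POLICY_POS).is_compliant())
```

Treating a missing key as drift matters: a setting that the agent can no longer read is as much a finding as one with the wrong value, and silently skipping it would hide exactly the kind of change 11.5.2 is meant to surface.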

FAQ

PCI-DSS questions

Is Itamite PCI-DSS compliant?
Itamite does NOT itself store card data (PAN, CVV, etc.), so the PCI scope of the platform itself is limited. Stripe (our payment processor) is PCI-DSS Level 1. Using Itamite does not expand your PCI scope as long as you use it only for IT management.
Does it cover quarterly ASV scan?
Not directly. An ASV scan is an external web vulnerability scan performed by an Approved Scanning Vendor (Qualys, Tenable, Trustwave). Itamite is complementary: it covers internal endpoint state, not perimeter scanning.
And for environments with physical POS?
Especially useful. Each POS terminal must have the Itamite agent, which continuously verifies: AV active, patches up to date, correct configuration, no unauthorized software. This drastically reduces the risk of skimming and POS malware.
Is Itamite report valid for QSA?
Yes, as technical evidence for the covered requirements. The QSA will still perform their own verifications; Itamite reduces audit time by providing prepared, signed evidence.
How much does it reduce QSA audit cost?
Depending on the QSA and the scope, typically a 20-40% reduction in billable hours, because the technical evidence is already prepared in a directly usable format. Some QSAs already recommend tools like Itamite to their clients to speed up the process.

Upcoming PCI-DSS audit?

A demo focused on your PCI level, using a real retail/e-commerce case. We show you the technical report for the QSA.