Frontrow Technology
← Wiki

Cyber & compliance frameworks

PCI-DSS 4.0 — what Australian merchants must do and which Microsoft tools help

PCI-DSS 4.0 is the current standard for protecting cardholder data, outlining security requirements for organisations that process, store, or transmit payment card information.

Last reviewed 3 July 2026

What PCI-DSS 4.0 does

PCI-DSS 4.0 establishes a baseline security standard to reduce credit card fraud. It outlines twelve key requirements, grouped into six control objectives: network security, cardholder data protection, vulnerability management, access control measures, regularly monitoring and testing networks, and maintaining an information security policy. Version 4.0 introduces a Customised Approach, allowing organisations greater flexibility in how they meet requirements, while strengthening authentication controls, notably mandating multi-factor authentication for all access to the Cardholder Data Environment (CDE).

PCI-DSS 4.0 in Australian tenants today

AU mid-market merchants are subject to PCI-DSS based on their transaction volume and data handling practices. Level 1 merchants require a Qualified Security Assessor (QSA) attestation, while Level 2–4 merchants can often self-assess using a Self-Assessment Questionnaire (SAQ). The shift towards self-assessment at lower levels reduces costs, but only if internal controls are genuinely in place and evidenced rather than asserted. Microsoft Compliance Manager can assist in mapping PCI-DSS controls and gathering evidence, while Defender for Cloud helps identify vulnerabilities and misconfigurations within the CDE. Adherence to PCI-DSS is crucial for avoiding penalties and maintaining customer trust, and is a consideration for organisations subject to APRA CPS 234.

Want Frontrow to walk this through with your team?

30 minutes. No deck. A senior Frontrow consultant walks through your tenant, your priorities, and the next sensible move.