PCI DSS compliance — what GateTest actually catches
Payment Card Industry Data Security Standard (v4.0)
PCI DSS v4.0 replaced v3.2.1 on 31 March 2024, and its remaining future-dated requirements became mandatory on 31 March 2025. v4.0 specifically calls out client-side script integrity on payment pages (Requirement 6.4.3), strong cryptography for cardholder data in transit (Requirement 4.2), and the handling of authentication credentials (Requirement 8.3, plus 8.6.2, which bans passwords hard-coded in scripts, configuration files and custom code). Every one of those is visible in source before a QSA ever sees it.
The regime
Payment Card Industry Data Security Standard (v4.0). Global: it applies to any entity that stores, processes, or transmits cardholder data, and is enforced contractually through the card networks and acquiring banks rather than by statute. v4.0 was published in March 2022, became mandatory on 31 March 2024 when v3.2.1 was retired, and its future-dated requirements took effect on 31 March 2025; the current text is the v4.0.1 revision of June 2024, which clarified wording without adding or removing requirements.
Maximum penalty: the card networks (Visa, Mastercard) do not publish a fine schedule; commonly cited figures are $5,000 to $100,000 per month, levied on the merchant's acquirer and passed through to the merchant under its merchant agreement. Forensic investigation costs, card reissuance and the risk of losing the ability to accept cards typically dwarf the fines.
Authoritative source: https://www.pcisecuritystandards.org/standards/pci-dss/
Technical findings GateTest catches for PCI DSS
Each item ties a specific code-level pattern to a PCI DSS v4.0 requirement. These are the findings a QSA samples from your code base.
- Hardcoded API keys or DB credentials in source touching cardholder data: Req. 8.6.2 (no passwords hard-coded in scripts, configuration files or custom code) and 8.3.2 (authentication factors rendered unreadable in storage).
- TLS validation disabled (rejectUnauthorized: false, verify=False) on any path moving card data: Req. 4.2.1 (strong cryptography, with valid certificates, protecting PAN in transit over open, public networks). Disabling validation leaves the encryption but removes the authentication, so any on-path host can read the traffic.
- Currency arithmetic in IEEE-754 floats on amount / total / charge variables: Req. 6.2.4 (engineering techniques against attacks on data and business logic). PCI DSS does not name floating point; this is a correctness finding that a QSA reads as evidence about your secure development practice. Use integer minor units or a decimal type.
- PAN-shaped or CVV-shaped values logged via console / logger: Req. 3.3.1 (sensitive authentication data, CVV included, is not retained after authorisation) and 3.5.1 (PAN is rendered unreadable wherever it is stored). Log files are storage.
- Outdated dependencies with known CVEs in card-handling services: Req. 6.3.2 (inventory of third-party components in bespoke and custom software) and 6.3.3 (critical and high-severity patches installed within one month of release).
- Cookies on payment endpoints set without HttpOnly / Secure: Req. 6.2.4 (attacks on authentication and access-control mechanisms); a session cookie readable by script or sent over plaintext is a session-theft path.
- Missing CSP on payment pages: Req. 6.4.3 (every script on a payment page is authorised, integrity-checked and inventoried; CSP is one accepted way to meet the first two), with 11.6.1 (tamper detection on payment-page headers and content) as its companion. New in v4.0, mandatory since 31 March 2025.
- Wildcard or origin-reflecting CORS with credentials on payment endpoints: Req. 6.2.4. Browsers refuse Access-Control-Allow-Origin: * together with credentials, so the exploitable variant is a server that echoes the request Origin; both are flagged because the wildcard shows the intent and usually gets "fixed" into reflection.
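As an added illustration (not GateTest's own engine and not code from this page), the block below is a small line-level scanner in JavaScript that applies several of the patterns above to constructed sample source and tags each hit with the PCI DSS v4.0 requirement it maps to. The regular expressions, rule names and sample lines are assumptions made for the example; a production scanner works on the AST, and missing CSP and outdated dependencies are page- and manifest-level checks, so they are left out.

```javascript
// Added illustrative line scanner, not GateTest's engine. Applies a few of the
// PCI DSS-relevant source patterns to constructed sample lines and tags each
// hit with the PCI DSS v4.0 requirement. The regexes are assumptions about how
// these patterns look in JS/Python source.

// Luhn check: a 13-19 digit run that passes it is PAN-shaped; an order id or
// timestamp of the same length usually is not.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

const LOG_CALL = /\b(console|logger|log)\.\w+\s*\(/;
const CARD_NAMES = /\b(pan|card_?number|cvv2?|cvc|security_?code)\b/i;

// One predicate per finding; req is the PCI DSS v4.0 requirement number.
const RULES = [
  {
    id: 'hardcoded-credential',
    req: '8.6.2 / 8.3.2',
    test: (l) => /\b\w*(key|secret|password|passwd|token)\b\s*[:=]\s*['"][^'"]{8,}['"]/i.test(l),
  },
  {
    id: 'tls-verification-disabled',
    req: '4.2.1',
    test: (l) => /rejectUnauthorized\s*:\s*false|verify\s*=\s*False|NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0/.test(l),
  },
  {
    id: 'float-currency-arithmetic',
    req: '6.2.4',
    // a money-named variable on the same line as a float literal or parseFloat()
    test: (l) => /\b(amount|total|charge|price)\w*/i.test(l) && /parseFloat\(|\b\d+\.\d+\b/.test(l),
  },
  {
    id: 'pan-or-cvv-logged',
    req: '3.3.1 (CVV) / 3.5.1 (PAN)',
    // a logging call that names a card field or carries a Luhn-valid digit run
    test: (l) => LOG_CALL.test(l) &&
      (CARD_NAMES.test(l) || (l.match(/\b\d{13,19}\b/g) || []).some(luhnValid)),
  },
  {
    id: 'cookie-missing-flags',
    req: '6.2.4',
    // handles both the res.cookie() options object and a raw Set-Cookie header
    test: (l) => /\.cookie\(|Set-Cookie/i.test(l) &&
      !(/httpOnly\s*:\s*true|;\s*HttpOnly\b/i.test(l) && /secure\s*:\s*true|;\s*Secure\b/i.test(l)),
  },
  {
    id: 'cors-wildcard-with-credentials',
    req: '6.2.4',
    // origin: true and req.headers.origin (origin reflection) are the variants
    // browsers honour with credentials; '*' is rejected but is still a misconfig
    test: (l) => /credentials\s*:\s*true/i.test(l) &&
      /origin\s*:\s*(['"]\*['"]|true|req\.headers\.origin)/i.test(l),
  },
];

// Run every rule over every line; returns one finding per (line, rule) hit.
function scan(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.test(line)) findings.push({ line: i + 1, id: rule.id, req: rule.req });
    }
  });
  return findings;
}

// Constructed sample source: the key is a placeholder, the PAN is the public
// 4111 1111 1111 1111 test number. The last line is the hardened cookie call
// and should produce no finding.
const SAMPLE = [
  'const STRIPE_KEY = "sk_live_placeholder_0123456789";',
  'const agent = new https.Agent({ rejectUnauthorized: false });',
  'const total = amount * 1.0725;',
  "console.log('charging card', cardNumber, 'cvv', cvv);",
  "logger.debug('test fixture PAN 4111111111111111');",
  "res.cookie('session', sessionId);",
  "app.use(cors({ origin: '*', credentials: true }));",
  "res.cookie('session', sessionId, { httpOnly: true, secure: true, sameSite: 'strict' });",
].join('\n');

for (const f of scan(SAMPLE)) {
  console.log(`line ${f.line}: ${f.id} (PCI DSS v4.0 Req. ${f.req})`);
}
```

Running it reports one finding for each of the first seven sample lines and none for the eighth. The Luhn filter is the detail worth copying: without it, every 16-digit order number in a log statement becomes a false PAN finding, and the report loses credibility with the developers who have to triage it.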
Out of scope — what you still need humans for
GateTest is a code scanner. PCI DSS compliance is a programme, not a tool. These items will never be answerable from source code alone.
- Quarterly external ASV scans against your perimeter (Req. 11.3.2) — requires a PCI-approved scanning vendor.
- Network segmentation evidence (Req. 1) and the segmentation penetration test that validates it (Req. 11.4.5): needs network-level testing.
- Penetration testing (Req. 11.4) — human red-team work.
- Physical security of card-handling locations (Req. 9).
- Personnel security policies, security-awareness training, and incident-response plans (Req. 12).
How GateTest fits a compliance programme
GateTest is a code-quality and security scanner. It belongs in your CI pipeline, not in your auditor's office. We catch the technical findings auditors look for — secrets, missing rotation, weak TLS, PII in logs, dangerous dependencies — so the audit becomes a paperwork exercise instead of an emergency.
Try a $29 Quick scan on your repo
See the PCI DSS-relevant findings on your own code in under 15 seconds. Free preview. Pay only if you ship the report.
Start a scan →