PCI DSS v4.0 — Payment Card Industry Data Security Standard.
Issuer: PCI Security Standards Council · Year: 2022 (v4.0 published March 2022; its future-dated requirements became mandatory on 2025-03-31) · Source: official text
Scope: Any entity that stores, processes, or transmits cardholder data — merchants, service providers, payment processors, payment-facilitator platforms.
What KYE Protocol™ supplies
PCI DSS v4.0 introduces 64 new requirements (51 of them future-dated best practice until 2025-03-31, mandatory thereafter) and adds the customised approach, under which an entity may meet a requirement's stated objective with controls of its own design, backed by a targeted risk analysis and documented testing. KYE Protocol™ supplies the audit-chain and signed-evidence-pack primitives that make the evidence obligations across Requirements 1–12 structurally enforceable and verifiable offline by the assessing firm.
Per-clause control mapping
| PCI DSS v4.0 clause | KYE Protocol™ binding |
|---|---|
| Req. 1 — Network security controls | Edge Governance Rail — compiled authority bundle + edge arbiter; network policy as a signed declarative artefact. |
| Req. 3 — Protect stored account data | Data Classification Engine — special_category + restricted classes; per-class retention via WORM Object Lock. |
| Req. 7 — Restrict access by need to know | Purpose Permission™ + Authority Scope — every access cites a granted purpose with bounded scope. |
| Req. 8 — Identify users + authenticate access | Entity Engine — every actor has a KYEID URN; agent vs human vs system clearly classified. |
| Req. 10 — Log + monitor all access | Audit Chain (3-tier WORM) — every access is a signed event. The chain construction is part of the patent track and is not disclosed in this repository. |
| Req. 10.7 — Failure detection + alerting | Drift Cascade™ + Reconciliation Engine™ — declared-vs-deployed drift triggers signed events. The cascade propagation mechanism is part of the patent track and is not disclosed in this repository. |
| Req. 11.4 — Penetration testing | Conformance Pack — 133 black-box fixtures + signed conformance-report; rule-pack expansion for sector PCI tests. Supporting evidence only: 11.4 still requires tester-led internal and external penetration tests, at least annually and after significant changes, following a documented methodology. |
| Req. 12 — Information security policy + program | Operating Model + Audit Pilot Agent — signed policy + per-90-day attestation. |
Every binding above resolves to a canonical KYE Protocol™ artefact (engine, schema, audit event, or patent claim). The full per-control register is published in the conformance repo at github.com/KYE-Protocol/app/tree/main/internal.
What an auditor / regulator gets
- Replay Proof™ — re-derive any decision offline from a pinned copy of the publisher's published JWKS, with no back-channel to the KYE™ project at verification time. Because signing keys rotate, the verifier must pin the JWKS snapshot that was current when the decision was signed, not whatever the endpoint serves today.
- Evidence Pack™ — sealed, signed, replayable container of decisions + bound rules + audit-chain anchors.
- Conformance Pack — 133-fixture black-box test suite; signed kye.conformance_report.v1 envelope.
- Audit Chain — per-tenant WORM-anchored audit chain; the specific multi-tier immutability construction is part of the patent track and is not disclosed here.
- Compliance Attestation — per-framework signed kye.compliance.attestation.v1 envelopes (90-day cadence).
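The Replay Proof item above describes verifying a signed decision offline against nothing but the publisher's published JWKS. The Go program below is an added example written for this page; it is not KYE Protocol's code and does not model the kye.* envelope schemas, which this page does not specify. It assumes an envelope shaped as a compact JWS (RFC 7515) signed with EdDSA and carrying a kid header, a key set in RFC 7517 JWKS form, and a constructed decision record as payload. It shows the three outcomes an auditor replaying evidence needs: a genuine envelope verifies, a payload altered after signing is rejected, and an envelope signed under a key the publisher never published is rejected even when it reuses a published kid.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Minimal RFC 7517 key shape: only the fields an Ed25519 (OKP) key needs.
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"`
}

var b64 = base64.RawURLEncoding

// PublishJWKS serialises one public key as the JWKS document the publisher hosts;
// the verifier works from a pinned copy of these exact bytes.
func PublishJWKS(kid string, pub ed25519.PublicKey) []byte {
	out, _ := json.Marshal(map[string][]jwk{"keys": {{Kty: "OKP", Crv: "Ed25519", Kid: kid, X: b64.EncodeToString(pub)}}})
	return out
}

// Sign produces a compact JWS (RFC 7515) with alg=EdDSA over payload, tagged with kid.
func Sign(priv ed25519.PrivateKey, kid string, payload []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// Verify replays a compact JWS against a pinned JWKS with no network access, returning the
// payload only if alg is the pinned one, kid resolves to a published key, and the signature holds.
func Verify(jwksJSON []byte, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS: expected three segments")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil {
		return nil, errors.New("malformed JWS header")
	}
	// Pin the algorithm on the verifier side; never let the token choose it.
	if hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	var set struct{ Keys []jwk }
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return nil, err
	}
	var pub ed25519.PublicKey
	for _, k := range set.Keys {
		if k.Kid == hdr.Kid && k.Kty == "OKP" && k.Crv == "Ed25519" {
			if raw, err := b64.DecodeString(k.X); err == nil && len(raw) == ed25519.PublicKeySize {
				pub = ed25519.PublicKey(raw)
			}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("kid %q not present in pinned JWKS", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature does not verify under the published key")
	}
	return b64.DecodeString(parts[1])
}

// Demo walks the three cases a replaying auditor cares about. The decision
// record below is constructed for this example; it is not the project's schema.
func Demo() (accepted, tamperedRejected, rogueKeyRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	published := PublishJWKS("publisher-2025-q1", pub)
	decision := []byte(`{"event":"access.decision","actor":"agent-42","purpose":"chargeback-review","result":"allow"}`)
	token := Sign(priv, "publisher-2025-q1", decision)
	got, err := Verify(published, token)
	accepted = err == nil && string(got) == string(decision)

	// Flip the verdict in the payload segment without re-signing.
	parts := strings.Split(token, ".")
	parts[1] = b64.EncodeToString([]byte(strings.ReplaceAll(string(decision), `"allow"`, `"deny"`)))
	_, err = Verify(published, strings.Join(parts, "."))
	tamperedRejected = err != nil

	// Reuse the published kid under a key the publisher never issued, so the
	// check has to fall through to the signature itself.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	_, err = Verify(published, Sign(rogue, "publisher-2025-q1", decision))
	rogueKeyRejected = err != nil
	return
}

func main() { fmt.Println(Demo()) }
```

Two design choices carry the security weight. The verifier pins the algorithm rather than reading it from the token, so an envelope claiming alg=none or a different algorithm is refused before any key lookup. And the key set is a byte string the auditor holds, not a URL fetched at verification time: that is what makes the replay offline, and it is also why the audit package must record which JWKS snapshot was in force when each envelope was signed, since a rotated key set would fail to verify otherwise-genuine historical evidence.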
Adjacent paths
- All frameworks — the framework catalogue (this is a deep-dive).
- For regulators — what supervisors see.
- For auditors · Onboard your firm
- Whitepaper — the technical foundation.
- Apply for a regulated pilot — banking-grade scoped engagement.