This site is an independent technical reference. It is not affiliated with or endorsed by Recorded Future, Mandiant, Google Cloud, CrowdStrike, Microsoft, Anomali, ThreatConnect, EclecticIQ, Intel 471, Flashpoint, Palo Alto Networks, Unit 42, Cisco, Fortinet, SentinelOne, IBM, Dropzone AI, Prophet Security, Torq, Cyware, Radiant Security, Tenable, Qualys, Rapid7, DomainTools, SOCRadar, or any other vendor, project, or framework named on this site. MISP, OpenCTI, TheHive, and YARA are trademarks of their respective maintainers. All other trademarks belong to their respective owners. Pricing, feature, and platform-capability information was verified in April 2026 and may have changed since publication.

Some outbound links on this site may be affiliate links. Affiliate relationships do not influence ranking, verdicts, pricing data, or editorial positions. Where a verdict or comparison could be paid-placement-adjacent we mark it explicitly; otherwise assume zero vendor input.

Threat intelligence for PCI-DSS: 11.5, 12.10, 12.11 evidence

How threat intelligence maps onto PCI-DSS 4.0.1 detection and incident-response requirements, what QSAs at Coalfire, ControlScan, and NCC Group expect to see, and what costs the evidence really runs at.

Last verified: May 2026. Independent reference. Not legal or QSA advice; engage your QSA for your specific scope.

PCI-DSS 4.0.1 requirements affected by CTI

PCI-DSS 4.0.1, effective 31 March 2025 as the only supported version, has roughly twenty sub-requirements where a CTI programme contributes evidence. The eight below carry the most weight in 2026 QSA fieldwork, with the heaviest concentration in requirement 11.5 (intrusion detection) and requirement 12.10 (incident response).

Requirement | What it covers | CTI evidence | QSA emphasis
--- | --- | --- | ---
6.3.1 | Identify and address vulnerabilities | Vulnerability intel feed (NVD, vendor advisories) | How quickly do new CVEs reach your patch list?
6.3.3 | Address critical vulnerabilities within one month | Documented prioritisation tied to CTI severity scoring | Show me a CVE that hit your CDE in the past quarter
11.5.1 | IDS or IPS detects and alerts on intrusions | Signature updates sourced from CTI feeds | Show me the signature update flow
11.5.2 | Change detection monitoring on critical files | FIM tooling tuned to CTI-known malware paths | How does the FIM tooling know what to watch?
11.6.1 | Detect and respond to unauthorised changes on payment pages | Skimmer intelligence feed (Magecart, web skimmer) | How would you know your payment page was compromised today?
12.10.4 | Incident response personnel are available | On-call rota plus CTI-informed playbook | Show me the IR runbook for credential-stuffing
12.10.5 | IR plan includes monitoring and response to detection systems | IR playbook cross-references to CTI sources | Where in the playbook do you reference threat intel?
12.11.1 | Review security event sources at least every 12 months | Annual feed inventory review document | Show me the last review log

Source: PCI SSC PCI-DSS 4.0.1 (April 2024 release, effective 31 March 2025). QSA emphasis is a composite drawn from publicly available Report on Compliance (RoC) templates from Coalfire and ControlScan.

Requirement 11.5: where CTI feeds the IDS

Requirement 11.5.1 calls for intrusion detection or intrusion prevention techniques to detect and alert on intrusions into the network, and to be kept current. The phrase "kept current" is the testable bit. QSAs read this as: the signature set or rule corpus is fed by an active intelligence source, and there is documented evidence that updates flow on a defined cadence.

A merchant running Suricata in front of the cardholder data environment is the simplest pattern. ET Open (Emerging Threats Open) rules are free and updated daily; ET Pro (Proofpoint) is a paid feed; commercial subscribers pull from Recorded Future, Mandiant, or vendor-specific feed bundles. The QSA wants to see the signature source, the update mechanism (cron, signature-update daemon), and the last update timestamp. A signature corpus dated nine months ago is a finding.
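The "last update timestamp" evidence can be produced from the rule corpus itself rather than from a cron log. As an added example (not from this page or any vendor), the Python check below reads an ET-style Suricata rules file and reports the newest signature update against a maximum age; it assumes the `updated_at YYYY_MM_DD` metadata key that Emerging Threats rules carry, the 30-day threshold is an assumed cadence, and the three rules are constructed.

```python
import re
from datetime import date

# Constructed sample in the style of an ET rules file: three signatures, the third
# lacking an updated_at field. Nothing here is a real Emerging Threats rule.
SAMPLE_RULES = """\
# constructed sample rules for the evidence check
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE Web skimmer exfil beacon"; flow:established,to_server; content:"/collect"; http_uri; classtype:trojan-activity; sid:9000001; rev:3; metadata:created_at 2023_11_02, updated_at 2025_10_14;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE Credential stuffing tool SNI"; tls.sni; content:"stuffer.example"; classtype:policy-violation; sid:9000002; rev:1; metadata:created_at 2024_03_09, updated_at 2024_03_09;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"SAMPLE Suspicious outbound port"; flow:to_server; classtype:policy-violation; sid:9000003; rev:1;)
"""

UPDATED_AT = re.compile(r"\bupdated_at\s+(\d{4})_(\d{2})_(\d{2})")
SID = re.compile(r"\bsid:\s*(\d+)")

def rule_lines(text):
    """Yield rule lines, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def newest_update(text):
    """Return (newest updated_at date or None, rule count, sids lacking updated_at)."""
    newest, count, missing = None, 0, []
    for line in rule_lines(text):
        count += 1
        m = UPDATED_AT.search(line)
        if not m:
            s = SID.search(line)
            missing.append(s.group(1) if s else "unknown")
            continue
        d = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
        if newest is None or d > newest:
            newest = d
    return newest, count, missing

def currency_verdict(text, today_iso, max_age_days=30):
    """Evidence record: PASS when the newest signature update is within max_age_days of today_iso."""
    today = date.fromisoformat(today_iso)   # passed in so the check is reproducible for the QSA
    newest, count, missing = newest_update(text)
    if newest is None:
        return {"status": "FAIL", "reason": "no updated_at metadata in corpus", "rules": count}
    age = (today - newest).days
    return {"status": "PASS" if age <= max_age_days else "FAIL",
            "newest_updated_at": newest.isoformat(), "age_days": age,
            "rules": count, "rules_without_updated_at": missing}
```

Run it against the deployed rules directory on the review cadence and keep the returned record with the date; the `rules_without_updated_at` list is also what a QSA will ask about when local rules have no provenance.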

For SIEM-based detection (Splunk Enterprise Security, Microsoft Sentinel, Sumo Logic, Chronicle), the same logic applies to detection content. Sigma rule corpus, SOC Prime Marketplace, Splunk ESCU, and Sentinel built-in content all qualify provided the rule set is current and is informed by intelligence sources you can name.

Requirement 11.6.1 is newer in 4.0.1 and specific to e-commerce: detect and respond to unauthorised changes on payment pages. The threat here is web skimmers (Magecart and successors). Intel sources include Sansec, RiskIQ (now Microsoft Defender External Attack Surface Management), and PerimeterX (now HUMAN) public threat data. QSAs in 2026 are scrutinising 11.6 evidence more heavily than they did in 4.0; expect to be asked specifically how you would detect a skimmer injection within hours, not days.

For organisations integrating threat intel with their SIEM, see AI threat intel with Splunk or AI threat intel with Microsoft Sentinel. The integration patterns shown there satisfy 11.5 with documented evidence chains.

Requirement 12.10: where CTI shapes the IR playbook

Requirement 12.10 has eight sub-requirements covering the incident response programme. The two where CTI carries weight are 12.10.4 (response personnel availability) and 12.10.5 (IR plan includes monitoring and response to security detection systems including but not limited to intrusion detection systems, intrusion prevention systems, firewalls, and file integrity monitoring).

12.10.5 effectively requires that your IR playbook reference intelligence sources by name. The QSA will read the playbook and look for explicit hooks: which intel source fires which trigger, what action follows. A playbook that says "respond to alerts from the SIEM" passes a literal reading but fails a thorough QSA. A playbook that says "credential-stuffing alerts from the SIEM correlated against the dark-web credential leak feed trigger the credential-stuffing run-book" is what 12.10.5 actually wants.

12.10.4, on personnel availability, is straightforward: who is on call, when, and how do they receive the alert. A pager-style on-call rotation with documented coverage gaps closed is the bar. The CTI angle is that the on-call analyst must know the intelligence sources well enough to act on the alerts they generate; this is a training and runbook issue more than a technology issue.

Requirement 12.10.7 added in 4.0 covers procedures for responding to PAN suspected to be lost. CTI evidence here includes dark-web monitoring for cardholder data leakage. See dark-web monitoring AI for vendor options. Cyberint, SOCRadar, Flashpoint Ignite, and Recorded Future all cover this; Cyberint and SOCRadar are commonly recommended for cost-sensitive deployments.

Stack patterns by merchant level

Recommended CTI stack varies by PCI merchant level. The patterns below assume the cardholder data environment is properly scoped and segmented; CTI is a layer on top of, not a substitute for, network segmentation and tokenisation.

Level 4 (under 20,000 transactions/year)

OSS-only acceptable

MISP plus Suricata with ET Open rules plus Wazuh for FIM. Update cadence weekly. Single analyst (often part-time) for review. Total cost $300 to $700 per month. SAQ-A or SAQ-A-EP scope.

Level 3 (20,000 to 1M transactions/year)

OSS plus one commercial feed entry tier

MISP plus OpenCTI plus Suricata with ET Pro plus Wazuh. Add SOCRadar or Cyberint entry tier for dark-web monitoring and brand-protect. $50,000 to $80,000 per year stack cost.

Level 2 (1M to 6M transactions/year)

Hybrid OSS plus mid-tier commercial

Full OSS knowledge graph (OpenCTI plus MISP plus TheHive plus Cortex) plus Recorded Future Core or equivalent plus a SIEM with managed detection content. $100,000 to $200,000 per year stack cost plus SIEM cost.

Level 1 (over 6M transactions/year)

Enterprise stack with attested vendors

Recorded Future Professional or Elite, plus Mandiant Advantage, plus brand-protect (ZeroFox or Cyberint), plus internal SOC with 24x7 coverage. $300,000 to $600,000 per year stack cost. Usually paired with an MDR provider for off-hours coverage; see mdrcost.com.

For QSA fee ranges and end-to-end PCI-DSS audit cost see pcicompliancecost.com. QSA assessment fees are typically $40,000 to $200,000 per year depending on scope and merchant level.

11.6 is where most 2026 findings are landing

Of the new 4.0.1 requirements, 11.6 is generating the most QSA findings in 2026. The requirement is to detect and respond to unauthorised changes on payment pages, with a tolerance period that QSAs commonly read as "within hours, not days". The threat model is web skimmers: Magecart-family supply-chain injections that lift cardholder data from the checkout form before it reaches your server.

Detection patterns in 2026 fall into three categories. The first is content security policy plus subresource integrity (CSP plus SRI), which prevents the injection at the browser level; this is defensive rather than detective and does not alone satisfy 11.6.1. The second is real-user monitoring with script-allowlist enforcement (Akamai Page Integrity Manager, Imperva Client-Side Protection, HUMAN Code Defender, Datadog RUM with custom monitors). The third is an automated periodic crawl of the checkout flow looking for unexpected scripts (Sansec, PCI Pal, custom Puppeteer scripts).

CTI feeds plug into all three. A skimmer-IoC feed (Sansec, Microsoft Defender External Attack Surface Management formerly RiskIQ) provides known-bad domains and JavaScript fingerprints that get loaded into the allowlist enforcement layer or matched against crawl results. Without an active intel feed, your detection only catches skimmers you already know about; with the feed, you catch the next variant when it shows up in someone else's environment first.
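To make the third pattern concrete, here is an added example (not from this page or any of the vendors named) of the comparison step a periodic checkout crawl performs: it parses a page snapshot, checks every external script host against the merchant's allowlist and a skimmer-IoC feed, flags scripts without SRI, and hashes inline scripts against a baseline. The page, allowlist, feed entry and SRI value are all constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed inputs: a checkout page snapshot, the merchant's script allowlist
# and a skimmer-IoC feed. Hostnames and the SRI value are placeholders only.
CHECKOUT_HTML = """<html><head>
<script src="https://checkout.example.com/js/cart.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.payments-example.com/sdk.js"></script>
<script src="https://stat-collector.bad.test/analytics.min.js"></script>
<script>window.cart = {};</script></head><body></body></html>"""
ALLOWED_HOSTS = {"checkout.example.com", "cdn.payments-example.com"}
SKIMMER_IOC_HOSTS = {"stat-collector.bad.test"}
# Hash of the one inline script the merchant ships; the crawl compares against it.
BASELINE_INLINE = {hashlib.sha256(b"window.cart = {};").hexdigest()}

class ScriptCollector(HTMLParser):
    """Collects (host, has_sri) for external scripts and a hash per inline script."""
    def __init__(self):
        super().__init__()
        self.external, self.inline_hashes, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((urlsplit(a["src"]).hostname, "integrity" in a))
        else:
            self._buf = []  # start capturing an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())
            self._buf = None

def audit_checkout_page(html, allowed_hosts, ioc_hosts, baseline_inline):
    """Findings for an 11.6.1 check: IoC hits, unlisted hosts, missing SRI, changed inline code."""
    p = ScriptCollector()
    p.feed(html)
    f = {"known_bad": [], "unexpected": [], "missing_sri": []}
    for host, has_sri in p.external:
        if host in ioc_hosts:
            f["known_bad"].append(host)    # matched the skimmer-IoC feed
        elif host not in allowed_hosts:
            f["unexpected"].append(host)   # not allowlisted: treat as a page change
        if not has_sri:
            f["missing_sri"].append(host)  # no SRI, so a CDN-side swap would pass unnoticed
    f["changed_inline"] = [h for h in p.inline_hashes if h not in baseline_inline]
    return f
```

Any non-empty `known_bad`, `unexpected` or `changed_inline` list is the trigger the 12.10.5 playbook should reference by name; a populated `missing_sri` list is a hardening gap to record, not an incident.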

For the broader brand-impersonation monitoring problem (typosquatted checkout pages, clone storefronts), see AI brand-impersonation monitoring. Skimmer and brand-protect intel often come from the same vendor in 2026 (Cyberint and SOCRadar both cover both).

FAQ

Does PCI-DSS 4.0.1 require a threat intelligence feed?

The PCI-DSS 4.0.1 standard does not name a specific vendor or feed. Requirement 12.10.5 requires the IR plan to include monitoring and responding to security and threat detection systems, and 12.10.4 requires personnel responsible for responding to alerts to be available. Requirement 12.11.1 requires reviewing security event sources at least every 12 months. In practice, QSAs at Coalfire, ControlScan, and NCC Group expect to see a documented intelligence source feeding either an IDS or SIEM in scope of the cardholder data environment.

How does requirement 11.5.1 affect threat intelligence?

Requirement 11.5.1 in PCI-DSS 4.0.1 requires intrusion detection or intrusion prevention techniques to detect and alert on intrusions into the network. The IDS or IPS signatures should be kept current. A documented connection from a threat intelligence source to the signature update flow is the cleanest QSA evidence. For organisations using a managed SIEM (Microsoft Sentinel, Splunk Enterprise Security, Sumo Logic), the SIEM detection content backed by a current CTI source meets the same standard.

What CTI evidence does a QSA actually want to see?

QSAs typically request three artefacts. First, the CTI source inventory: which feeds you ingest, when they update, and who is responsible. Second, the detection-to-intelligence trace: take three detection rules in your IDS or SIEM that touch the cardholder data environment, and show the threat intelligence source that informed them. Third, a sample case from the past 90 days where a CTI-sourced indicator fired in the cardholder data environment, with the triage and resolution. A QSA who sees those three artefacts will not raise a 11.5 or 12.10 finding.

Can OSS threat intel meet PCI-DSS evidence requirements?

Yes. MISP feeding signatures into Suricata or Zeek, or feeding indicators into a Splunk or Sentinel SIEM, is auditable and meets PCI-DSS expectations provided the documentation is consistent. The risk with OSS-only is operational continuity. Many QSAs are happy with OSS in the technical layer provided there is a documented analyst review cadence at least monthly. A commercial feed (Recorded Future, Mandiant, SOCRadar) provides a vendor SOC 2 attestation to drop into your vendor management evidence; this can simplify the QSA conversation but is not required by the standard.

What does CTI for PCI-DSS cost in 2026?

An OSS-only CTI stack sufficient for PCI-DSS evidence is $300 to $1,500 per month in infrastructure plus analyst time. Adding a commercial entry feed (SOCRadar, Recorded Future Core, Cyberint) lands at $50,000 to $120,000 per year. Most level 1 and 2 merchants pursuing 4.0.1 attestation budget within that band. Premium enterprise feeds are not required by the standard and are rarely justified by PCI scope alone; they get budgeted when fraud risk or brand-protect scope is part of the same conversation.

Updated 2026-05-11