learn-cyber · lesson 9 · hospitality

PCI-DSS: what hotels owe

Why every card-taking hotel is in scope, exactly which requirements your Wazuh service helps satisfy — and how to say so honestly without becoming a liability.

Your mission: Hotels take cards, so hotels are in PCI-DSS scope — and they know it's a headache. This is one of your sharpest sales angles, but only if you get the claims exactly right. This lesson gives you the honest value story: the requirements Wazuh genuinely helps with, the audit evidence you produce monthly, and the line you must never cross — promising "compliance" you can't deliver alone.

What PCI-DSS is, and who's in scope

PCI DSS — the Payment Card Industry Data Security Standard — is the mandatory rulebook for anyone who stores, processes, or transmits cardholder data. That phrasing is the whole ballgame: if a hotel takes a card, it is in scope. Every hotel is in scope. The standard is maintained by the PCI Security Standards Council (PCI SSC). [1]

The current version is PCI DSS v4.0.1. Version 4.0 was retired at the end of 2024, and the future-dated v4 requirements became mandatory in March 2025 — so "we follow PCI" without a version number is already a red flag. Always pull the actual standard from the PCI SSC Document Library rather than trusting a blog summary (including this one). [2]

Key idea: PCI DSS is 12 requirements grouped under 6 control objectives. How a merchant proves compliance depends on how it handles cards — captured by which SAQ (Self-Assessment Questionnaire) type applies. You don't need all 12 memorized. You need the few a SIEM directly supports — because those are the ones you sell.

Where Wazuh genuinely helps

This is your value map: requirement → Wazuh capability. Be precise here. Each of these is something you can demonstrate from a hotel's dashboard tenant.

Requirement 10 — log and monitor all access

This is the heart of it. Requirement 10 says: log and monitor all access to system components and cardholder data. It demands centralized log collection, regular log review, synchronized time across systems, and log retention. That description is a SIEM. Wazuh does log collection, analysis, alerting, and searchable retention directly.

Note the retention expectation precisely, because hotels and assessors ask: keep audit logs for at least 12 months, with at least the most recent 3 months immediately available for analysis. Your indexer is what makes "show me every access to the PMS in March" answerable in seconds.
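One way to turn that retention expectation into a check you can run before an assessor asks, as an added example (not Wazuh tooling, and not from the course): it assumes the Wazuh indexer's default daily alert index naming (wazuh-alerts-4.x-YYYY.MM.DD), models "12 months" as the last 365 days and "most recent 3 months" as the last 90 days, and takes the list of indices in the hot (immediately searchable) tier as a separate input. The index names and reference date are constructed sample data.

```python
"""Audit-log retention check against the PCI DSS Requirement 10 expectation
(12 months retained, most recent 3 months immediately available).

Added example, not Wazuh's own tooling. Assumes daily alert indices named
wazuh-alerts-4.x-YYYY.MM.DD and that the tenant's hot tier is the set of
index names passed in as `hot_indices`. All sample data is constructed."""

import re
from datetime import date, timedelta

INDEX_RE = re.compile(r"^wazuh-alerts-4\.x-(\d{4})\.(\d{2})\.(\d{2})$")


def index_dates(index_names):
    """Map each daily alert index to its calendar date; names that do not
    follow the expected pattern are ignored rather than guessed at."""
    out = {}
    for name in index_names:
        m = INDEX_RE.match(name)
        if m:
            y, mo, d = (int(g) for g in m.groups())
            out[name] = date(y, mo, d)
    return out


def retention_gaps(index_names, today, hot_indices=None,
                   retain_days=365, hot_days=90):
    """Return (missing, cold): dates within the last `retain_days` that have
    no index at all, and dates within the last `hot_days` whose index exists
    but is not in the hot tier. Two empty lists mean the tenant meets the
    12-month / 3-month expectation as modelled here. When `hot_indices` is
    None every existing index is treated as hot."""
    dates = index_dates(index_names)
    have = set(dates.values())
    hot_names = index_names if hot_indices is None else hot_indices
    hot = {dates[n] for n in hot_names if n in dates}
    missing, cold = [], []
    for back in range(retain_days):
        day = today - timedelta(days=back)
        if day not in have:
            missing.append(day)
        elif back < hot_days and day not in hot:
            cold.append(day)
    return missing, cold


# Constructed tenant (reference date is also constructed): 365 daily indices
# with a three-day gap about 200 days back, e.g. a retention policy that ran
# too early, and a hot tier covering the last 90 days except one index that
# was closed by mistake.
TODAY = date(2025, 4, 30)


def _name(d):
    return f"wazuh-alerts-4.x-{d:%Y.%m.%d}"


SAMPLE_INDICES = [_name(TODAY - timedelta(days=b)) for b in range(365)
                  if b not in (200, 201, 202)]
SAMPLE_HOT = [_name(TODAY - timedelta(days=b)) for b in range(90) if b != 45]


def summary(index_names, today, hot_indices=None):
    """Human-readable verdict for the monthly evidence pack."""
    missing, cold = retention_gaps(index_names, today, hot_indices)
    lines = [f"Retention check as of {today.isoformat()}"]
    lines.append(f"  days with no index in last 365: {len(missing)}")
    lines += [f"    {d.isoformat()}" for d in missing]
    lines.append(f"  days in last 90 not immediately searchable: {len(cold)}")
    lines += [f"    {d.isoformat()}" for d in cold]
    lines.append("  verdict: " + ("PASS" if not missing and not cold else "GAPS FOUND"))
    return lines


if __name__ == "__main__":
    print("\n".join(summary(SAMPLE_INDICES, TODAY, SAMPLE_HOT)))
```

In a real tenant you would feed `index_names` from the indexer's index list (the `_cat/indices` output, for instance) and `hot_indices` from whatever your tiering or index-lifecycle setup reports as open; the point is that the report lists specific dates, which is what an assessor wants to see rather than a yes/no.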

File Integrity Monitoring

PCI requires change-detection / FIM on critical files (historically requirement 11.5, and tied to the change-detection language in requirement 10). Wazuh's FIM does this directly — the same capability you pointed at PMS config and POS binaries in Lesson 8 is a named PCI control.

Requirement 5 — protect against malware

Requirement 5 covers anti-malware. Wazuh is not an antivirus — say that plainly — but its process and anomaly detection, plus integration signals, contribute monitoring that supports this requirement. You add detection and visibility on top of whatever AV the hotel runs.

Requirement 6 — patch known vulnerabilities

Requirement 6 is about developing and maintaining secure systems, including patching known vulnerabilities. Wazuh's vulnerability detection finds unpatched software inside the cardholder environment — exactly the kind of gap (recall CVE-2023-21932 on the PMS) that this requirement exists to close.

Requirement 8 — identify & authenticate access

Requirement 8 governs identifying and authenticating users. Wazuh detects failed logins, brute force, and anomalous authentication — the monitoring side of access control that proves the policy is actually being watched.

The shortcut you get for free: Wazuh ships a PCI DSS compliance mapping built in: its rules are tagged with PCI requirement numbers, and there's a PCI DSS dashboard. That means your alerts can be reported by PCI requirement — so when a hotel asks "show me our Requirement 10 evidence," it's a filter, not a research project. See the regulatory-compliance feature noted in the Wazuh Getting Started overview. [3]

The honesty line — do not cross it

Here is the most important paragraph in the lesson. Wazuh helps you satisfy the logging, monitoring, FIM, and detection requirements. Wazuh is not, by itself, "PCI compliance." Full compliance also needs network segmentation, encryption of cardholder data, access-control policies, physical security, secure development, and a QSA / SAQ assessment process — none of which a SIEM provides.

Scope your claims — this protects you legally. Overpromising PCI compliance is a real liability. If a hotel is breached and you told them you "made them PCI compliant," that's your problem now. The honest pitch — which is also the stronger one — is: "I give you the continuous logging, monitoring, file-integrity, and alerting that several PCI requirements demand, plus the audit evidence to prove it. I'm a major piece of your compliance — not the whole thing." That sentence sells, and it keeps you safe.

Why this makes hotels pay you every month

PCI isn't a one-time box-tick — it's continuous, and it needs evidence on an ongoing basis. That's a recurring deliverable you produce per hotel from their dashboard tenant (recall Lesson 7):

  Hotel tenant: that client's scoped dashboard (Lesson 7)
  Log review: monthly centralized review per Req 10
  FIM + alert reports: change-detection and incident summaries
  PCI evidence pack: reported by requirement number

Those monthly and quarterly evidence packs — log-review records, FIM reports, alert summaries, all filterable by PCI requirement — are a concrete, recurring reason a hotel keeps paying you. You're not selling software; you're selling the ongoing proof a hotel needs every time an assessor or acquiring bank asks.
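What "reported by requirement number" looks like in practice, for both the built-in PCI mapping described above and the monthly evidence pack, as an added example (not Wazuh's own reporting, which lives in its PCI DSS dashboard): it rolls a month of alerts.json lines up by top-level PCI DSS requirement using the `rule.pci_dss` array Wazuh writes into each alert. The alert lines are constructed samples in the shape of Wazuh output, the agent names are invented, and the rule ids and PCI tags are part of the constructed sample rather than quoted from the ruleset.

```python
"""Roll one month of Wazuh alerts.json lines up by PCI DSS requirement.

Added example, not Wazuh's own reporting. Relies on the `rule.pci_dss`
array present in Wazuh alert JSON. Sample lines, agent names, rule ids and
PCI tags below are constructed for the example."""

import json
from collections import Counter, defaultdict

# Constructed sample of /var/ossec/logs/alerts/alerts.json lines for one
# hotel tenant; only the fields the roll-up reads are populated. The last
# two entries exercise the edge cases: an alert with no PCI tag, and one
# that falls outside the reporting month.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"timestamp": "2025-03-03T10:15:22.123+0000",
     "rule": {"id": "5716", "level": 5, "description": "sshd: authentication failed.",
              "pci_dss": ["10.2.4", "10.2.5"]},
     "agent": {"id": "003", "name": "pms-01"}},
    {"timestamp": "2025-03-03T10:15:31.002+0000",
     "rule": {"id": "5716", "level": 5, "description": "sshd: authentication failed.",
              "pci_dss": ["10.2.4", "10.2.5"]},
     "agent": {"id": "003", "name": "pms-01"}},
    {"timestamp": "2025-03-03T10:15:40.001+0000",
     "rule": {"id": "5712", "level": 10, "description": "sshd: brute force trying to get access to the system.",
              "pci_dss": ["11.4"]},
     "agent": {"id": "003", "name": "pms-01"}},
    {"timestamp": "2025-03-09T02:01:07.450+0000",
     "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed.",
              "pci_dss": ["11.5"]},
     "agent": {"id": "005", "name": "pos-frontdesk"}},
    {"timestamp": "2025-03-15T08:00:00.000+0000",
     "rule": {"id": "1002", "level": 2, "description": "Unknown problem somewhere in the system."},
     "agent": {"id": "005", "name": "pos-frontdesk"}},
    {"timestamp": "2025-02-28T23:59:59.000+0000",
     "rule": {"id": "5716", "level": 5, "description": "sshd: authentication failed.",
              "pci_dss": ["10.2.4"]},
     "agent": {"id": "003", "name": "pms-01"}},
])


def parse_alerts(text):
    """Yield one dict per non-empty alerts.json line; a malformed line is
    skipped so one bad write does not abort the whole evidence run."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def in_month(alert, year, month):
    """True when the alert's ISO timestamp starts with YYYY-MM."""
    return alert.get("timestamp", "")[:7] == f"{year:04d}-{month:02d}"


def evidence_pack(text, year, month):
    """Return {requirement: {"alerts": n, "agents": [...], "rules": {id: n}}}
    keyed by top-level PCI DSS requirement ("10" for "10.2.4"). An alert tagged
    with several sub-requirements of the same requirement counts once there;
    alerts with no PCI tag go to an "unmapped" bucket so nothing is silently lost."""
    pack = defaultdict(lambda: {"alerts": 0, "agents": set(), "rules": Counter()})
    for alert in parse_alerts(text):
        if not in_month(alert, year, month):
            continue
        rule = alert.get("rule", {})
        buckets = {t.split(".")[0] for t in rule.get("pci_dss") or []} or {"unmapped"}
        for b in buckets:
            entry = pack[b]
            entry["alerts"] += 1
            entry["agents"].add(alert.get("agent", {}).get("name", "?"))
            entry["rules"][rule.get("id", "?")] += 1
    return {k: {"alerts": v["alerts"], "agents": sorted(v["agents"]),
                "rules": dict(v["rules"])} for k, v in pack.items()}


def render(pack):
    """Text lines for the evidence pack, numeric requirements first."""
    order = sorted(pack, key=lambda k: (0, int(k)) if k.isdigit() else (1, 0))
    lines = []
    for k in order:
        label = f"Requirement {k}" if k.isdigit() else "No PCI mapping"
        e = pack[k]
        lines.append(f"{label}: {e['alerts']} alerts on {', '.join(e['agents'])}; "
                     f"rules {e['rules']}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(evidence_pack(SAMPLE_ALERTS, 2025, 3))))
```

Against a real tenant you would read the month's archived alerts.json (or export the same fields from the indexer) and keep the rendered lines with the FIM and log-review records in the pack; the "unmapped" bucket is worth leaving visible, because an assessor who sees only tagged alerts will reasonably ask what else fired.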

Check yourself

Retrieval practice — answer from memory. Getting the scope claim right is the one that protects your business, so be sure of it.

Question 1 of 3

Which PCI DSS requirement is the logging-and-monitoring one — the heart of what a SIEM supports?

Requirement 10 — log and monitor all access to system components and cardholder data — is the core SIEM requirement: centralized collection, review, time-sync, and retention. It's the center of your value story.

Question 2 of 3

A hotel owner asks: "So Wazuh makes us PCI compliant, right?" What's the honest answer?

Wazuh helps satisfy logging, monitoring, FIM, and detection requirements and supplies audit evidence — a major piece. Full compliance also needs segmentation, encryption, policies, physical security, and a QSA/SAQ process. Overclaiming is a real liability.

Question 3 of 3

What's PCI's audit-log retention expectation that your indexer has to meet?

PCI expects audit logs retained for at least 12 months, with at least the most recent 3 months immediately available for analysis. That retention-plus-searchability is exactly what the Wazuh indexer gives you.

Primary source to read next
PCI SSC Document Library — download the actual PCI DSS v4.0.1 standard (free) and read Requirement 10 in full; everything you sell on logging traces back to that text. Start from the PCI Security Standards Council home if you need orientation first. Trust the standard, not summaries.
  [1] PCI Security Standards Council — the card-data authority.
  [2] PCI SSC Document Library — PCI DSS v4.0.1 and the SAQs.
  [3] Wazuh — Getting Started (regulatory-compliance / PCI DSS feature mention).

You just earned: why every card-taking hotel is in PCI scope, the current version (v4.0.1) and where to get the real standard, the specific requirements Wazuh helps satisfy (10, FIM, 5, 6, 8), the 12-month / 3-month retention rule, the built-in PCI mapping, the recurring evidence deliverable — and the honesty line that keeps "major piece of compliance" from becoming "compliance."

Up next (Lesson 10): theory done — time to do it for real. Onboard your first hotel: take the threat model and PCI value story from these two lessons and turn them into a live pilot client.

