Data Privacy and Cybersecurity in 2025: PCI DSS 4.0 - McDermott Will & Emery

Data Privacy and Cybersecurity in 2025: PCI DSS 4.0

Overview

Following our recent client alert, learn more about PCI DSS 4.0 coming into effect and its impact on organizations in 2025. Mark Schreiber, Brian Long, and Sam Genovese share further insights from working with clients on these issues.

In Depth

What is PCI DSS and to whom does it apply?

Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of security requirements that apply to the processing of credit and debit cards. It applies to all merchants and third-party service providers (TPSPs) who use e-commerce for online credit or debit card payments, call centers taking card payments, in-store payments with swipe machines, or any other form of card processing. Even TPSPs that can merely affect the security of card processing are required to comply with PCI DSS.

What are the new PCI DSS 4.0 obligations that are effective March 31, 2025?

The deadline for full implementation of the heightened compliance obligations under PCI DSS 4.0 is March 31, 2025. The transition to the new PCI DSS 4.0 controls requires new policies, processes, and technology solutions for card transactions.

PCI DSS 4.0 introduces significant changes, including longer and more detailed self-assessment questionnaire (SAQ) forms. One major difference is the increased focus on targeted risk analysis and organizational maturity. Additionally, the new version introduces a customized approach to PCI assessments, allowing businesses to implement alternative technical and administrative controls under that customized approach rather than following the defined controls verbatim.

To prepare for the transition, companies should conduct a thorough gap analysis to identify areas where their current practices diverge from the new 4.0 requirements to avoid fines, penalties, and assessments. They will also need to update their security policies, implement necessary technical changes to meet the enhanced security standards, and train staff on new procedures.

What are common misconceptions about PCI DSS 4.0 compliance?

Some merchants mistakenly believe that if they outsource card functions to a third-party payment platform and don’t store card numbers, they are exempt from PCI DSS obligations. This is incorrect. These merchants must still complete an annual PCI SAQ and document an Attestation of Compliance (AOC).

Another common misconception is that PCI DSS 4.0 is solely a technology standard or should only be handled by the information technology (IT) department. This is not true. It addresses a variety of risks associated with people, processes, and technology. PCI DSS 4.0 often requires a team approach involving several departments to address different aspects, including legal, compliance, procurement, vendor management, and IT or IT security.

What are examples of key changes in PCI DSS 4.0?

The following are examples of new PCI DSS 4.0 requirements that are mandatory by March 31, 2025:

  1. Defining PCI DSS Scope: This must be done annually for merchants (or every six months for TPSPs) and involves documenting roles and responsibilities across multiple controls.
  2. Payment Page Scripts: Implement controls for all payment page scripts executed in consumers’ browsers.
  3. Automated Technical Solutions: Required for public-facing web applications to continually detect and prevent web-based attacks.
  4. Monitoring and Response: Enhanced obligations for monitoring and obtaining documents from TPSPs.
  5. Targeted Risk Analyses: Required for several controls, necessitating granular risk assessments.
  6. Enhanced Encryption Requirements: Necessary when using whole-disk encryption to protect card numbers.

What impact does PCI DSS 4.0 have on third-party vendors and service providers?

As the March 31, 2025, deadline for PCI DSS 4.0 compliance approaches, there is greater emphasis on the security of third-party vendors and service providers. Companies must ensure, and continue to monitor, that their partners comply with the new standards. This includes conducting thorough due diligence, requiring contractual commitments to compliance, obtaining third-party AOCs, and regularly assessing third-party security practices. To ensure compliance, companies should establish or obtain a responsibility matrix of services from each vendor that identifies what the vendor and the merchant are each responsible for in the covered services.