
PCI DSS 4.0: What You Should Know

What Is PCI DSS 4.0?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements designed to safeguard cardholder data and secure payment transactions. It applies to every entity that stores, processes, or transmits cardholder data, or that could affect the security of the environment where that happens; it is not limited to online merchants, although online merchants are the focus of this article. Compliance is a contractual obligation under your merchant agreement with your acquirer rather than a government regulation, and it is also a crucial step in building trust with customers and avoiding costly data breaches.

There are many facets of compliance involving your payment processor, your eCommerce technology, and the card brands themselves. While the scale of your business determines how you must validate compliance, every online business needs to understand how to meet its obligations.

With the release of PCI DSS version 4.0, businesses must adapt to new and enhanced security measures to stay compliant. This updated standard aims to address emerging security threats and technological advancements while also providing greater flexibility in achieving compliance. This article will guide you through the key changes in PCI DSS 4.0, focusing on practical steps for achieving compliance, especially for those businesses in the SMB space.

Understanding PCI DSS Levels

The card brands' compliance programs classify merchants into levels based on annual transaction volume. Each brand (American Express, Visa, Mastercard, Discover, JCB) sets its own criteria for these levels; the security requirements are the same at every level, but the validation and reporting obligations increase as transaction volume grows.

Key Players In PCI DSS Compliance

In a typical eCommerce website's PCI DSS compliance, several entities play crucial roles. Depending on how payments are integrated, the merchant's own share of the work can be quite small compared with that of the other players, but it never disappears. Here is a breakdown of the key players involved:

  • Card Brands and Issuers: The card brands (Visa, Mastercard, American Express, Discover, JCB) founded the PCI Security Standards Council, which publishes PCI DSS, and each brand runs its own compliance program that defines merchant levels and validation requirements. Issuers are the banks that actually issue cards to consumers and authorize transactions; American Express and Discover issue their own cards, while Visa and Mastercard cards are issued by member banks.
  • Acquirer / Payment Processor: The acquirer is the merchant's bank for card acceptance and is accountable to the card brands for its merchants' PCI DSS compliance. It, or a processor acting on its behalf, routes transactions between the merchant and the issuer, and it is normally the party that tells you which SAQ to complete and when to submit it. Examples include: First Data (now Fiserv), Worldpay, Square, Stripe (the last two act as payment facilitators, aggregating smaller merchants under their own acquiring relationship).
  • eCommerce Platform Provider: These companies provide the technology and infrastructure for online stores and must keep their platforms secure and compliant with PCI DSS. Because some platforms can be customized and extended well beyond their original design (WooCommerce and Magento in particular), the platform vendor's compliance does not cover the themes, plugins, and custom code you add; those are your responsibility. Examples include: Shopify, Magento, WooCommerce, BigCommerce.
  • Payment Gateway: Payment gateways are technology providers that facilitate the transfer of transaction data between the eCommerce site and the payment processor, encrypting it in transit. How the gateway is integrated largely decides your PCI DSS scope: a hosted payment page or an iframe served entirely by a validated gateway keeps card data off your site and typically qualifies you for the shortest questionnaire (SAQ A); a JavaScript or direct-post integration where your page controls how card data reaches the gateway moves you to SAQ A-EP; and handling card numbers on your own servers puts you in SAQ D. Some providers fill more than one role (Stripe, for instance, is both gateway and payment facilitator). Examples include: PayPal, Authorize.Net, Stripe.
  • Web Hosting Provider: Hosting providers run the servers that host the eCommerce website and its data. Their compliance attestation covers the infrastructure they operate; under the shared-responsibility model, the configuration of your servers, application, and access controls on top of it remains yours. Ask the provider for its Attestation of Compliance (AOC) and check which services it actually covers. Examples include: Amazon Web Services (AWS), Bluehost, GoDaddy.
  • Third-Party Service Providers: Any other service providers or eCommerce extensions that handle, process, or store cardholder data on behalf of the merchant, or that can affect the security of the cardholder data environment. They must also comply with PCI DSS, and requirement 12.8 requires you to keep a list of them, hold written agreements with them, and confirm their compliance status at least once every 12 months. Examples include: ERP, financial, or CRM systems, marketing automation tools, and logistics partners that integrate with the eCommerce platform.
  • Internal IT and Security Teams: The merchant's own IT and security teams implement and maintain PCI DSS compliance day to day: managing in-scope systems, running the required scans and reviews, and keeping the evidence that an acquirer or assessor will ask for.

All these entities must work together to ensure that the entire payment ecosystem is secure and compliant with PCI DSS standards.

Volume-Based Classification

While each card brand has its own classifications, here we present those used by American Express to give a general idea of where your business might fall. For reference, these details come from the American Express Data Security Operating Policy (DSOP).

  • Level 1 Merchant – 2.5 million American Express Card Transactions or more per year; or any Merchant that American Express otherwise, in its discretion, assigns a Level 1.
  • Level 2 Merchant – 50,000 to 2.5 million American Express Card Transactions per year.
  • Level 3 Merchant – 10,000 to 50,000 American Express Card Transactions per year.
  • Level 4 Merchant – Less than 10,000 American Express Card Transactions per year.

As transaction volumes increase, so does the scrutiny. The security controls in PCI DSS are the same for every merchant; what escalates with level is how compliance must be validated. Level 1 merchants undergo an annual on-site assessment by a Qualified Security Assessor (or, where the brand allows it, a trained Internal Security Assessor) that produces a Report on Compliance, while lower levels typically self-assess with a Self-Assessment Questionnaire and quarterly ASV scans. This tiered approach matches validation effort to the risk that the volume of transactions represents.

By understanding these levels and their corresponding validation requirements, your business can prepare in advance and meet all necessary criteria to protect your customers' payment information.

Key Changes in PCI DSS 4.0

PCI DSS 4.0 introduces several key changes designed to enhance security and provide more flexibility for businesses in achieving compliance. These changes are crucial for maintaining a robust security posture in an evolving threat landscape.

New PCI DSS Security Requirements

While many of these requirements fall on your payment provider, merchants should obtain written evidence of that provider's compliance (its Attestation of Compliance) and make sure their own in-scope systems meet the same bar.

  • Multi-Factor Authentication (MFA) for All Access Into the CDE: Under v3.2.1, MFA was required for non-console administrative access and for all remote network access originating from outside the entity's network. PCI DSS 4.0 (requirement 8.4.2, future-dated to March 31, 2025) extends MFA to every access into the cardholder data environment, whether by administrators, ordinary users, or third-party providers; the only exception is application or system accounts performing automated functions. Requirement 8.5.1 also specifies how MFA must behave: it must not be susceptible to replay, it cannot be bypassed except under a documented, time-limited management exception, it must use at least two different factor types, and access is granted only after all factors succeed.
  • Stronger Cryptography and Key Management: PCI DSS 4.0 tightens how stored and transmitted account data is protected. Disk- or partition-level encryption alone no longer counts as rendering PAN unreadable on non-removable media (3.5.1.2); hashes used to protect PAN must be keyed cryptographic hashes of the entire PAN, with proper key management (3.5.1.1); and entities must keep an inventory of the cipher suites and protocols in use and review it at least once every 12 months so that weak algorithms are retired (12.3.3). Most of these are future-dated to March 31, 2025, but they define what your providers and your own systems will be measured against. In practice: SSL and early TLS do not qualify as strong cryptography, a plain SHA-256 of a card number is not an acceptable "token", and every key needs a documented owner and lifecycle.
  • Enhanced Testing Requirements: PCI DSS 4.0 introduces more rigorous testing protocols for security systems and networks. These enhancements include:
  • Penetration Testing: Testing (11.4) remains annual and after significant changes, now against a documented methodology that covers the full CDE perimeter and critical systems, with segmentation controls retested whenever they change.
  • Vulnerability Scanning: External scans by an Approved Scanning Vendor continue at least once every three months; internal scans must now be authenticated scans (11.3.1.2), and vulnerabilities below high/critical severity must still be remediated on a schedule set by a targeted risk analysis (11.3.1.1) rather than left open indefinitely.
  • Payment Page Script Integrity: Two new requirements target the skimming attacks that have hit online stores. Requirement 6.4.3 requires an inventory of every script that loads in the consumer's browser on a payment page, a written justification for each, and a method (such as Subresource Integrity or a Content Security Policy) that ensures each script is authorized and unaltered. Requirement 11.6.1 requires a change- and tamper-detection mechanism that alerts when the HTTP headers or content of a payment page change, run at least once every seven days or at a frequency set by a targeted risk analysis. Both are future-dated to March 31, 2025.
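Why PCI DSS 4.0 insists on keyed hashes (3.5.1.1) is easiest to see by attacking the alternative. A card number has almost no entropy once the attacker holds a truncated PAN from a receipt or a log (the first 8 and last 4 digits, the widest truncation 4.0 permits), so an unkeyed hash of it can be reversed by guessing the few hidden digits; an HMAC under a properly managed key cannot be attacked the same way without that key. The script below is an added example written for this article, not code from the page or any vendor; the PAN is the well-known Visa test number, the truncated format and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import itertools
from typing import Callable, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check used by payment card numbers: double every second digit from
    the right, subtract 9 from doubled values above 9, and require the sum to
    be a multiple of 10. Only Luhn-valid strings can be real PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN. Under v4.0 this alone no longer renders PAN
    unreadable (3.5.1.1); recover_pan() below shows why."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN under a secret key, i.e. a keyed cryptographic hash.
    Without the key an attacker cannot test candidate PANs against the digest."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(target: str, masked_pan: str, hash_fn: Callable[[str], str]) -> Optional[str]:
    """Try to reconstruct a full PAN from its hash plus a truncated PAN, where '*'
    marks hidden digits (e.g. '41111111****1111', first 8 / last 4). Only
    Luhn-valid candidates are hashed. Returns the PAN or None if no candidate matches."""
    first, last = masked_pan.index("*"), masked_pan.rindex("*")
    prefix, suffix = masked_pan[:first], masked_pan[last + 1:]
    for digits in itertools.product("0123456789", repeat=last - first + 1):
        candidate = prefix + "".join(digits) + suffix
        if luhn_valid(candidate) and hash_fn(candidate) == target:
            return candidate
    return None


def demo() -> dict:
    """Constructed scenario: the attacker has a leaked hash column plus the truncated
    PAN printed on a receipt. Returns what each hashing scheme gives away."""
    pan = "4111111111111111"      # standard Visa test number, not a real card
    masked = "41111111****1111"   # 4 hidden digits: 10,000 candidates, about 1,000 Luhn-valid
    key = b"\x13" * 32            # HMAC key; in production it lives in an HSM/KMS under 3.6 and 3.7

    leaked_sha256 = unkeyed_hash(pan)
    leaked_hmac = keyed_hash(pan, key)
    return {
        "from_sha256": recover_pan(leaked_sha256, masked, unkeyed_hash),
        "from_hmac_without_key": recover_pan(leaked_hmac, masked, lambda p: keyed_hash(p, b"\x00" * 32)),
        "from_hmac_with_key": recover_pan(leaked_hmac, masked, lambda p: keyed_hash(p, key)),
    }


if __name__ == "__main__":
    for scheme, result in demo().items():
        print(f"{scheme}: {result}")
```

The unkeyed hash gives the full PAN back in a fraction of a second; the HMAC yields nothing without the key and everything with it, which is exactly why 3.5.1.1 ties the keyed hash to the key-management requirements rather than to the algorithm alone. Even a six-digit BIN with no last-four known is only 10^10 guesses, well within reach of a GPU, so hashing alone is never a substitute for a key.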

Flexible Implementation Options

To accommodate the diverse range of businesses and their unique security environments, PCI DSS 4.0 provides greater flexibility in how compliance objectives are achieved. Alongside the traditional defined approach, a customized approach lets an organization meet a requirement's stated objective with controls of its own design, provided it documents a targeted risk analysis and a controls matrix and a QSA tests that the controls are as effective as the prescribed ones. The customized approach is only available in a full assessment with a Report on Compliance; merchants validating with an SAQ use the defined approach.

As described above, your transaction volume defines how you must validate compliance; the requirements themselves apply at every level. Whatever your classification, it is your responsibility to work with your selected technology and service providers to validate compliance end to end.

Increased Focus on Continuous Compliance

PCI DSS 4.0 states explicitly that security is a continuous process rather than a once-a-year validation exercise. Vague "periodic" frequencies have been replaced by defined intervals or by a targeted risk analysis that the entity must document (12.3.1), scope must be confirmed at least once every 12 months and after significant changes (12.5.2), and the standard expects controls to be monitored so that failures are detected and fixed between assessments. Continuous compliance in practice includes regular security assessments, monitoring and alerting, and automated tooling that tracks and reports compliance status.
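Requirements 6.4.3 (authorized-script inventory) and 11.6.1 (change- and tamper-detection on payment pages, at least weekly) are the clearest case of "automated, continuous" control in 4.0 for an online store. The script below is an added example written for this article, not the page's own code or any product: it parses a payment page, compares every script against an authorized inventory, verifies that external scripts carry the expected Subresource Integrity digest, and checks that the content each script currently serves still matches its approved digest. All URLs, script bodies, and the inventory are constructed; in production `CURRENT_CONTENT` would be fetched over HTTPS from outside your network.

```python
import base64
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Optional


def sri_hash(content: bytes) -> str:
    """Subresource Integrity digest as a browser checks it: 'sha384-' + base64(SHA-384)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


class ScriptCollector(HTMLParser):
    """Record every <script> on the page: src and integrity attributes, plus inline bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[dict] = []
        self._open: Optional[dict] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            a = dict(attrs)
            self._open = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data: str) -> None:
        if self._open is not None:
            self._open["body"] += data

    def handle_endtag(self, tag: str) -> None:
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def extract_scripts(html: str) -> List[dict]:
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


# Constructed 6.4.3 inventory: each authorized script, why it is there, and the digest of its approved content.
APPROVED_CONTENT = {
    "https://cdn.example.com/checkout.js": b"window.Checkout={tokenize:function(f){/* sends PAN to gateway */}};\n",
    "https://analytics.example.net/tag.js": b"window.track=function(e){/* page views only */};\n",
}
AUTHORIZED_EXTERNAL = {
    src: {"justification": why, "hash": sri_hash(APPROVED_CONTENT[src])}
    for src, why in [
        ("https://cdn.example.com/checkout.js", "payment form rendering and tokenization"),
        ("https://analytics.example.net/tag.js", "analytics, approved by security review"),
    ]
}
AUTHORIZED_INLINE = {sri_hash(b"window.dataLayer = [];")}

# Constructed snapshot of what each script serves today: tag.js has been modified, chat.js is new.
CURRENT_CONTENT = {
    "https://cdn.example.com/checkout.js": APPROVED_CONTENT["https://cdn.example.com/checkout.js"],
    "https://analytics.example.net/tag.js": APPROVED_CONTENT["https://analytics.example.net/tag.js"]
    + b"document.forms[0].addEventListener('submit',function(){/* unreviewed addition */});\n",
    "https://widgets.example.org/chat.js": b"/* chat widget added without review */\n",
}

# Constructed payment page as fetched during the weekly 11.6.1 check.
CHECKOUT_SRI = AUTHORIZED_EXTERNAL["https://cdn.example.com/checkout.js"]["hash"]
PAYMENT_PAGE_HTML = f"""<!doctype html>
<html><head>
<script src="https://cdn.example.com/checkout.js" integrity="{CHECKOUT_SRI}" crossorigin="anonymous"></script>
<script src="https://analytics.example.net/tag.js"></script>
<script src="https://widgets.example.org/chat.js"></script>
<script>window.dataLayer = [];</script>
<script>window.promo = "SPRING";</script>
</head><body><form id="payment"><input name="pan"></form></body></html>
"""


def check_payment_page(html: str, fetched: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the scripts on a payment page with the authorized inventory. `fetched` maps
    each external src to the bytes it currently serves. Returns the findings an alert carries."""
    report: Dict[str, List[str]] = {"ok": [], "unauthorized": [], "tampered": [], "missing_integrity": []}
    for s in extract_scripts(html):
        if s["src"] is None:  # inline script: known only by the hash of its body
            bucket = "ok" if sri_hash(s["body"].encode()) in AUTHORIZED_INLINE else "unauthorized"
            report[bucket].append("inline:" + s["body"].strip())
            continue
        entry = AUTHORIZED_EXTERNAL.get(s["src"])
        if entry is None:  # not in the inventory at all
            report["unauthorized"].append(s["src"])
            continue
        if s["integrity"] != entry["hash"]:  # browser cannot enforce the approved digest
            report["missing_integrity"].append(s["src"])
        if sri_hash(fetched.get(s["src"], b"")) != entry["hash"]:  # served content changed
            report["tampered"].append(s["src"])
        else:
            report["ok"].append(s["src"])
    return report


if __name__ == "__main__":
    for finding, items in check_payment_page(PAYMENT_PAGE_HTML, CURRENT_CONTENT).items():
        print(f"{finding}: {items}")
```

Run weekly (or at the frequency your targeted risk analysis sets), store the page and response headers with each snapshot so header changes are caught as 11.6.1 also requires, and treat any "tampered" or "unauthorized" entry as an incident. Adding `integrity` to every external script makes the browser refuse altered content outright, and a Content Security Policy with hashes or nonces does the same job for inline scripts; the inventory then doubles as your 6.4.3 evidence.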

Impact on Level 3 and 4 Merchants

For Level 3 and 4 merchants (Visa and Mastercard define Level 3 as 20,000 to 1 million eCommerce transactions a year and Level 4 as fewer than 20,000 eCommerce transactions; the American Express thresholds quoted above are lower), the updates in PCI DSS 4.0 bring several specific implications and requirements.

Specific Requirements for SMB Merchants

For the purposes of this article, we consider small to mid-sized (SMB) merchants to fall into the Level 3 and 4 classifications (using the Amex criteria as a reference point, businesses with no more than 50,000 American Express transactions in a given year). While the card brand or acquirer may or may not require SMBs to submit assessment and reporting paperwork, the obligation to comply, and the liability for failing to, remains. As the American Express DSOP explains:

Important Note: For the avoidance of doubt, Level 3 and Level 4 Merchants need not submit Validation Documentation unless required in American Express’ discretion, but nevertheless must comply with, and are subject to liability under all other provisions of this Data Security Operating Policy. 

For this reason, it remains important to understand the recommended steps for validating compliance even when nobody is asking you to submit the paperwork.

Self-Assessment Questionnaires (SAQs)

An annual Self-Assessment Questionnaire (SAQ) lets a business assess its compliance with PCI DSS without a full on-site audit. Which SAQ you complete depends on how card data flows through your business, not on your level: SAQ A for merchants that fully outsource card data handling to validated providers (hosted payment page or iframe), SAQ A-EP when your own website controls how card data is redirected to the gateway, and SAQ D when card data touches your systems. PCI DSS 4.0 updated every SAQ to the new requirements, and each is completed together with an Attestation of Compliance (AOC).

Quarterly Network Scans

External network scans by an Approved Scanning Vendor (ASV), required at least once every three months (11.3.2), identify internet-facing vulnerabilities that could be exploited by attackers. Any finding with a CVSS score of 4.0 or higher fails the scan, so you must remediate and rescan until you hold a passing report for each quarter. PCI DSS 4.0 also expects internal vulnerability scans at the same frequency, run as authenticated scans (11.3.1, 11.3.1.2); these do not need an ASV but do need to be documented.

Annual Compliance Validation

Whether your acquirer requires you to submit the SAQ and AOC each year varies (many do, even for Level 4 merchants), and specific industries or contracts may require it regardless of level. Either way, annual validation against PCI DSS 4.0 means completing the relevant SAQ, holding four passing quarterly ASV scans, and retaining thorough documentation of your compliance efforts for the year.

By understanding and implementing these changes, Level 3 and 4 merchants can better protect their customers' cardholder data, enhance their security posture, and ensure compliance with the latest PCI DSS requirements. This proactive approach not only helps in avoiding penalties but also builds trust with customers, ultimately contributing to the business's success.

PCI DSS 4.0 Timelines and Deadlines

Transitioning to PCI DSS 4.0 involves understanding and adhering to several key dates and deadlines. This section outlines important milestones and suggests a phased implementation approach to help businesses ensure timely compliance.

PCI DSS version 4.0 was published on March 31, 2022. To allow organizations sufficient time to transition from PCI DSS version 3.2.1 to 4.0, the Payment Card Industry Security Standards Council (PCI SSC) provided a transition period.

PCI DSS version 3.2.1 was retired on March 31, 2024. As of this writing, all organizations must comply with PCI DSS 4.x. A limited revision, version 4.0.1, was published in June 2024 and replaces 4.0 as the only active version from January 1, 2025; it clarifies wording and guidance, adds no new requirements, and keeps the same effective dates.

That being said, 51 of the 64 new requirements introduced in PCI DSS 4.0 are considered best practices rather than requirements until March 31, 2025 (the MFA, keyed-hash, authenticated-scan, and payment-page-script requirements discussed above are among them). After this date they become mandatory. This phased approach allows businesses to implement the new controls gradually while continuing to meet their current compliance obligations.

PCI DSS Consultants

For businesses seeking expert guidance in the area of PCI DSS, there are a number of specialized firms or individuals that can help identify the PCI DSS requirements relevant to your business and provide services to ensure they are adequately met. Services typically include scoping and risk assessments, gap assessments and audits, ASV scanning, and security policy development. The PCI SSC website maintains the authoritative lists of Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs); confirm that any firm you engage for assessment or scanning appears on them. Without endorsement of any particular company, here are a few we are aware of: Trustwave, ControlScan, SecurityMetrics.
