A Guide to PCI DSS V4.0 for Merchants

In today’s digital age, where every click can turn into a purchase, keeping sensitive payment data safe is more important than ever. As a merchant, you might already be acquainted with PCI DSS (Payment Card Industry Data Security Standard), a vital framework for payment processing security. While many businesses adhere to PCI DSS V3.2.1, introduced back in May 2018, the landscape of technologies is continually evolving such as cloud and serverless computing, making securing payment data more challenging than ever. This is where PCI DSS V4.0 steps in.

Released by the PCI Security Standards Council on 31 March 2022, PCI DSS V4.0 offers essential updates to help businesses like yours stay ahead in the game of payment security. These updates are not just about keeping up with the latest trends, they’re about ensuring your business can thrive securely in an ever-changing digital environment.

Compliance with the new standards will be mandatory by 31 March 2025. If you haven’t started implementing these changes yet, there’s no need to panic! You still have time, and we’re here to support you every step of the way. Let’s explore these changes together and ensure your business stays secure and ahead of the curve.

What is PCI DSS 4.0? 

PCI DSS 4.0 is the latest update to the Payment Card Industry Data Security Standard, designed to improve payment card security. This version addresses evolving threats, introduces more flexibility, and promotes continuous security, ensuring you stay ahead of cybercriminals and safeguard the trust your customers place in you.

The key updates you need to know about

Enhanced Security Measures:

• Stricter Multi-Factor Authentication (MFA): MFA is now mandatory for all access to the cardholder data environment (CDE), ensuring that only authorised personnel can access sensitive information.
• Updated Password Requirements: Passwords must meet more stringent criteria, including longer lengths and greater complexity to prevent unauthorised access​. We recommend updating your password every three months. 
• New E-Commerce and Phishing Protections: Enhanced security measures for e-commerce transactions and protections against phishing attacks are now required, addressing the increasing threats in online payment environments.

Continuous Security Processes:

• Defined Roles and Responsibilities: Each security requirement now includes clearly defined roles and responsibilities, ensuring accountability and clarity in maintaining security measures​.
• Improved Guidance: Detailed guidance for implementing and maintaining security controls has been provided, helping organisations better understand and execute the requirements​.
• New Reporting Options: More comprehensive reporting options are now available, allowing organisations to better demonstrate their compliance and security posture​.

Increased Flexibility:

• Customisable Security Approaches: PCI DSS 4.0 supports various methods to achieve security objectives, giving organisations the flexibility to choose the most effective solutions for their unique environments​.
• Risk-Based Decision Making: Organisations can now perform targeted risk analyses to determine the frequency of certain security activities, allowing for a more tailored approach to maintaining security​.

Improved Verification and Reporting:

• Detailed Verification Methods: Enhanced verification methods ensure that organisations accurately and thoroughly assess their compliance with the PCI DSS requirements​.
• Alignment of Reports: Compliance Reports and Self-Assessment Questionnaires are now better aligned with Attestations of Compliance, streamlining the reporting process and improving clarity.

Focus on Cloud and Service Providers:

• Expanded Scope: The updated standard includes specific requirements for cloud services and third-party providers, ensuring that all aspects of data storage and processing are secure​.
• Enhanced Controls: Additional controls have been introduced for data protection and risk management in cloud environments, reflecting the growing reliance on cloud services​.

New Customised Approach:

• Flexible Compliance Solutions: The Customised Approach allows organisations to tailor their security measures to their specific needs, as long as they meet the overall security objectives of the PCI DSS. This approach provides greater flexibility while maintaining robust security standards

It is worth noting that these are just a few highlights of the changes to PCI DSS 4.0 and we would highly recommend reading up on the full list of updates and frameworks by visiting PCI SCC’s Document Library. 

What does this mean for you?

The new PCI DSS V4.0 standards bring some important changes for merchants. You’ll need to step up your security game with measures like MFA for all access to the CDE and stronger password policies, which will boost your overall security. There’s also more flexibility now, so you can use customised security solutions that fit your specific needs, potentially saving you money and improving efficiency.

Keeping up with continuous monitoring and automated testing means you’ll need to stay vigilant to ensure your security measures are always effective. If you’re using cloud and serverless technologies, you’ll need to follow the updated guidelines to keep those environments secure. Plus, better documentation and a risk-based approach will help you understand your security posture and prioritise your actions based on the biggest risks. We’re here to support you through these changes and ensure your business stays secure.

How does Truevo validate PCI compliance?

We understand achieving and maintaining PCI compliance can be challenging and resource-intensive. At Truevo, we are dedicated to simplifying this process. We are fully PCI DSS 4.0 compliant, adhering to the most rigorous standards of reporting and security. This commitment ensures that you and your customers can rest easy knowing your card data is protected at the highest level. 

By partnering with Truevo,  you can process payments securely and seamlessly in over 150 currencies along with facilitating payouts in more than 80 countries worldwide, all while ensuring full PCI compliance. Our comprehensive solutions include customised hosted payment pages, hosted fields with express buttons, and tokenizing your payment data for all payment journeys, whether one-time or subscriptions. This provides you with full control and maximum security. 

Remember, compliance isn’t a one-time sprint, it’s a marathon of continuous improvement. Invest in ongoing security training for your team, and foster a culture where security isn’t just a checkbox. If you need any further advice or support, our support team are here to help.