PCI DSS 4.0: What Merchants Must Do to Stay Compliant | Vellis
© 2025 Vellis. All rights reserved. Read our Privacy Policy.
PCI DSS 4.0: What Merchants Must Do to Stay Compliant

The Payment Card Industry Data Security Standard (PCI DSS) exists to keep payment card data safe from breaches, fraud, and misuse. For merchants accepting card payments, staying compliant is essential for protecting customers, avoiding fines, and maintaining trust.

VELLIS NEWS

23 Sep 2025

By Vellis Team

The current major version, PCI DSS 4.0 (revised as v4.0.1 in June 2024 without adding requirements), brought significant updates that reflect the modern payment landscape. From cloud adoption to mobile wallets to IoT payments, merchants now operate in a world where payment data moves across countless platforms.

This article breaks down what PCI DSS 4.0 is, the changes it introduces, and what your business must do to stay compliant.

What Is PCI DSS 4.0?

PCI DSS 4.0 is the current major version of the industry standard that governs how merchants and service providers handle payment card data. The PCI Security Standards Council published it on 31 March 2022. PCI DSS 3.2.1 stayed valid alongside it until 31 March 2024, when it was retired, and the "future-dated" new requirements that were initially treated as best practice became mandatory on 31 March 2025. A limited revision, v4.0.1 (June 2024), corrected and clarified wording without introducing new requirements.

Any merchant, payment service provider, or organization that stores, processes, or transmits cardholder data must comply, and PCI DSS 4.0 applies regardless of business size. What does vary with size is how you validate: merchants with the highest transaction volumes (Level 1 under the card brands' programs) must have a Qualified Security Assessor produce a Report on Compliance, while smaller merchants usually complete a Self-Assessment Questionnaire (SAQ) matched to their payment channel. The controls themselves are the same in both cases.

The overarching goal is straightforward: strengthen payment security in today’s fast-changing digital ecosystem. With threats becoming more sophisticated and new payment technologies emerging, PCI DSS 4.0 ensures merchants keep up with both risks and opportunities.

Key PCI DSS 4.0 Changes

The jump from PCI DSS 3.2.1 to 4.0 isn't just cosmetic. It introduces structural and practical improvements; the PCI SSC's Summary of Changes from v3.2.1 to v4.0 (listed in the references) enumerates all of them. Here are the biggest PCI DSS 4.0 changes merchants need to know:

Customized, Risk-based Approach

Alongside the traditional "defined approach," PCI DSS 4.0 adds a "customized approach": an entity may meet a requirement's stated objective with controls of its own design, provided it documents them, performs a targeted risk analysis for them (requirement 12.3.2), and has a QSA validate that the objective is met. Separately, 4.0 lets entities set the frequency of certain periodic controls through a targeted risk analysis (12.3.1) instead of a fixed schedule. One caveat: the customized approach is only available to entities assessed by a QSA for a Report on Compliance; merchants validating with an SAQ must use the defined approach.

Expanded Multi-factor Authentication (MFA)

Under PCI DSS 3.2.1, MFA was required for non-console administrative access to the cardholder data environment (CDE) and for remote access into the network. Requirement 8.4.2 in 4.0 extends it to all access into the CDE, whatever the user's role (mandatory since 31 March 2025), while 8.4.3 keeps it for all remote network access originating from outside the entity's network. Requirement 8.5.1 also sets a bar for the MFA system itself: it must use at least two different factor types, must not be susceptible to replay attacks, must not be bypassable by any user (including administrators) except under a documented, time-limited exception, and must grant access only after every factor has succeeded.

Stronger Password Requirements

Requirement 8.3.6 raises the minimum password length from seven characters to 12 (or eight where a system cannot support 12), with both letters and digits required. Requirement 8.3.9 says a password that is the only authentication factor for user access must be changed at least every 90 days unless the account's security posture is analysed dynamically instead, and 8.6.3 requires system and application account passwords to be rotated at a frequency set by targeted risk analysis. This moves 4.0 closer to NIST SP 800-63B, which favours length over complexity rules, although NIST discourages forced periodic rotation while PCI DSS still requires it for single-factor passwords.

Encryption Improvements

For stored account data, requirement 3.5.1.1 now requires that any hash used to render a PAN unreadable be a keyed cryptographic hash (an HMAC or equivalent) over the entire PAN, with the key managed under requirements 3.6 and 3.7; a plain SHA-256 of the PAN no longer qualifies. Requirement 3.5.1.2 says disk- or partition-level encryption on its own only protects PAN on removable media; on non-removable storage another mechanism (field-level encryption, tokenization, truncation or keyed hashing) must also be applied. Requirement 3.4.1 limits what may be displayed to the BIN and the last four digits. In transit, 4.2.1 requires strong cryptography (current TLS; SSL and early TLS are not acceptable) with only trusted, valid certificates accepted, and 4.2.1.1 requires an inventory of those trusted keys and certificates.
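
To make the keyed-hash point concrete, here is an added Python example (not code from the standard, the PCI SSC or Vellis) that shows why an unkeyed SHA-256 of a PAN fails requirement 3.5.1.1 and what masking and keyed hashing look like in code. The sample PAN is the well-known Visa test number 4111 1111 1111 1111 (constructed input, not a real card), the key is generated locally for the demo, and the brute-force helper assumes the attacker already knows the first 12 digits so the search finishes instantly; with only a six-digit BIN known the space is about 10^9 candidates, which is still trivial for an unkeyed hash on commodity GPUs.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed sample: the Visa test PAN (not a real card).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check digit validation, as used on all major card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, bin_len: int = 6) -> str:
    """Display masking per 3.4.1: at most the BIN and the last four digits."""
    if not 1 <= bin_len <= 8:
        raise ValueError("4.0 permits at most an 8-digit BIN to be displayed")
    if len(pan) < bin_len + 4:
        raise ValueError("PAN too short to mask")
    return pan[:bin_len] + "*" * (len(pan) - bin_len - 4) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """What 3.5.1.1 no longer accepts: a plain hash of the PAN."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """3.5.1.1-style keyed hash of the entire PAN (HMAC-SHA256).
    The key must be managed under 3.6/3.7 and stored apart from the hashes."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def recover_from_unkeyed(digest: str, known_prefix: str, pan_len: int = 16):
    """Offline brute force of an unkeyed PAN hash.

    Enumerates every digit string that completes `known_prefix`, skips the
    nine in ten candidates that fail Luhn, and returns the PAN whose SHA-256
    matches. Work is 10 ** (pan_len - len(known_prefix)) hashes at most."""
    unknown = pan_len - len(known_prefix)
    for tail in itertools.product("0123456789", repeat=unknown):
        candidate = known_prefix + "".join(tail)
        if luhn_valid(candidate) and unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # demo only; a real deployment keeps this in an HSM/KMS
    print("masked   :", mask_pan(SAMPLE_PAN))
    print("keyed    :", keyed_hash(SAMPLE_PAN, key)[:16] + "...")
    # An attacker holding the unkeyed hash and the first 12 digits recovers the
    # PAN in at most ten thousand tries; the keyed hash gives them nothing
    # without the key.
    print("recovered:", recover_from_unkeyed(unkeyed_hash(SAMPLE_PAN), SAMPLE_PAN[:12]))
```

The keyed hash is only as strong as the secrecy of the key: if the key is stored next to the hashed PANs, the attacker is back in the unkeyed situation, which is why 3.5.1.1 ties the hash to the key-management requirements rather than to the hash algorithm alone.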

Support for Modern Environments

PCI DSS 4.0 is written to cover cloud, API-driven and containerised deployments, and it expects documented shared-responsibility agreements wherever a third party runs part of the environment (requirements 12.8 and 12.9). Two new requirements matter most to ecommerce merchants: 6.4.3 requires an inventory, written authorisation and an integrity check for every script loaded into the payment page in the consumer's browser, and 11.6.1 requires a change- and tamper-detection mechanism that alerts on unauthorised changes to the payment page's HTTP headers and content, run at least weekly or at a frequency set by targeted risk analysis. Both target client-side skimming, where the merchant's server is never breached but the shopper's browser is.

These changes acknowledge that the payment world is mobile, connected, and global.

PCI DSS 4.0 Requirements for Merchants

PCI DSS 4.0 retains the 12 foundational requirements but renames several of them to match how they are now applied and adds refinements to keep pace with new risks. Here is the list as it appears in 4.0:

  1. Install and maintain network security controls.
  2. Apply secure configurations to all system components.
  3. Protect stored account data.
  4. Protect cardholder data with strong cryptography during transmission over open, public networks.
  5. Protect all systems and networks from malicious software.
  6. Develop and maintain secure systems and software.
  7. Restrict access to system components and cardholder data by business need to know.
  8. Identify users and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  10. Log and monitor all access to system components and cardholder data.
  11. Test security of systems and networks regularly.
  12. Support information security with organizational policies and programs.

Merchants face additional PCI DSS 4.0 requirements around documenting policies, conducting continuous monitoring, and proving they actively manage risks, not just once a year but all the time.

Why Compliance Matters for Merchants

Complying with PCI DSS 4.0 isn’t just about ticking regulatory boxes. It delivers real-world benefits:

  • Protects customer data: Compliance reduces the risk of breaches that could expose cardholder information.
  • Avoids penalties: Non-compliance can result in heavy fines from card networks and acquirers.
  • Strengthens trust: Customers are more likely to shop with businesses they believe take data security seriously.
  • Supports partnerships: Banks and payment processors prefer working with merchants that meet compliance standards.

For merchants, compliance is a competitive advantage as much as a necessity.

Steps Merchants Must Take to Comply with PCI DSS 4.0

If you’re wondering how to get compliant, here’s a roadmap:

  1. Conduct a gap analysis: Compare your current security practices against PCI DSS 4.0 requirements to identify weak spots.
  2. Update policies and training: Make sure employees understand new rules, especially MFA and password updates.
  3. Upgrade technical systems: Implement encryption, logging, and authentication tools that meet the latest standards.
  4. Strengthen vendor oversight: Third-party providers, such as hosting platforms or payment gateways, must also comply.
  5. Test and monitor regularly: Quarterly internal vulnerability scans and quarterly external scans by an Approved Scanning Vendor (requirements 11.3.1 and 11.3.2), at least annual penetration testing (11.4), and ongoing log review are mandatory, in addition to the annual validation itself.
  6. Document everything: Keep detailed records of compliance efforts for assessors.

Think of it as shifting from a “one-and-done” checklist to an ongoing cycle of security practices.

Common Challenges in PCI DSS 4.0 Compliance

Of course, compliance isn’t without obstacles. Many merchants struggle with:

  • Complexity: Smaller merchants often lack in-house expertise to interpret the technical requirements.
  • Resource constraints: Budgets and staff shortages make implementing robust security controls challenging.
  • Third-party risks: Vendors that touch payment data can expose merchants if they’re not compliant.
  • Continuous monitoring: Merchants must shift from yearly audits to ongoing compliance, which demands time and tools.

Understanding these challenges is the first step in tackling them head-on.

Best Practices to Stay Compliant Long-Term

Long-term PCI DSS 4.0 compliance requires shifting your mindset from “project” to “practice.” Here are best practices:

Embrace Continuous Compliance

Instead of waiting for annual reviews, monitor daily.

Automate When Possible

Use security automation tools to handle monitoring, logging, and reporting.

Train Employees

Phishing and handling mistakes by staff are among the most common ways attackers reach payment systems. Security awareness training is itself a requirement (12.6, at least once every 12 months and on hire), and it measurably reduces those mistakes.

Work with a QSA (Qualified Security Assessor)

An experienced partner can simplify compliance and reduce stress. Only merchants whose acquirer requires a Report on Compliance (typically Level 1) must engage a QSA; smaller merchants usually self-assess with an SAQ, but a QSA or consultant can still help with scoping, which is where most self-assessments go wrong.

Merchants who embed compliance into everyday business practices will find it less overwhelming.

The Future of PCI Compliance

As payment technology continues to evolve, so will compliance requirements. Here’s what’s on the horizon:

  • Cloud-first compliance: With more businesses moving operations online, PCI DSS will keep expanding its cloud-focused guidance.
  • IoT and mobile payments: As smart devices become payment tools, requirements will expand to cover new risks.
  • Regulatory alignment: Expect PCI DSS to continue aligning with global privacy and data rules like GDPR.
  • Layered security: Relying on one tool or approach won’t cut it — future compliance will push for multiple layers of defense.

Merchants should also expect compliance to overlap with areas like fraud prevention and even sanctions screening in payments, creating a more integrated approach to financial security.

The path forward requires embracing a culture of security. Those who do will not only stay compliant but thrive in the evolving world of digital payments.

Frequently Asked Questions (FAQs)

What is PCI DSS 4.0?

PCI DSS 4.0 is the latest version of the Payment Card Industry Data Security Standard, designed to protect cardholder data and strengthen payment security.

What are the biggest PCI DSS 4.0 changes?

Key updates include expanded multi-factor authentication (MFA), stronger password rules, enhanced encryption standards, and greater flexibility to adapt to modern technologies like cloud and APIs.

Who must comply with PCI DSS 4.0 requirements?

All merchants, service providers, and organizations that store, process, or transmit payment card data must comply.

When does PCI DSS 4.0 take effect?

PCI DSS 4.0 was published in March 2022. PCI DSS 3.2.1 was retired on 31 March 2024, so every assessment since then is against 4.0 (or the v4.0.1 revision of June 2024), and the future-dated requirements that were initially best practice became mandatory on 31 March 2025. There is no further extension in the standard itself.

What happens if a merchant doesn’t comply?

Non-compliance can result in heavy fines, increased risk of data breaches, reputational damage, and strained relationships with banks and payment processors.

References

Payment Card Industry Security Standards Council. (2022, May). Summary of Changes from PCI DSS Version 3.2.1 to 4.0 (Revision 1, May 2022). PCI Security Standards Council. https://listings.pcisecuritystandards.org/documents/PCI-DSS-v3-2-1-to-v4-0-Summary-of-Changes-r1.pdf 

Checkout.com. (2024, March 5). PCI 4.0: What Do Merchants Need to Know? Checkout.com. https://www.checkout.com/blog/pci-dss-4-what-do-merchants-need-to-know 

Ground Labs. (2024, March 28). A Guide to PCI DSS Compliance for Merchants. Ground Labs. https://www.groundlabs.com/blog/pci-dss-v4-0-for-merchants/
