The final deadline for PCI DSS 4.0.1 compliance is 31 March 2025 – are you ready?


PCI DSS v4.0 was introduced in March 2024 and represented the first major update to the PCI DSS standard in over a decade. PCI DSS 4.0 included 64 new requirements designed to improve the security of payment card transactions, 51 of which were future-dated to give organizations time to comply. PCI DSS 4.0.1 followed in June 2024 with minor revisions that make certain requirements clearer. The final deadline for compliance with these future-dated requirements is 31 March 2025, which is now less than three months away. Meeting that deadline is essential if organizations are to remain compliant and avoid penalties.

You can access the full list of PCI DSS v4.0.1 requirements on the PCI Security Standards Council website. In this blog we highlight some of the more complex requirements that we know people have struggled with, or that will require more time and effort to implement.

Organizations must implement multi-factor authentication for access to any aspect of the cardholder data environment

Prior to March 2025 this had been categorised as best practice, but from 31 March 2025 onwards it will be a requirement for all organizations storing any data that is covered by the requirements of PCI DSS.

Organizations using secure payment solutions such as CardEasy will not need to worry about this, because they will not be storing any cardholder data in-house at all. If you don’t store the data, then no one can access it. However, if you are still storing cardholder data, or otherwise letting it enter your network or contact center environment, then this requirement will definitely apply to you.

The reason this particular update is potentially challenging is that it cannot be addressed simply by making a policy change or by updating some aspect of your documentation. Technical implementation work is required, as well as a change in working process for anyone who currently accesses any of the cardholder data, so it will take time to ‘bed in’: you need to work out what the new process is going to be and do the internal comms work required to get everyone using it.

Payment page script security

The new regulations require organizations to be able to guarantee the authorization and authenticity of every third-party script that runs on their checkout page. This then needs to be documented with an inventory and rationale for each of the scripts. There also needs to be a process in place to ensure that the organization’s security team is alerted should an unauthorized script be loaded into the checkout flow at some point.

The aim of this update is to protect organizations against attackers using techniques such as formjacking, web skimming or e-skimming to capture sensitive card data that customers enter on legitimate payment pages. There are two main ways to address this. One is to remove all third-party scripts from your payment pages unless they are directly related to the process of taking payments, in which case each must be clearly documented together with a justification for its presence. The other is to have your payment and checkout pages hosted by a third party such as a Payment Service Provider (PSP), so that customers are redirected to that third-party page at the point at which they enter their card details. This achieves the objective but potentially offers a substandard customer experience.

Changes to the self-assessment questionnaire and report on compliance

If you’re currently completing an SAQ and RoC then you need to be aware of some changes to the templates. In particular, there’s a new expectation that if you make any changes to your environment, such as installing a new firewall, then these must be accompanied by a risk assessment. While formal risk assessments might not seem as significant compared to some of the other future-dated requirements in the standard, they can add extra effort and cost to the process.

Again, organizations that use CardEasy’s secure payment solutions don’t need to worry about this at all, because CardEasy de-scopes them completely from PCI DSS.

The best way to secure cardholder data is not to hold any cardholder data

PCI compliance is an ongoing process, and an expensive and time-consuming one at that. If you’re holding cardholder data anywhere in your network or contact center environment, then you will need to be eternally vigilant, both to ensure that data is secure and to ensure that you remain compliant with the requirements of PCI DSS. Since solutions like CardEasy became available in 2011, consumers have become increasingly aware of organizations that handle payments insecurely, for example by asking customers to read out payment card data over the phone. Many consumers now prefer to engage with organizations that provide secure payment options on their preferred channels, whether via phone, email, live chat, or SMS. That’s why both the PCI Security Standards Council and most QSAs recommend de-scoping entirely as the safest and most effective option.

Talk to us today about how CardEasy’s secure payment solution can help you de-scope from PCI DSS entirely.