The Payment Card Industry Data Security Standard (PCI DSS) has long been a cornerstone of payment security, ensuring that organisations handling cardholder data protect it against the ever-evolving threat landscape.
By Simeon Tassev, MD and qualified security assessor at Galix
The latest iteration, PCI DSS v4.0.1, introduces 64 new requirements, with 51 becoming mandatory from April 2025.
For merchants and Third-Party Service Providers (TPSPs), this deadline marks a pivotal moment to adapt security practices, meet compliance standards, and enhance overall cyber resilience. Adequate preparation is key ahead of this deadline to ensure organisations remain compliant and secure and can meet the more stringent requirements that v4.0.1 introduces.
Stricter and more complex requirements
The PCI DSS standard is constantly evolving to address new and emerging threats, growing stricter and more complex over time. The transition to v4.0.1 illustrates this evolution. These changes aim to protect cardholder data and secure environments by introducing advanced controls to keep pace with a more sophisticated threat landscape.
One key update is the requirement for authenticated vulnerability scanning. Previously, non-authenticated scans were sufficient, meaning external systems were scanned without logging in. Authenticated scans now provide a deeper assessment of system vulnerabilities by logging in to access configuration settings.
This change reveals significantly more vulnerabilities, underscoring the importance of a more rigorous approach. For example, one organisation’s unauthenticated scan revealed 300 vulnerabilities, while an authenticated scan uncovered 3,000, highlighting the necessity of this enhanced control.
Preparing for new mandatory controls
From April 2025, businesses must comply with mandatory requirements that were previously considered best practice. Organisations audited before this date could mark these as non-applicable; however, compliance will soon become non-negotiable.
This means businesses need to act now to ensure readiness by the deadline. Waiting until the last minute risks non-compliance, which can lead to fines, reputational damage, or even the loss of payment processing licences.
Some of the notable changes include:
- API and web application security: Enhanced requirements now mandate the use of Web Application Firewalls (WAFs) to safeguard against API vulnerabilities and payment script exploitation.
- Comprehensive inventory and monitoring of APIs and scripts: Organisations must maintain a complete list of application APIs and monitor their behaviour to ensure they function as intended.
- Defined periodic checks and targeted risk analyses: Tasks such as inspecting payment terminals for tampering must now follow structured schedules based on risk assessments.
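One way a merchant can turn the inventory-and-monitoring item above into a repeatable check is to keep an approved list of payment-page scripts (location plus a hash of the authorised content) and audit each page load against it. The following is an added example, not code from the article or from Galix; the page, inventory, served script bodies and the "fetch" callback are all constructed here so it runs offline.

```python
import hashlib
import re

# Matches each <script ...>...</script> element: group 1 = attributes, group 2 = inline body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed inventory: the scripts the merchant has authorised on the payment page,
# keyed by location for external scripts and by content hash for inline ones, with the
# written justification the inventory is expected to record.
APPROVED_EXTERNAL = {
    "https://checkout.example/pay.js": sha256_hex("function pay(){/* approved checkout */}"),
    "https://checkout.example/form.js": sha256_hex("function form(){}"),
}
APPROVED_INLINE = {sha256_hex("validate();"): "client-side field validation"}

# Constructed "live" responses a fetch of each script location would return today.
SERVED = {
    "https://checkout.example/pay.js": "function pay(){/* approved checkout */}",  # unchanged
    "https://checkout.example/form.js": "function form(){} /* changed since approval */",
    "https://cdn.example/analytics.js": "track();",  # never added to the inventory
}

# Constructed payment page containing one approved, one altered and one unlisted script,
# plus one approved and one unlisted inline script.
SAMPLE_PAGE = """<html><body>
<script src="https://checkout.example/pay.js"></script>
<script src="https://checkout.example/form.js"></script>
<script src="https://cdn.example/analytics.js"></script>
<script>validate();</script>
<script>extra();</script>
</body></html>"""


def audit_payment_page(html: str, fetch) -> list:
    """Return (finding, identifier) pairs for every script that is not in the inventory
    or whose served content no longer matches the approved hash, in page order."""
    findings = []
    for attrs, inline in SCRIPT_RE.findall(html):
        src_match = SRC_RE.search(attrs)
        if src_match:
            src = src_match.group(1)
            if src not in APPROVED_EXTERNAL:
                findings.append(("unauthorized-script", src))
            elif sha256_hex(fetch(src)) != APPROVED_EXTERNAL[src]:
                findings.append(("modified-script", src))
        else:
            digest = sha256_hex(inline.strip())
            if digest not in APPROVED_INLINE:
                findings.append(("unauthorized-inline-script", digest[:12]))
    return findings
```

Running `audit_payment_page(SAMPLE_PAGE, SERVED.get)` on a schedule (and on every deploy) gives the inventory a concrete monitoring counterpart; each finding should trigger the merchant's change-control or incident process rather than a silent update of the approved list.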
The role of TPSPs in ensuring compliance
PCI DSS-compliant TPSPs play a vital role in this evolving landscape. They offer cutting-edge security technologies, real-time threat intelligence, and specialised expertise to help businesses navigate the complexities of compliance.
By investing in measures such as ethical hacking and vulnerability assessments, TPSPs strengthen their clients’ defences, making them less attractive targets for cybercriminals.
Merchants relying on TPSPs for payment processing must ensure these providers are prepared for the new requirements. Compliance cannot be entirely outsourced; accountability remains with the merchant. Open dialogue with TPSPs about their readiness to meet the updated standards is essential.
Strategies for readiness
To prepare for PCI DSS v4.0.1, organisations should begin by assessing the scope and impact of the new requirements, identifying which controls are applicable to their environment, and determining the resources needed for implementation.
Collaboration with TPSPs and auditors is essential to ensure alignment with the updated standards, leveraging their expertise to navigate the changes effectively.
Key areas to prioritise include API and web security, vulnerability management, and maintaining an accurate, up-to-date inventory of scripts and applications.
Additionally, organisations should invest in robust ongoing monitoring and risk analysis capabilities to enhance their ability to detect anomalies and respond to potential threats in real time.
Final thoughts
Adhering to PCI DSS is not just about ticking boxes; it’s about fostering a culture of deliberate security practices.
Meeting these standards not only safeguards cardholder data but also enhances business resilience and trust.
Proactively addressing the upcoming changes demonstrates a commitment to security, a critical factor in today’s risk-conscious market.
As the deadline for PCI DSS v4.0.1 approaches, the emphasis on tighter controls and advanced security practices reflects the increasing complexity of the digital threat landscape. By acting now, businesses will not only meet compliance requirements but also build a robust security posture that protects both their operations and their customers.