
Achieving PCI DSS 4.0 compliance ahead of March 2025 deadline

Recent statistics show that card fraud in the UK amounted to well over £0.5 billion in a 12-month period.

Card-not-present fraud (predominantly ecommerce) accounted for over 80% of that £0.5 billion. None of us in the industry want to give the hackers out there any accidental support. PCI DSS compliance is there to protect us all, but are you compliant?

For years now, merchants have successfully relied on payment gateway providers such as WorldPay, Stripe and PayPal to provide tokenised solutions that keep cardholder data out of the merchant's own environment. We sometimes hear smaller merchants say "PCI compliance is only required for big businesses", which isn't true: every merchant that accepts card payments has to validate its compliance with its acquirer, however small the volume. This is closely followed by "we use Stripe/WorldPay etc. and they are fully PCI compliant, so we don't need to be". Also not true: outsourcing to a compliant provider shrinks the scope of your assessment, but you remain responsible for your own compliance and for the website that hands the customer over to that provider.

A lot has changed in our industry since 2004, when the major card brands such as Mastercard and Visa came together to define a common set of security requirements. This is where the Payment Card Industry Data Security Standard, or PCI DSS for short, was born. The standard covers key requirements for security management, policies, procedures, network architecture and software design. It continues to change, which makes this an important blog for anyone responsible for designing, coding, maintaining or owning websites that take payment.


PCI validation by level

Before we delve into the key changes, here is a quick reminder of basic compliance requirements by level of merchant activity.

If you take over 1 million card transactions a year then you are in the top two merchant levels. Level 1 (over 6 million transactions) requires an annual on-site assessment and Report on Compliance by a Qualified Security Assessor (QSA); Level 2 requires an annual assessment, which some card brands insist is completed by a QSA or a trained Internal Security Assessor. Both levels also need quarterly external network scans by an Approved Scanning Vendor (ASV). Most merchants at this level are in tune with the requirements, but even these latest PCI DSS changes could catch some out.

This blog is targeted more at those processing 1 million or fewer card transactions. If you fall between 20,000 and 1 million ecommerce transactions a year (Level 3) then you are probably used to completing a Self-Assessment Questionnaire (SAQ) along with quarterly ASV scans. The surprise for many merchants processing fewer than 20,000 transactions a year (Level 4) is that they too need to complete an SAQ along with quarterly ASV scans.

The core principles of PCI compliance can be summarised as follows:

  1. Build and maintain a secure network and systems
  2. Protect cardholder data
  3. Maintain a vulnerability management programme: develop secure systems and software, and protect all systems from malware
  4. Implement strong access control measures, restricting and authenticating system users
  5. Regularly monitor and test networks
  6. Maintain an information security policy

Keeping up with changes

At Element78 we advise our clients on how to protect their web, application and data environments in line with key standards. Our consultants audit current client solutions and produce a gap analysis that sets out the differences between the current compliance status and the latest requirements. Nobody wants the reputational risk or the commercial impact of not being compliant. Staying on top of the regulations is hard, because the requirements are updated as hackers find new ways to beat the system. One of the biggest recent concerns is how attackers inject or modify the JavaScript that runs in the customer's browser during checkout to skim card details, in some cases replicating the complete commerce experience (with your branding and content) with the cardholder none the wiser.

The latest version of PCI DSS is 4.0, released in March 2022 with 64 new or strengthened requirements in line with the ever-changing threats that are out there. Version 4.0 became the only active version when 3.2.1 was retired on 31 March 2024, but 51 of the new requirements were future-dated and only become mandatory on 31 March 2025. You should treat 31 March 2025 as the key date to be fully compliant with PCI DSS 4.0.

Key changes to be aware of

If you are a merchant that has fully outsourced all cardholder data functions to a PCI DSS compliant third party, then you will be used to completing Self-Assessment Questionnaire A (SAQ A).

Key changes to be aware of include:

  1. You need to fully document your policies and procedures for data retention and for protecting any stored account data (Requirement 3.2.1)
  2. You must identify and manage security vulnerabilities, including installing applicable security patches (Requirements 6.3.1 and 6.3.3)
  3. You must protect your website from unauthorised payment page script activity: keep an inventory of every script on the payment page with a business justification for each, make sure each is authorised and its integrity is assured, and deploy a change-and-tamper detection mechanism that alerts you when the page's scripts or HTTP headers change (Requirements 6.4.3 and 11.6.1)
  4. You must implement a secure password policy, including a minimum length of 12 characters with both letters and numbers (Requirement 8.3.6)
  5. You must ensure multi-factor authentication is used for all access into the cardholder data environment (Requirement 8.4.2)
  6. Anti-phishing protection for the email domains you use to send transactional email: the standard points to DMARC, together with SPF and DKIM, as the mechanism that stops hackers sending mail that impersonates your domain.

If your website builds the payment form itself and posts the card data directly to the gateway (a "direct post" or JavaScript-based integration, as opposed to a redirect to, or an iframe hosted by, the payment provider), then you will be used to completing SAQ A-EP. Key changes you need to cover off going forwards, in addition to the ones above, include maintaining a firewall, applying secure configurations to all your system components, and deploying automated solutions to detect and prevent malware and other attacks.

Your own staff are another potential vulnerability. Helping developers to understand secure coding practices, and helping everyone to recognise phishing attempts, also forms part of what PCI DSS expects you to comply with.

Your next steps to achieving compliance

At Element78 we provide a fast, focused and affordable auditing service with remedial technical support to ensure your regular PCI scans go well. A combination of technical controls, defined policies and procedures will help you to stay compliant. One of the biggest changes we are focused on supporting is script inventory and integrity monitoring on payment pages, with logging and review so that any unexpected change to a page's JavaScript or HTTP headers is spotted and investigated. Our consultants and developers can also help you to deploy a Content Security Policy (CSP) to control which scripts can be loaded.

The industry faces continuous threats from hackers, and consumers being duped by websites impersonating genuine brand sites is exactly what these new requirements are looking to tackle. Nobody in your finance, marketing, IT or leadership teams wants to face the prospect of fraudulent activity. The payment card industry is getting tougher on the criminals, but also tougher on those that don't comply with the new requirements. If you are found not to be complying, this can trigger fines and increased charges, along with the reputational damage.

Talk to our consultants if you have any questions and to find out more about our PCI DSS auditing service.
