signzy

PCI DSS v4.0 Global Standard

Global | 2022 | Payments | Cybersecurity

Overview

The Payment Card Industry Data Security Standard (PCI DSS) v4.0 is the global framework for securing cardholder data, published by the PCI Security Standards Council (PCI SSC) on March 31, 2022. It replaces version 3.2.1, which was retired on March 31, 2024; the new requirements that v4.0 marks as future-dated remain best practice until March 31, 2025, after which they become mandatory. (A limited revision, v4.0.1, was published in June 2024 to clarify wording without adding or removing requirements.) The update introduces a more flexible compliance path (the Customized Approach), stronger authentication requirements, and new controls for evolving payment technologies, such as management of scripts on e-commerce payment pages.
PCI DSS v4.0 is organized as twelve core requirements that protect cardholder data across its lifecycle. It emphasizes security as a continuous process rather than an annual event, targeted risk analysis, customized implementation, and expanded use of multi-factor authentication (MFA). The standard applies to any entity that stores, processes, or transmits cardholder data, or whose systems could affect the security of the cardholder data environment (CDE), including merchants, payment processors, fintech companies, banks, and card issuers worldwide.

Key Obligations

  • Implement and maintain the 12 requirements (and their sub-requirements) for protecting cardholder data, meeting each control through either the Defined Approach or the Customized Approach
  • Require multi-factor authentication for all access into the cardholder data environment, not only for administrative and remote access as under v3.2.1
  • Monitor all access to system components and cardholder data, and test network security regularly (vulnerability scans, penetration tests) to identify and remediate weaknesses
  • Restrict access to cardholder data to personnel with a business need to know, on a least-privilege basis
  • Perform targeted risk analyses where the standard allows an entity-defined frequency or a customized control, and document and validate compliance status annually (Self-Assessment Questionnaire or Report on Compliance)

FAQ

Is PCI DSS v4.0 mandatory?

Yes. While not a law, it is a contractual requirement imposed by the card brands (Visa, Mastercard, American Express, Discover, JCB) and enforced through acquiring banks.

Who needs to comply with PCI DSS v4.0?

Any entity handling payment card data — including merchants, service providers, and financial institutions.

What's new in PCI DSS v4.0 compared to v3.2.1?

v4.0 introduces the Customized Approach (meeting a requirement's stated objective with controls other than the defined ones, validated through a targeted risk analysis), stronger MFA requirements (MFA for all access into the CDE), and an emphasis on security as a continuous process rather than a point-in-time assessment.

What happens if a business fails to comply?

Non-compliance can lead to fines, increased transaction fees, or termination of the ability to process card payments.