PCI DSS v4.0 Payment Security
United States
2008
Consumer Protection
Privacy
Overview
The Payment Card Industry Data Security Standard (PCI DSS) v4.0, released in March 2022, is the latest global framework for securing cardholder data. It replaces version 3.2.1 and becomes fully enforceable from March 31, 2025, after the transition period ends. Developed by the PCI Security Standards Council (PCI SSC), this version enhances flexibility, strengthens authentication requirements, and focuses on continuous monitoring.It applies to all merchants, payment processors, banks, issuers, fintech companies, and other organizations that store, process, or transmit cardholder data. PCI DSS v4.0 supports both traditional and modern payment environments, including cloud and mobile platforms, requiring organizations to implement robust fraud risk management systems to protect sensitive cardholder information and maintain compliance with evolving security standards.
Key Obligations
- Implement and maintain firewalls and secure configurations for all systems
- Use strong encryption for transmission and storage of cardholder data
- Enforce multi-factor authentication (MFA) for all access to cardholder data
- Regularly test security systems and processes
- Monitor and log access to network resources and cardholder data
- Maintain an ongoing risk assessment process and ensure continuous compliance
- Comply with twelve core requirements, with additional flexibility through customized approaches
Stay ahead of risk with Signzy
Explore tools that help you onboard, monitor, and verify with confidence
Identity Verification
Use facial match and liveness checks paired with government ID verification to validate users while onboarding.
Transaction Monitoring
Monitor transactions in real-time and analyse past behaviour to identify suspicious activities and ensure regulatory compliance across the user journey.
Related Regulations
FAQ
What is the deadline for complying with PCI DSS v4.0?
Full compliance with v4.0 is mandatory from March 31, 2025, replacing the previous version 3.2.1.
Who enforces PCI DSS compliance?
Enforcement is handled by payment card brands like Visa and Mastercard through acquiring banks.
Are small businesses required to comply?
Yes. All businesses that process, store, or transmit cardholder data must comply, regardless of size.
What are some new features in v4.0?
Enhanced MFA requirements, customized implementation options, and improved risk-based testing methodologies.