The Payment Card Industry Security Standards Council (PCI SSC) remains a cornerstone in the global effort to enhance payment security for cardholder data environments. Its flagship standard, the PCI Data Security Standard (PCI DSS), is widely regarded as the global benchmark for safeguarding account data. Organizations that process, store, or transmit cardholder data — or handle sensitive authentication data — must comply with PCI DSS to ensure the security of their cardholder environments.
Over the years, PCI DSS has evolved to address the shifting landscape of payment security threats and technological advancements. The release of PCI DSS 4.0 represents the most significant update to date. This version introduced 64 new requirements, aimed at addressing emerging threats, aligning with advancements in technology, and providing greater flexibility in achieving compliance. Initially labeled as best practices, these requirements become mandatory on March 31, 2025.
For businesses that accept or process payment cards, compliance with PCI DSS 4.0 is not optional — it’s a critical step to ensure the safety and trust of your customers. Whether you’re a small retailer or a large enterprise, now is the time to assess your readiness and compliance. Questions surrounding PCI DSS 4.0 abound; following are answers to some of the more common questions we’ve received.
Is There Another PCI DSS Update on the Horizon?
Actually, it’s already happened. In June 2024, PCI DSS 4.0.1 was published in response to questions and feedback PCI SSC received. This update took effect immediately. It’s important to note that no requirements changed from PCI DSS 4.0 to PCI DSS 4.0.1. The update’s intent was to clarify the standard so organizations can effectively achieve compliance.
What Is Meant by the Customized Approach?
Prior to the new version, there was one approach that all organizations took to maintain PCI DSS compliance. With PCI DSS 4.0, organizations can choose between the traditional approach, now known as the defined approach, and the new, more flexible customized approach:
- Defined approach: With this approach, organizations implement security controls as prescribed in the Standard’s requirements, and the assessor then follows the defined testing procedures to ensure requirements are met. This approach provides more direction on how to meet security objectives.
- Customized approach: Organizations create a customized implementation, giving them flexibility to implement controls. With this approach, there are no defined testing procedures; it will be up to the qualified security assessors (QSAs) to develop validation testing procedures. The intent of this option was for it to be used by “risk-mature entities that demonstrate a robust risk-management approach to security, including, but not limited to, a dedicated risk management department or an organization-wide risk management approach.”
Is PCI DSS a Law?
Unlike government-enacted laws, PCI DSS does not carry the force of law. Since PCI SSC operates independently of governmental agencies, the standard is not bound by traditional regulatory compliance requirements. Furthermore, the PCI SSC does not enforce compliance or oversee the implementation of its standards. However, non-compliance can lead to significant consequences including fines ranging from $5,000 to $100,000 a month, suspension of credit card processing privileges, liability for fraud-related costs, expenses for credit card replacement, and mandatory forensic investigations.
What Does “PCI data” Refer to?
This pertains to sensitive payment card information covered by the PCI DSS, including credit card numbers, expiration dates, security codes (CVV), and any personal data linked to cardholders that organizations process, store, or transmit during payment transactions.
Are Web Application Firewalls (WAFs) Required with PCI DSS 4.0?
In earlier versions of the standard, WAFs were referenced but not included as a formal requirement. However, PCI DSS 4.0 introduces a WAF mandate under requirement 6.4.2 for public-facing web applications.
“The new standard elevates the role of web application firewalls (WAFs) from a highly recommended security measure to an indispensable compliance requirement,” explains Josh Davies, Principal Technical Product Marketing Manager at Fortra’s Alert Logic. “This is more than a change in the security vernacular; it’s a strategic move to bolster the fortifications around our most sensitive data. PCI DSS 4.0 leaves no room for ambiguity: It mandates an automated technical solution that doesn’t merely detect threats but actively prevents them. Requirement 6.4.2 explicitly requires affected businesses to ‘deploy an automated technical solution for public-facing web applications that continually detects and prevents web-based attacks.’”
In addition to requirement 6.4.2, a WAF with client-side protection also meets requirements 6.4.3 and 11.6.1. Why the focus on client-side protection? “The main culprit is Magecart (or web skimming) attacks that compromised the credit card and personal information of millions of customers and end users, resulting in hundreds of millions of dollars in credit card costs and losses for financial institutions, as well as fines for PCI merchants,” explained Samuel Lam, Principal Implementation Engineer at Alert Logic. Fully managed WAFs that have page script integrity and content security policy modules will help organizations achieve this level of compliance and fend off data-stealing attacks.
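The client-side controls described above (a script inventory with integrity values, plus tamper detection on the payment page and its headers) can be illustrated with a small audit routine. The following is an added example written for this page, not code from Alert Logic or from the PCI SSC; the page URL, the approved scripts, their hashes, the Content-Security-Policy header and the unlisted third-party tag are all constructed for the demonstration. It parses a served payment page, checks every script against an approved inventory (external scripts by URL and Subresource Integrity value, inline scripts by hash), and checks that each script origin is permitted by the page's script-src directive, reporting anything that drifts from the inventory.

```python
"""
Added example (not from the original post): a minimal payment-page script
audit in the spirit of PCI DSS 4.0 requirements 6.4.3 (script inventory and
integrity) and 11.6.1 (tamper detection on payment page content and headers).
All URLs, hashes and page content below are constructed for the example.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha256, base64) for a script body."""
    return "sha256-" + base64.b64encode(hashlib.sha256(content).digest()).decode()


# --- Constructed inventory: the scripts authorized to run on the payment page.
CHECKOUT_JS_BODY = b"/* constructed body of the payment provider's checkout.js */"
INLINE_CONFIG = b'window.checkoutConfig = {currency: "USD"};'
APPROVED_EXTERNAL = {"https://cdn.example-psp.test/checkout.js": sri_hash(CHECKOUT_JS_BODY)}
APPROVED_INLINE = {sri_hash(INLINE_CONFIG)}
PAGE_ORIGIN = "https://shop.example.test"  # assumed origin of the payment page

# --- Constructed sample of a served page: two authorized scripts and one
#     third-party tag that is not in the inventory (this is how an injected
#     skimming script would surface to the check).
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example-psp.test",
}
SAMPLE_HTML = f"""<html><head>
<script src="https://cdn.example-psp.test/checkout.js"
        integrity="{APPROVED_EXTERNAL['https://cdn.example-psp.test/checkout.js']}"
        crossorigin="anonymous"></script>
<script>{INLINE_CONFIG.decode()}</script>
<script src="https://tags.unlisted-vendor.test/tag.js"></script>
</head><body><form id="payment"></form></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects every <script> element with its src, integrity attribute and inline text."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "text": ""}

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as raw data; accumulate them.
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def csp_script_sources(headers: dict) -> set:
    """Returns the source tokens of the script-src directive (empty set if absent)."""
    csp = headers.get("Content-Security-Policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return set(parts[1:])
    return set()


def audit_payment_page(html: str, headers: dict) -> list:
    """Returns a list of findings; an empty list means the page matches the inventory."""
    findings = []
    allowed = csp_script_sources(headers)
    if not allowed:
        findings.append("no script-src directive in Content-Security-Policy header")
    collector = ScriptCollector()
    collector.feed(html)
    for s in collector.scripts:
        if s["src"]:
            u = urlsplit(s["src"])
            origin = f"{u.scheme}://{u.netloc}"
            expected = APPROVED_EXTERNAL.get(s["src"])
            if expected is None:
                findings.append(f"unauthorized external script: {s['src']}")
            elif s["integrity"] != expected:
                findings.append(f"integrity attribute missing or changed: {s['src']}")
            if allowed and origin not in allowed and not (origin == PAGE_ORIGIN and "'self'" in allowed):
                findings.append(f"script origin not permitted by CSP: {origin}")
        else:
            digest = sri_hash(s["text"].strip().encode())
            if digest not in APPROVED_INLINE:
                findings.append(f"inline script not in inventory: {digest}")
    return findings


if __name__ == "__main__":
    for finding in audit_payment_page(SAMPLE_HTML, SAMPLE_HEADERS):
        print("FINDING:", finding)
```

Run as-is, the audit reports the unlisted vendor tag twice: once because it is absent from the inventory and once because its origin is not permitted by the script-src directive. In practice the inventory would be the organization's maintained list of authorized payment-page scripts, and the audit would run against periodic fetches of the live page so that any change to scripts or headers is detected rather than discovered after a breach.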
What Types of Threats Can a WAF Defend Against?
A WAF should protect against common web-based threats by filtering and monitoring HTTP/HTTPS traffic between a web application and the internet. The threats it covers should include SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), file inclusion, and Distributed Denial of Service (DDoS).
What Is an ASV Scan?
An ASV scan is a vulnerability scan performed by an approved scanning vendor (ASV). The scan identifies vulnerabilities in internet-facing systems that could be exploited by attackers to gain unauthorized access or compromise payment card data.
ASV scans are external vulnerability assessments conducted to evaluate and validate the security of systems and networks that handle payment card data. For PCI DSS 4.0, ASV scans satisfy the external scanning requirements outlined in requirement 11.3.2; these scans must be performed at least every three months. The PCI SSC maintains the current list of approved scanning vendors, which includes Fortra, on its website.
How Can We Sustain PCI DSS 4.0 Compliance Once It’s Achieved?
Security compliance, like cybersecurity in general, is not a check-the-box activity. Rather, it’s a never-ending journey to ensure your IT environment is secure and any issues are quickly detected and corrected. Adopting a continuous process mindset for security will not only improve your security outcomes but help you maintain compliance.
By focusing on security as a continuous process, an organization should be able to maintain its PCI DSS 4.0 compliance and reduce the risk of security incidents and breaches. Steps that help sustain compliance include conducting regular risk assessments, maintaining policies and procedures for consistent implementation of security controls, implementing a formal security awareness program that is regularly updated, and revisiting settings to account for changes in the threat landscape and web stack.
As a leading managed security services provider, Alert Logic helps organizations achieve their compliance goals with Fortra XDR, Fortra’s Alert Logic MDR, and Fortra Managed WAF. Discover how we can partner with you to reach your compliance targets by scheduling a demo.
Additional Resources:
PCI DSS 4.0 Compliance | Solution Brief
The 12 PCI DSS Compliance Requirements
PCI DSS 4.0: Understanding the Expanded Role of Web Application Firewalls