
What Is PCI DSS and What Changed in Version 4.0

September 15, 2025

What Is PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements defined by the PCI SSC (Security Standards Council) — an entity created by the major card schemes: Visa, Mastercard, American Express, Discover, and JCB.

The standard applies to any entity that processes, stores, or transmits cardholder data (CHD). This includes:

  • Merchants that accept card payments
  • Acquirers and payment processors
  • Service providers (gateways, tokenizers, cloud providers)
  • Hardware manufacturers (POS terminals, PIN pads)

Non-compliance can result in fines, loss of the ability to accept card payments, and — in the event of a breach — civil and criminal liability.


What Is the Cardholder Data Environment (CDE)

The CDE is the set of systems, networks, and processes that store, process, or transmit cardholder data. The central idea behind PCI DSS is to minimize the scope of the CDE — the smaller the CDE, the fewer controls you need to implement.

Data that must be protected (CHD):

  • PAN (Primary Account Number) — the card number
  • Cardholder name
  • Expiration date
  • Service code

Data that MUST NEVER be stored after authorization (Sensitive Authentication Data, SAD):

  • CVV/CVC
  • Full magnetic stripe data
  • PIN and PIN Blocks

The 12 PCI DSS Requirements

The standard is organized into 6 goals and 12 requirements:

Build and Maintain a Secure Network

  1. Install and maintain network security controls (firewalls)
  2. Do not use vendor-supplied defaults for system passwords and security settings

Protect Cardholder Data

  3. Protect stored cardholder data
  4. Protect cardholder data in transit with strong cryptography

Maintain a Vulnerability Management Program

  5. Protect systems against malware and keep antivirus software current
  6. Develop and maintain secure systems and software

Implement Strong Access Control Measures

  7. Restrict access to cardholder data on a need-to-know basis (least privilege)
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  10. Log and monitor all access to network resources and cardholder data
  11. Test the security of systems and networks regularly

Maintain an Information Security Policy

  12. Maintain a corporate information security policy

Compliance Levels

The compliance level depends on the volume of transactions processed per year:

| Level | Criteria | Validation |
|-------|----------|------------|
| 1 | > 6 million transactions/year | Audit by a QSA (Qualified Security Assessor) + ROC |
| 2 | 1–6 million transactions/year | Annual SAQ (Self-Assessment Questionnaire) + quarterly ASV scan |
| 3 | 20k–1 million e-commerce transactions/year | Annual SAQ + quarterly ASV scan |
| 4 | < 20k transactions/year | Annual SAQ (recommended) |

A QSA is an auditor certified by the PCI SSC, an ASV (Approved Scanning Vendor) performs the quarterly external vulnerability scans, and the ROC (Report on Compliance) is the full audit report.


What Changed in PCI DSS 4.0

Version 4.0 (published in 2022, mandatory since March 2024) introduces significant changes:

Customized Approach

Organizations can now define alternative controls that meet the security objective of a requirement, rather than following the exact prescribed implementation. This requires documentation and QSA approval.

Expanded Multi-Factor Authentication (MFA)

MFA is now required for all access to the CDE, not just remote access. This affects administrators and developers with access to CDE systems.

Phishing Testing and Security Awareness

There is now an explicit requirement for a security awareness training program that includes phishing simulations, reviewed at least annually.

Payment Page Script Monitoring

New requirements to control and monitor all scripts loaded on payment pages (anti-Magecart), including a script inventory and integrity hashes.
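As an added illustration of that script inventory requirement (this is example code, not from the original post), the following Python check parses a payment page, compares every script it finds against an approved inventory of URLs and integrity hashes, and reports anything unauthorized, inline, or whose served content no longer matches the approved build. The URLs, script bodies and inventory are constructed for the example.

```python
import base64, hashlib
from html.parser import HTMLParser
def sri_digest(content: bytes) -> str:
    """Subresource Integrity value for a script body: 'sha384-' + base64 digest."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()
# Constructed sample data: what each script URL serves right now, and the
# approved inventory (authorized URL -> integrity hash of the approved build).
SERVED = {
    "https://checkout.example/app.js": b"window.checkout = {};",
    "https://cdn.example/widget.js": b"// build 2, never reviewed",
}
INVENTORY = {
    "https://checkout.example/app.js": sri_digest(SERVED["https://checkout.example/app.js"]),
    "https://cdn.example/widget.js": sri_digest(b"// build 1, reviewed and approved"),
}
PAGE = """<html><body>
<script src="https://checkout.example/app.js" integrity="%s"></script>
<script src="https://cdn.example/widget.js" integrity="%s"></script>
<script src="https://unknown.example/extra.js"></script>
<script>console.log("hi")</script>
</body></html>""" % tuple(INVENTORY.values())

class ScriptCollector(HTMLParser):
    """Collects every <script> on the page: its attributes plus any inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur = {**dict(attrs), "inline": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["inline"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None
def check_payment_page(html: str, inventory: dict, fetch) -> list:
    """Findings as (kind, detail): unauthorized, inline, or integrity-mismatched scripts."""
    p = ScriptCollector(); p.feed(html)
    findings = []
    for s in p.scripts:
        src = s.get("src")
        if src is None:                      # inline scripts cannot be hash-pinned
            findings.append(("inline-script", s["inline"].strip()))
        elif src not in inventory:           # never authorized for this page
            findings.append(("unauthorized", src))
        elif s.get("integrity") != inventory[src] or sri_digest(fetch(src)) != inventory[src]:
            findings.append(("integrity-mismatch", src))   # tag or served content drifted
    return findings
```

Running `check_payment_page(PAGE, INVENTORY, SERVED.__getitem__)` on the constructed page reports the widget.js content change, the unknown script, and the inline script, while the approved app.js passes.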

API Protection

Increased focus on authentication and authorization for APIs that access cardholder data.


Strategies to Reduce PCI Scope

The best strategy for most organizations is to minimize contact with cardholder data:

Tokenization: Replace the PAN with a non-sensitive token after the first transaction. The token can be freely stored; the PAN stays in the tokenizer's vault (which assumes the PCI scope).
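To make the tokenization flow, and the rule above that SAD is never stored, concrete, here is an added Python example (not the post's own code): the merchant persists only a token and a masked PAN, the PAN lives solely in a stand-in vault, and the CVV is used for authorization and then discarded. The vault class, the Luhn sanity check and the first-six/last-four masking rule are assumptions made for the illustration.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; a cheap sanity check before anything handles a PAN."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Truncated form kept for display (assumed first six / last four rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """Assumed stand-in for the tokenizer's vault: the only place a PAN lives."""
    def __init__(self):
        self._pan_by_token, self._token_by_pan = {}, {}
    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a plausible PAN")
        if pan not in self._token_by_pan:    # same card always maps to the same token
            token = "tok_" + secrets.token_urlsafe(16)   # random, carries no PAN information
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return self._token_by_pan[pan]
    def detokenize(self, token: str) -> str:
        """Only the vault (inside PCI scope) can turn a token back into a PAN."""
        return self._pan_by_token[token]

def save_card_on_file(vault: TokenVault, pan: str, cvv: str) -> dict:
    """Merchant side: the record that may persist after the first transaction."""
    token = vault.tokenize(pan)
    # The CVV is SAD: it goes into the authorization request and nowhere else.
    del cvv
    return {"token": token, "display": mask_pan(pan)}
```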

Redirection: In e-commerce, redirect the customer to the payment gateway's hosted payment page — your servers never see the card data.

P2PE (Point-to-Point Encryption): With certified P2PE terminals, data is encrypted at the PIN entry device and only decrypted at the certified processor. This can dramatically reduce the merchant's PCI scope.


Conclusion

PCI DSS is not just a compliance formality — it is a solid security framework for environments that handle sensitive financial data. Version 4.0 reinforces modern technical controls such as universal MFA, script monitoring, and API authentication, reflecting the current threat landscape.

For organizations starting their compliance journey, the first step is always to map and minimize the CDE scope — this reduces cost, complexity, and risk.
