Recent Updates to the Payment Card Industry Data Security Standard (PCI DSS)

If the PCI DSS is new to you, it’s important that you understand why it is needed and how it relates to your business.

  • The PCI DSS is a set of payment card security requirements designed to protect account data.
  • It is a checklist of security measures that merchant businesses accepting card payments must have in place to ensure that payment card information is handled safely.
  • If your business handles, stores, or transmits account data or could impact the security of account data, you must comply with the PCI DSS.
  • Compliance means ensuring that the security measures applicable to your business’s payment card account data activities are in place to prevent unauthorized access, data breaches, and other security risks.
  • Merchants must demonstrate to their acquiring banks or merchant services providers that they process payments in a way that aligns with the PCI DSS compliance programs set out by the card brands.
  • PCI DSS compliance is not only a contractual requirement, but may also be a legal obligation, as account data is considered personal information.
  • And, by demonstrating PCI DSS compliance, you’re also building trust and growing your business by showing your customers that you take their security seriously.

Understanding PCI DSS 4.X

PCI DSS 4.X is a term used to cover the latest versions of the Payment Card Industry Data Security Standard, v4.0 and v4.0.1, whose changes come into effect between April 1, 2024 and April 1, 2025.

Version 4.0, published in June 2022, marked the first significant change to the standard in nearly a decade. It is a response to both changes in technology and the evolving threat landscape facing businesses today. It aims to better support businesses in their efforts to secure payment card data and improve security measures to protect against potential risks.

What’s Changed in the PCI DSS?

PCI DSS v4.0, published by the Payment Card Industry Security Standards Council (PCI SSC), introduced several updates, including increased password complexity, greater use of multi-factor authentication, improved secure software development practices, regular checks to identify potential software vulnerabilities, and an increased focus on security awareness training to educate employees about security risks.

In 2024, the PCI SSC published minor updates in v4.0.1, together with the associated Self-Assessment Questionnaires (SAQs) and Report on Compliance (ROC) template, an expected natural progression that focuses on clarifying the requirements and guidelines rather than overhauling them. From April 2025, the additional PCI DSS requirements introduced with v4.0 will be in full effect.

For simplicity, 4.X is the accepted term, also used by the PCI SSC, that covers all of these versions.