TL;DR:

PCI DSS 4.0 introduces 51 new requirements becoming mandatory by March 31, 2025. According to a 2024 Verizon Payment Security Report, only 43% of organizations maintain full PCI DSS compliance year-round, with the average cost of a payment card data breach reaching $4.35 million (IBM Security, 2024). Companies implementing PCI DSS 4.0 controls report 76% fewer security incidents affecting cardholder data (Ponemon Institute, 2023).

Key Points:

• PCI DSS (Payment Card Industry Data Security Standard) 4.0 compliance is crucial for merchants and service providers handling payment card transactions to safeguard customer payment data and prevent breaches.
• Compliance involves adhering to 64 core PCI DSS requirements, covering areas like network security, encryption, vulnerability management, access control, monitoring, and information security policies.
• PCI compliance applies to any entity that stores, processes, or transmits cardholder data. This includes all businesses accepting card payments, except for cash-based businesses. Non-compliance can result in fines, increased transaction fees, and reputational damage.
• Download our guide to see how Metomic can help businesses achieve PCI DSS 4.0 compliance by providing visibility, access controls, data location identification, and employee training on handling sensitive data in SaaS applications.

In a world where cash is no longer king, the protection of your customer payment data has become non-negotiable.

Whether you’re a merchant or a service provider, you’re required to comply with the ever evolving Payment Card Industry Data Security Standard (PCI DSS) or be subject to hefty penalties, business disruption, and reputational damage as a resulting failure to do so.

PCI DSS v4.0 was launched in March 2024, and organisations must comply with its 51 new requirements by 31st March 2025, including updates to password rules, expanded multi-factor authentication and stronger protection of cardholder data.

In this guide, we’ll take a look at what it means to be PCI DSS compliant, and what the new PCI DSS guidelines will require.

Why Has PCI DSS Compliance Become Non-Negotiable for UK and US Businesses?

In a world where cash is no longer king, the protection of your customer payment data has become non-negotiable.

Whether you're a merchant or a service provider, you're required to comply with the ever evolving Payment Card Industry Data Security Standard (PCI DSS) or be subject to hefty penalties, business disruption, and reputational damage as a resulting failure to do so.

PCI DSS v4.0 was launched in March 2024, and organisations must comply with its 51 new requirements by 31st March 2025, including updates to password rules, expanded multi-factor authentication and stronger protection of cardholder data.

In this guide, we'll take a look at what it means to be PCI DSS compliant, and what the new PCI DSS guidelines will require.

What is PCI DSS?

The PCI DSS was established in 2006 to ensure payment data is protected when transactions are made, preventing malicious entities from getting their hands on customer information.

All merchants or service providers handling payment cards are required to be compliant with PCI DSS. Although it’s not a law, the standard is regarded globally as the guideline when it comes to payment card regulations.

To comply with PCI DSS, you’ll need to follow 64 core requirements as laid out by the PCI SSC (Payment Card Industry Security Standards Council), which is made up of the five big payment card providers - Mastercard, Visa, American Express, Discover, and JCB.

It’s important to comply with PCI DSS, in addition to the aforementioned risks of failure to comply, there is the added impact of significant fines, increased transaction fees, and potentially, the revocation of card processing privileges to organisations, levied by the PCI SSC.

🎥PCI DSS compliance explained in 1 minute

In this video, we dive into PCI DSS compliance and why it’s critical for safeguarding payment card data

What are PCI DSS standards?

Every payment card provider has their own individual requirements, but essentially, there are four levels of PCI standards. The level you fall into will depend on how many card transactions you process each year:

• Level 1: More than 6 million annual payment card transactions
• Level 2: Between 1 million to 6 million annual payment card transactions
• Level 3: Between 20k and 1 million annual payment card transactions
• Level 4: Fewer than 20k annual payment card transactions

What’s changing in PCI DSS v4.01?

The latest update to PCI DSS introduces 51 new security requirements (in addition to the original 13, all of which become mandatory as of 31 March 2025. These changes are designed to tackle evolving cyber threats, with a strong focus on encryption, access controls, vulnerability management, phishing prevention, and e-commerce security.

For a detailed breakdown of all 51 additional requirements, refer to the official documentation: PCI DSS v4.0.1.

Key Changes You Need to Know

1. Stronger Encryption and Data Protection

• Disk or partition-level encryption no longer meets compliance standards for storing cardholder data. Organisations must implement file or database-level encryption.
• Hashed PANs must be cryptographically keyed (e.g., HMAC) rather than left unhashed or unsalted.

2. Cryptographic Inventory and Risk Assessments

• Businesses must maintain a detailed inventory of all cryptographic methods used to protect cardholder data, both at rest and in transit.
• An annual cryptographic risk assessment is now required to ensure security remains effective, particularly with the growing concerns around quantum computing.

3. Enhanced E-commerce Security

• Organisations must monitor and manage all JavaScript running on payment pages to prevent web skimming attacks.
• Any unauthorised changes to scripts must be detected and addressed, which may prove challenging given the reliance on third-party scripts.

4. Phishing Prevention and User Training

• Businesses must deploy anti-phishing technologies to block and detect phishing attacks.
• All employees must receive regular training to recognise and report phishing and social engineering attempts.

5. Stronger Access Controls

• Multi-Factor Authentication (MFA) is now required for all users accessing the Cardholder Data Environment (CDE), not just administrators or remote users.
• System and application accounts, which have historically been overlooked, must now be actively managed, reviewed, and secured. Many organisations may need to deploy a Privileged Access Management (PAM) solution to meet this requirement.

6. Automated Security Monitoring

• Manual log reviews are no longer compliant—businesses must use an automated Security Information and Event Management (SIEM) system.
• Internal vulnerability scans must now be authenticated, requiring the use of valid credentials to assess internal systems. Organizations that have not yet implemented this will need to plan for a 12-month project to identify and resolve any newly discovered vulnerabilities.

7. Stricter Inventory Management

• Companies must evaluate risks associated with end-of-life hardware and software and create documented plans to secure or replace them.

These changes significantly raise the bar for security, making it essential for businesses to start adapting now rather than scrambling before the compliance deadline.

Who does PCI DSS compliance typically apply to?

Any merchants or service providers who are using or accepting payments by card must comply with PCI.

The PCI guidelines state:

‍‘The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.’

You’ll only be exempt if you’re a cash-based business, and don’t take card transactions.

💬How do you know whether your business is PCI DSS compliant?

Once you’ve understood the level you fall into and the standards you’ll need to comply with, you should undertake a self assessment to see whether your business is adhering to PCI DSS requirements. With a self assessment in place, you’ll be able to see where your weaknesses lie and where you can improve.

The PCI Security Standards website has many useful guides to help you better understand PCI compliance and how to perform a self assessment, including a self-assessment questionnaire: https://www.pcisecuritystandards.org/merchants/.

You should also establish who in your organisation is responsible for overseeing this project, having an individual or team responsible for managing your compliance means it won’t be overlooked.

Ben van Enckevort, Chief Technology Officer at Metomic, says:

Updating the standards

New PCI DSS v4.01 regulations are set to tighten payment data security, with additional requirements becoming mandatory from 1st April 2025.

These updates aren’t just routine changes—they reflect the need for organisations to strengthen their defences against evolving cyber threats and gaps in security controls. 

Key areas of focus include:

• Stronger encryption standards – Disk- or partition-level encryption alone is no longer sufficient; full data encryption is required for cardholder data.
• Mandatory multi-factor authentication (MFA) – Now required for all users accessing the Cardholder Data Environment (CDE), not just administrators or remote users.
• Authenticated internal vulnerability scanning – Scans must use valid credentials to identify deeper security risks more effectively.
• Stricter JavaScript controls in payment pages – Businesses must monitor and validate scripts to prevent unauthorized modifications and e-commerce skimming attacks.
• Enhanced phishing protection – Combines technical safeguards with ongoing user training to detect and prevent phishing threats.

As cyber threats grow more sophisticated, these updates proactively close security gaps before they turn into breaches.

✅What are the key changes in PCI DSS v4.0?

The transitions to PCI DSS v4.0 bring significant changes to data security standards, including:

• The introduction of 13 new broad requirements by March 31st, 2024.
• These 13 requirements revolve around protecting cardholder data, maintaining a vulnerability management program, implementing strong access controls, regularly monitoring and testing networks, and maintaining an information security policy.
• A further 51 new technical requirements to be implemented by 31st March 2025.
• Updated Self-Assessment Questionnaires (SAQ) to reflect the evolving payment security landscape, with additional requirements to address emerging threats.

For a more detailed and granular breakdown of the requirements your organisation will need to follow, please check the official Payment Card Industry Data Security Standard version 4.0 guidance.

Addressing common compliance questions

As your organisation transitions to PCI DSS v4.0, you may have questions about assessment validity, and the compliance of your service provider.

These include payment processors, hosting providers, managed service providers (MSPs) and any third party that handles payment information on your behalf.

It’s crucial to get clarity on any issues you may be facing to ensure a smooth transition.

These questions could include:

• Will assessment results under PCI DSS v3.2.1 remain valid after the retirement date?
• How should organisations handle meeting PCI DSS v4.0 requirements if their service providers haven't made the transition yet?
• Are there any other important things to consider regarding assessment validity during the transition?
• What steps can organisations take to make sure they're communicating effectively with their service providers during this transition?
• How can organisations reduce risks associated with service provider compliance during the transition?

Effective communication and collaboration with your service provider will be the key to a smooth transition process.

What Steps Should Global Businesses Take to Achieve PCI DSS v4.0 Compliance?

1. Establish Clear Ownership of Compliance

Appoint a dedicated individual or team to oversee PCI DSS compliance.  Without clear accountability, meeting these new requirements will become significantly more challenging.

2. Define Your PCI DSS Scope

• Identify where cardholder data is stored and processed, including third-party services.
• Ensure encryption meets new standards (file or database-level encryption, cryptographically keyed hashes).
• Maintain an up-to-date cryptographic inventory and perform annual risk assessments.

3. Conduct a Security Risk Assessment

• Review JavaScript on payment pages to mitigate web skimming risks.
• Evaluate phishing threats and deploy anti-phishing tools.
• Identify end-of-life systems and document a plan to secure or replace them.

4. Implement New Security Controls

• Extend MFA to all users accessing the CDE.
• Secure system and application accounts with a Privileged Access Management (PAM) solution.
• Ensure log reviews are automated with a SIEM system.
• Deploy authenticated internal vulnerability scanning to identify security risks.

Use the PCI Self-Assessment Questionnaire to help you cover all the necessary steps.

5. Continuously Monitor and Test Security Measures

• Implement real-time network monitoring to detect threats.
• Conduct regular vulnerability assessments, leveraging authenticated scans for better accuracy.
• Track and respond to unauthorised JavaScript changes on payment pages.

6. Maintain Comprehensive Compliance Documentation

• Keep records of your cryptographic inventory, risk assessments, and vulnerability scans.
• Document security policies, user access reviews, and phishing training sessions.
• Regularly review third-party vendor compliance to ensure they meet PCI DSS standards.

PCI DSS compliance is now more demanding than ever. Start making these changes now to avoid last-minute compliance challenges before the March 2025 deadline.

For a full list of all 51 new requirements, refer to the official PCI DSS v4.0 documentation: PCI DSS v4.0.1.

What happens if you don’t comply with PCI DSS?

You could end up paying fines that range from $5k to $100k per month to the payment card providers. How much you pay will depend on the level you fall into and the circumstances behind the non-compliance.

For instance, companies that are in the Level 1 category will likely pay out a lot more than those in the Level 4 category. Fines are also dependant on the severity of breaches - if data was breached and it took a long time to fix the issue, you could end up with a heavier fine.

For example, in 2017, British Airways was fined $229 million for a data breach that affected 500,000 customers.

You’ll also lose the trust of your customers who are expecting you to protect their sensitive data. Reputational damage could hurt you long-term, even after you’ve paid the monetary penalties. If your clients find that you’ve put their data at risk, they’re likely to take their business elsewhere.

To sum it all up

The transition to PCI DSS v4.0 is a critical step for organisations that in any way deal with payment data and security, and by April 31st 2025, your organisation needs to be ready to comply with the 51 requirements of the new standard.

Understanding the key changes, updating SAQs for compliance, and addressing any common questions will be integral to the success of this process.

By effectively implementing all of these measures, you can stay compliant with industry standards and strengthen your overall security posture around payment data and security.

Frequently Asked Questions About PCI DSS 4.0 Compliance

How do PCI DSS 4.0 requirements vary between UK and US markets?

While PCI DSS 4.0 provides a global standard, implementation varies by region. UK organizations must align with both PCI DSS and post-Brexit data protection regulations, while US businesses navigate federal requirements plus state-specific laws like California's CCPA and New York's SHIELD Act. European companies face stricter GDPR integration, whereas US companies often focus more on sector-specific compliance (HIPAA for healthcare, GLBA for financial).

What are the exact costs of PCI DSS 4.0 compliance for businesses of different sizes?

PCI DSS 4.0 compliance costs vary significantly by company size and region. Small UK businesses (Level 4) typically spend £5,000-£15,000, while US counterparts invest $3,000-$10,000. Mid-sized organizations (Level 2-3) face costs of £15,000-£50,000 in the UK and $10,000-$50,000 in the US. Large enterprises (Level 1) should budget £50,000-£200,000+ in the UK and $50,000-$250,000+ in the US, with ongoing annual maintenance requiring 15-25% of initial investment.

How should multinational companies approach PCI DSS 4.0 implementation across different regions?

Multinational companies should establish a centralized compliance framework while accommodating regional variations. Start by mapping all payment processing environments across locations, then create region-specific implementation teams familiar with local regulations. Prioritize uniform controls that satisfy the strictest requirements (typically EU standards), while developing market-specific procedures for unique jurisdictional demands. Implement consistent documentation standards but allow for regional appendices addressing local requirements, and select QSAs with international experience spanning all operational regions.

What is the timeline for PCI DSS 4.0 implementation in different global regions?

While the global deadlines remain March 31, 2024 (for new requirements) and March 31, 2025 (for all 51 technical requirements), regional adoption timelines may vary. UK organizations typically face tighter schedules due to FCA expectations of early adoption, while North American companies often adhere strictly to the formal deadlines. Organizations in the Asia-Pacific region, particularly in Singapore and Australia, are advised to begin implementation approximately 18 months before deadlines, with local regulatory authorities sometimes introducing region-specific interim milestones.

🔒How does Metomic help you comply with PCI DSS 4.0?

• The Metomic platform gives you full visibility and control over financial data held in your SaaS apps like Google Drive, Slack, and Jira.
• Helps you put access controls in place, limiting over-exposure of sensitive information
• Identifies where sensitive data is stored and who has access to it
• Reinforces PCI DSS compliance by sending employee notifications to your staff when they share sensitive data within SaaS apps

Download our guide to see how Metomic can help businesses achieve PCI DSS compliance by providing visibility, access controls, data location identification, and employee training on handling sensitive data in SaaS applications.