To comply with PCI DSS, you’ll need to follow 64 requirements as laid out by the PCI SSC (Payment Card Industry Security Standards Council) by 31st March 2025, which is made up of the five big payment card providers - Mastercard, Visa, American Express, Discover, and JCB. 12 of these are already in effect as of March 31st 2024.
In a world where cash is no longer king, the protection of your customer payment data has become non-negotiable.
Whether you’re a merchant or a service provider, you’re required to comply with the ever evolving Payment Card Industry Data Security Standard (PCI DSS) or be subject to hefty penalties, business disruption, and reputational damage as a resulting failure to do so.
PCI DSS v4.0 was launched in March 2024, and organisations must comply with its 51 new requirements by 31st March 2025, including updates to password rules, expanded multi-factor authentication and stronger protection of cardholder data.
In this guide, we’ll take a look at what it means to be PCI DSS compliant, and what the new PCI DSS guidelines will require.
The PCI DSS was established in 2006 to ensure payment data is protected when transactions are made, preventing malicious entities from getting their hands on customer information.
All merchants or service providers handling payment cards are required to be compliant with PCI DSS. Although it’s not a law, the standard is regarded globally as the guideline when it comes to payment card regulations.
To comply with PCI DSS, you’ll need to follow 64 core requirements as laid out by the PCI SSC (Payment Card Industry Security Standards Council), which is made up of the five big payment card providers - Mastercard, Visa, American Express, Discover, and JCB.
It’s important to comply with PCI DSS, in addition to the aforementioned risks of failure to comply, there is the added impact of significant fines, increased transaction fees, and potentially, the revocation of card processing privileges to organisations, levied by the PCI SSC.
In this video, we dive into PCI DSS compliance and why it’s critical for safeguarding payment card data
Every payment card provider has their own individual requirements, but essentially, there are four levels of PCI standards. The level you fall into will depend on how many card transactions you process each year:
The latest update to PCI DSS introduces 51 new security requirements (in addition to the original 13, all of which become mandatory as of 31 March 2025. These changes are designed to tackle evolving cyber threats, with a strong focus on encryption, access controls, vulnerability management, phishing prevention, and e-commerce security.
For a detailed breakdown of all 51 additional requirements, refer to the official documentation: PCI DSS v4.0.1.
These changes significantly raise the bar for security, making it essential for businesses to start adapting now rather than scrambling before the compliance deadline.
Any merchants or service providers who are using or accepting payments by card must comply with PCI.
The PCI guidelines state:
‘The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.’
You’ll only be exempt if you’re a cash-based business, and don’t take card transactions.
Once you’ve understood the level you fall into and the standards you’ll need to comply with, you should undertake a self assessment to see whether your business is adhering to PCI DSS requirements. With a self assessment in place, you’ll be able to see where your weaknesses lie and where you can improve.
The PCI Security Standards website has many useful guides to help you better understand PCI compliance and how to perform a self assessment, including a self-assessment questionnaire: https://www.pcisecuritystandards.org/merchants/.
You should also establish who in your organisation is responsible for overseeing this project, having an individual or team responsible for managing your compliance means it won’t be overlooked.
Ben van Enckevort, Chief Technology Officer at Metomic, says:
New PCI DSS v4.01 regulations are set to tighten payment data security, with additional requirements becoming mandatory from 1st April 2025.
These updates aren’t just routine changes—they reflect the need for organisations to strengthen their defences against evolving cyber threats and gaps in security controls.
Key areas of focus include:
As cyber threats grow more sophisticated, these updates proactively close security gaps before they turn into breaches.
The transitions to PCI DSS v4.0 bring significant changes to data security standards, including:
For a more detailed and granular breakdown of the requirements your organisation will need to follow, please check the official Payment Card Industry Data Security Standard version 4.0 guidance.
As your organisation transitions to PCI DSS v4.0, you may have questions about assessment validity, and the compliance of your service provider.
These include payment processors, hosting providers, managed service providers (MSPs) and any third party that handles payment information on your behalf.
It’s crucial to get clarity on any issues you may be facing to ensure a smooth transition.
These questions could include:
Effective communication and collaboration with your service provider will be the key to a smooth transition process.
Appoint a dedicated individual or team to oversee PCI DSS compliance. Without clear accountability, meeting these new requirements will become significantly more challenging.
Use the PCI Self-Assessment Questionnaire to help you cover all the necessary steps.
PCI DSS compliance is now more demanding than ever. Start making these changes now to avoid last-minute compliance challenges before the March 2025 deadline.
For a full list of all 51 new requirements, refer to the official PCI DSS v4.0 documentation: PCI DSS v4.0.1.
You could end up paying fines that range from $5k to $100k per month to the payment card providers. How much you pay will depend on the level you fall into and the circumstances behind the non-compliance.
For instance, companies that are in the Level 1 category will likely pay out a lot more than those in the Level 4 category. Fines are also dependant on the severity of breaches - if data was breached and it took a long time to fix the issue, you could end up with a heavier fine.
For example, in 2017, British Airways was fined $229 million for a data breach that affected 500,000 customers.
You’ll also lose the trust of your customers who are expecting you to protect their sensitive data. Reputational damage could hurt you long-term, even after you’ve paid the monetary penalties. If your clients find that you’ve put their data at risk, they’re likely to take their business elsewhere.
The transition to PCI DSS v4.0 is a critical step for organisations that in any way deal with payment data and security, and by April 31st 2025, your organisation needs to be ready to comply with the 51 requirements of the new standard.
Understanding the key changes, updating SAQs for compliance, and addressing any common questions will be integral to the success of this process.
By effectively implementing all of these measures, you can stay compliant with industry standards and strengthen your overall security posture around payment data and security.
Download our guide to see how Metomic can help businesses achieve PCI DSS compliance by providing visibility, access controls, data location identification, and employee training on handling sensitive data in SaaS applications.