PCI DSS 4.0 is Here – What You Need to Do to Stay Compliant

If your business takes card payments, chances are you’re familiar with PCI DSS. But if you’re handling compliance processes by yourself, you may not be aware of recent updates, and what it means for your business. Here, Evolve takes you through what’s new in PCI DSS, and how we can help you navigate an easy path to compliance.

PCI compliance refers to the Payment Card Industry Data Security Standard (PCI DSS), which applies to any company that takes card payments. It’s a set of security standards designed to ensure all companies that accept, process, store, or transmit card information securely and protect cardholder information from theft, hacking, data breaches and other security threats.

Failing to comply with PCI standards can result in hefty fines, damage to reputation, and even legal consequences. Whether you’re a large corporation or a small business, it’s important to take PCI compliance seriously.

So, what do you need to do to become – and stay – compliant?

PCI DSS is applied to organisations based on the number and type of card transactions they make each year.

PCI DSS Level 1 ensures the highest level of security for businesses that store, transmit, or process credit card data. A Level 1 merchant is defined as processing at least 1 million JCB card transactions, 2.5 million American Express transactions, or 6 million Visa, Mastercard and Discover transactions per year.

Following an on-site audit, PCI Level 1 merchants and service providers must obtain an annual Compliance Report from a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) to comply with PCI DSS.

But merchants have an extra layer of responsibility when it comes to PCI compliance; they are responsible for ensuring their cards, payments, and internet service providers (ISPs) are compliant to ensure the security of their cardholder environments against data breaches.

The latest PCI DSS version 4.0 became mandatory on 1 April 2024. The previous version, PCI DSS 3.2.1. was retired on 31 March 2024, so all card-accepting organisations need to be compliant with PCI DSS 4.0 from now on.

Version 4.0 has been launched to account for the massive changes in technology, cybersecurity and the way payments are made over the past few years. You only need to look at how COVID-19 accelerated the shift to contactless payments and how e-commerce changed the way people pay. Around the world, millions of brick-and-mortar or cash-only businesses had to go online and accept cards virtually overnight.

Changes that are mandatory as of 1 April 2024 include:
· Companies must define and document the scope of their cardholder data environment annually and after any significant changes are made.
· Any files companies use to create their network infrastructure must be secured.
· Companies must have documented requirements that are shared between their organisation and any third-party service providers they have relationships with.
But 51 new requirements will be mandatory from April 1 2025. Here, we’ve identified the ones likely to require more work or significant changes to your card acceptance infrastructure.
· It will no longer be acceptable to use disk or partition level encryption for any encrypted data that companies store.
· Stored hashes of PANs will need to be cryptographically keyed hashes, and companies will be required to produce an inventory of all the cryptography used to protect cardholder data. Companies will also be required to perform an annual risk assessment of all their uses of cryptography.
· Any JavaScript in web payment pages must be actively managed and must respond to any unauthorised changes.
· Companies will be required to use technology designed to detect and prevent phishing attacks.
· Multifactor authentication will be required for all users who can access the cardholder data environment, not just those who have remote or administrative access.
· Companies must maintain an inventory of hardware and software, but from 1 April 2025, they must also conduct risk assessments of any assets approaching their end-of-life and replace them where appropriate.

Let Evolve manage your PCI DSS 4.0 compliance

Traditionally, ensuring PCI compliance is the responsibility of the business. Companies must undergo frequent internal and external security assessments by authorised independent audit institutions to obtain PCI DSS Level 1 certification, including detailed on-site audits every year.

Achieving and maintaining PCI DSS compliance can involve enormous operational and technical investments, especially for businesses that don’t have payment infrastructures as part of their core operations. For a business operating in multiple sites, like Fuel Forecourts or Retailers, it can be a logistical nightmare to assess every POS terminal or gateway and the processes that accept card payments.

With so many reports, audits and administrative burdens to handle, many companies will be concerned about the amount of money and time it will take to ensure compliance. But there is an easier, cheaper and more efficient way to get PCI-compliant – letting Evolve do the work for you.

Founded in 2005 and serving more than 9,500 sites globally in the Retail, Hospitality and Fuel Forecourt industries, Evolve is a fully Managed Service Provider (MSP) operating in 12 countries, offering customers reliable, secure and Level 1-certified PCI DSS SD-WAN solutions. SD-WAN stands for Software-Defined Wide Area Network, a type of networking technology that enables businesses to manage the connections between their different locations, such as offices, data centres, and remote workers.

The only PCI DSS Level 1-certified PCI-compliant SD Wan device in the world is Mako’s SD Wan device. As a Mako platinum partner, Evolve provides customised SD-WAN solutions with PCI Level 1 certification for payment security. By combining Mako’s devices with Evolve’s friendly, knowledgeable and multilingual 24/7 support team, you can be assured that your call will always be answered by someone within two minutes.

Also, instead of slogging through the 240-question assessment document, for every location, IP address and terminal to get PCI-certified, Evolve will answer them for you. Of those 240 questions, 210 of them – or 90% – are answered by Evolve’s PCI compliance capabilities, so its customers don’t have to worry about them. The team can also guide you on the journey to achieving complete PCI audit compliance – something no other provider can offer.

With the combination of Evolve and Mako, and its annually assessed attestation of compliance, businesses gain an unbeatable PCI compliance suite that no other provider has. That’s hugely important because, as evidenced by PCI DSS 4.0 above, criteria and requirements can frequently change. 

Contact Evolve to find out more about how the team can help you manage your PCI DSS compliance requirements. You can also check out this case study on how Hydes Brewery achieved effortless PCI DSS compliance thanks to Evolve.