
PCI DSS Compliance: What Businesses Should Know

The compliance deadline of 31 March for PCI DSS v4.0.1 has passed. Now the update to global information security rules is in place, what do firms need to know?

The March 31 deadline to comply with the updated Payment Card Industry Data Security Standard (PCI DSS) has now passed. From now onwards, firms that handle payment card data including financial institutions, merchants, payment service providers and billers, must comply with the new requirements outlined in PCI DSS v4.0.1. 

The update to PCI DSS includes a need to boost security and ensure continuous compliance, rather than just performing annual box-ticking exercises. So, now the update to global information security rules is in place, what do firms need to know? 

What’s Changed 

The rules haven’t changed significantly, but they do reflect an updated view of security as a continuous effort, experts say. The latest iteration of the standard, PCI DSS v4.0.1, represents a shift towards “a more proactive and adaptive security posture”, says Justin Cattermole, principal consultant at AMR CyberSecurity. 

“Unlike earlier versions, which often enabled organisations to approach compliance as a box-ticking exercise, the updated standard requires businesses to embed security into their operations comprehensively.” 

This includes meeting enhanced authentication protocols, deploying robust encryption standards, and implementing continuous monitoring mechanisms to stay ahead of evolving threats, says Cattermole. 

One key change is the introduction of the Targeted Risk Analysis or “TRA”, says Paul Brennecker, head of information security at 3B Data Security. “This approach requires entities to undertake a risk assessment based on the applicable PCI DSS requirements and will dictate how often an organisation performs a particular control.” 

The update also sees the introduction of more flexible security controls. This means organisations can design customised controls if they meet objectives and are backed by a formal risk analysis, says John Waller, cybersecurity practice lead at Black Duck.  

While no specific controls have been eliminated, the new version of PCI DSS “effectively deprecates static security models” in favour of “risk-informed, flexible implementation”, says Waller. “Outdated password complexity rules such as rotation every 90 days have been replaced with NIST-inspired guidance focusing on passphrases and secure storage.” 

At the same time, a new version of the Self-Assessment Questionnaire has been introduced.  

As part of the changes, merchants must actively manage all their service providers and ensure they are taking responsibility for implementing the required checks and controls, says Wayne Campbell, head of pre-sales at Access PaySuite, part of The Access Group. “This involves mapping out how card payments flow through the business, identifying where the payment process starts and ends, and ensuring that the relevant controls outlined in the standards are applied across their entire payment ecosystem.” 

Meanwhile, there is a heightened emphasis on merchants monitoring JavaScript, especially within web pages. “Since many websites rely on third-party service providers for JavaScript code to power various functions, the updated PCI DSS now requires merchants to monitor, maintain and report on all JavaScript – even when it falls outside their direct control,” Campbell explains. 

Implementation Challenges  

The update has been welcomed by the security industry, but there are challenges for some firms implementing the updated standards. Smaller organisations are finding resource constraints a barrier, while larger businesses often face complexities associated with scale and consistency, says Cattermole. The added responsibility of ensuring third-party vendors meet compliance standards is “further complicating matters”, he says. 

Smaller businesses are likely to face challenges in managing third-party service providers, concurs Campbell. “They often rely on external companies for website management, hosting and CRM services, but may lack the technical expertise to make sure these providers meet PCI DSS standards. Without in-house IT or cybersecurity teams, it can be especially difficult.” 

A key challenge will be the need to monitor JavaScript sourced from third parties to ensure compliance, says Campbell. “This may pose another significant hurdle for smaller firms that lack in-house technical resources. Merchants will also need to have a solid understanding of the updated Self-Assessment Questionnaires, ensuring they use the correct one, as incorrect submissions can invalidate compliance.” 

Steps to Compliance  

It might seem complex, but there are some simple steps you can take now to make sure you are complying with the regulation. Experts recommend conducting gap analyses, updating security policies and training staff. 

If you haven’t done so already, start with a clear gap analysis, says Brennecker. “Identify and understand where your existing controls no longer meet the standard. From there, the focus should be on stronger governance and making sure controls are working as intended, with clear evidence to back it up.” 


To meet the “intent and spirit” of PCI DSS v4.0.1, organisations must prioritise cyber resilience, says Ian Robinson, chief software architect at Titania. He advises implementing configuration monitoring to support continuous compliance; enforcing zero-trust segmentation; adopting risk-based remediation; and delivering evidence-based reporting. 

It's important to accept that compliance is not a one-time exercise. Compliance with PCI DSS v4.0.1 is “an ongoing effort”, says Stew Parkin, global CTO at Assured Data Protection. Regular internal audits, monitoring and “adapting to evolving security threats” will be key in meeting the requirements, he says. 

PCI DSS emphasises the need for continuous improvement and proactive risk management, making it “vital” to engage teams across the organisation, says Cattermole. “From educating employees about security best practices to embedding compliance into everyday workflows, these measures ensure security becomes a shared responsibility.”  

Staff education on data security is “vital”, agrees Campbell. For businesses with limited resources, utilising PCI DSS tutorials or appointing an Internal Security Assessor – a designated employee responsible for evaluating and validating adherence to the standard – can be highly beneficial in maintaining compliance, he adds. 

It might be an effort at first, but in the end, making these changes will be worth it for an overall security boost, experts say. Ultimately, PCI DSS v4.0.1 sets “a new baseline” for what “good” looks like in payment security, says Brennecker. “It’s no longer just about ticking boxes. The standard is there to help businesses build stronger, more resilient security.” 


Kate O'Flaherty, cybersecurity and privacy journalist