Author: Verizon Payment Security Practice
Date published: March 28, 2025
PCI security compliance is the practice of following data security requirements established in the Payment Card Industry Data Security Standard (PCI DSS) and other related applicable PCI security standards. The PCI DSS has specified objectives and minimum requirements for businesses to follow to help mitigate risks associated with the storage, transmission and processing of payment card account data.
This brief guide breaks down some of the key points you need to know, including how changes in the updated PCI data security standard, versions 4.0 and 4.0.1, impact specific industries. It offers guidance on how to choose and prioritize your security compliance goals and objectives. It also offers a compliance checklist to help you and your customers track compliance with applicable PCI standards.
PCI security compliance is the practice of following global data security standards established in the PCI DSS and other applicable PCI security standards. It provides minimum baseline control requirements for businesses to follow to help mitigate risks associated with sensitive data. Here are key questions you should ask about these security requirements, including what’s new in PCI DSS v4.0.
Introduced in December 2004, the PCI DSS (as updated, the 'Standard') is a set of data security control requirements maintained by the PCI Security Standards Council (PCI SSC), the body founded in 2006 by the major payment card brands, to help protect account data throughout the life cycle of payment card transactions. It applies to every environment where payment card data is transmitted, processed or stored. The Standard defines the minimum baseline of requirements businesses must follow to reduce the risk of sensitive data, such as credit and debit card numbers, falling into the hands of threat actors. The requirements also help harden the websites and applications that transmit, process or store card payment data against attack.
Nearly every business that accepts or otherwise handles (stores, processes or transmits) credit or debit card account data, together with any organization that can affect the security of that data, is contractually obligated to comply with the PCI DSS. The Standard is not a law; it is enforced through the agreements that merchants and service providers hold with their acquiring banks and the card brands. The PCI DSS scope covers all the systems, people, documents and processes that store, process or transmit account data or that can affect its security.
PCI DSS version 4.0 is arguably the most significant update since the initial release of PCI DSS version 1.0 in December 2004. The updates to the requirements in version 4.0 are intended to improve how compliance is measured on an ongoing basis, to better track how well organizations meet the Standard's requirements. Since its release in March 2022, organizations worldwide have focused on the 13 new requirements that applied immediately to v4.0 assessments (and became mandatory when v3.2.1 was retired on March 31, 2024) and on the 51 future-dated requirements that had to be in place by March 31, 2025. In June 2024 the Standard received a limited revision, version 4.0.1, which corrected and clarified v4.0 without adding or removing requirements; v4.0 itself was retired on December 31, 2024.
An overhaul of the PCI DSS, from v3.2.1 to the v4.0 release, is a major update. The update was much needed to reflect many of the changes that occurred in the realm of cybersecurity since the 2013 debut of the last major version of the PCI DSS (version 3.0). Although the PCI SSC has made some updates to the Standard, it did not undertake a full reassessment and redesign of its security requirements until it developed PCI DSS v4.0.
Much has changed on the cybersecurity front since 2013. Many workloads have moved from on-premises environments to the cloud, where they face different network security challenges. New forms of payment have emerged, and threat actors' methods have evolved: phishing, smishing, spoofing, ransomware and pretexting are now routine. Security best practices have also matured over the past decade, with techniques such as multi-factor authentication (MFA) becoming standard. The updates to the PCI DSS take these and many other modern threats into account when defining best practices for securing card payments.
You can find the complete list of changes in PCI DSS v4.0 and v4.0.1 on the PCI Security Standards Council website. Here's a summary of some of the key new requirements that will affect businesses across virtually all sectors and verticals:
Although earlier versions of PCI DSS required basic measures to prevent unauthorized access to sensitive information, PCI DSS v4.0 tightens them. One example concerns how stored primary account numbers (PAN) are rendered unreadable. Under Requirement 3.5.1.2, disk-level or partition-level encryption may be relied on by itself only for removable electronic media; on non-removable media, PAN must also be rendered unreadable by another mechanism that meets Requirement 3.5.1 (truncation, tokenization, strong one-way hashing or field-level encryption). The reason is practical: full-disk encryption protects data only while the disk is at rest, and does nothing against anyone with a valid login on a running system.
Access control requirements, which help protect applications that process payments from threat actors, are also stricter under PCI DSS v4.0 and v4.0.1. Requirement 8.4.2 extends multi-factor authentication (MFA) from administrative access to all access into the cardholder data environment, and Requirement 8.5.1 sets rules for how MFA is implemented: it must be resistant to replay, must not be bypassable, must use at least two different factor types, and must grant access only after all factors succeed. Password rules changed as well. The minimum length rose to 12 characters with both letters and numbers (Requirement 8.3.6; 8 characters if the system cannot support 12). Where a password is the only authentication factor for user access, it must be changed at least every 90 days or the account's security posture must be analysed dynamically (Requirement 8.3.9). For application and system accounts, passwords are changed at a frequency set by the entity's targeted risk analysis and upon suspicion or confirmation of compromise, with complexity appropriate to how often they are changed (Requirement 8.6.3).
Under PCI DSS v4.0 and v4.0.1, organizations subject to PCI DSS compliance must designate the individuals responsible for overseeing the implementation of compliance practices and define each individual's role. Each of Requirements 1 through 11 now opens with a sub-requirement (numbered x.1.2) that the roles and responsibilities for that requirement are documented, assigned and understood. This means that rather than treating PCI DSS compliance as a generic set of responsibilities borne by the business, companies now need to determine precisely who is responsible for what when it comes to meeting compliance requirements.
Prior to PCI DSS v4.0, the Standard provided only a list of defined security requirements. v4.0 introduced the option for organizations to implement security controls in a way that meets the intent of a requirement rather than its prescribed wording. This is referred to as the "customized approach." Organizations can mix the two, validating some requirements with the defined approach and others with the customized approach. The customized approach is not a shortcut: each customized control needs a targeted risk analysis (Requirement 12.3.2) and supporting documentation, and it can be validated only by a Qualified Security Assessor or Internal Security Assessor in a Report on Compliance, so entities that self-assess with an SAQ must use the defined approach. Learn more about PCI security compliance and PCI DSS.
The new and updated PCI security compliance requirements may impact your organization in different ways, depending on your industry. Look through some of the important requirements specific to various industries—from online retail to the public sector.
PCI security compliance obligations, including the changes described above, apply to all businesses that have a contractual business-to-business obligation to adhere to the PCI security regulations. Organizations that transmit, store and/or process PCI-branded payment card account data—as well as organizations that can affect the security of payment card account data—usually have a contractual obligation to comply with the industry regulation. Depending on your industry, the updated and new PCI security compliance may impact your organization in additional ways. Here's a look at how the PCI DSS impacts industries across several key sectors.
If you are an online retailer, you are probably familiar with PCI security compliance, given that it is virtually impossible to operate an e-commerce site without accepting card payments. However, the stricter security requirements of PCI DSS v4.0 and v4.0.1 mean that you may need to implement new types of controls and protections.
For example, Requirement 6.4.3 requires that every script loaded and executed in the consumer's browser on a payment page is authorized, has its integrity assured, and appears in an inventory with a written justification. Together with Requirement 11.6.1, which calls for a change- and tamper-detection mechanism on payment pages, it targets script-injection and e-skimming attacks, of which cross-site scripting (XSS) is one delivery route. Similarly, Requirements 7.2.5 and 7.2.5.1 require that application and system accounts and their privileges are assigned on a least-privilege basis and reviewed periodically. Retailers whose software platforms lack granular access control may need to update their access frameworks to meet these requirements.
Many quick-service restaurants and hotels have turned to self-service kiosks in recent years to allow customers to order and pay for services—a change partly born from the demand for contactless service during the pandemic, and partly from customers' desire for convenient, on-demand payment solutions.
In many cases, self-service kiosks are powered by standalone devices that connect to payment networks over the internet. Because these devices allow customers to pay by card, businesses in the hospitality industry must ensure they adhere to the PCI DSS v4.0 and v4.0.1 requirements that affect device security. For example, they must meet Requirement 2.3.1 (numbered 2.1.1 in v3.2.1), which requires that all wireless vendor defaults, such as default encryption keys, passwords and SNMP community strings, are changed at installation or confirmed to be secure for any wireless environment connected to the cardholder data environment or transmitting account data.
They must also secure the networks that self-service devices use to reach payment processing platforms. Requirement 4.2.1, for instance, requires strong cryptography and secure protocols for account data sent over open, public networks (the internet included), with only trusted keys and certificates accepted; from March 31, 2025 it also requires confirming that those certificates are valid and not expired or revoked, and Requirement 4.2.1.1 requires an inventory of the entity's trusted keys and certificates. Read more here about how Verizon can help with restaurant PCI security compliance.
For banks and other businesses in the finance industry, the targeted risk analysis introduced in Requirement 12.3.1 now sets the frequency of several periodic activities (for example, Requirement 5.2.3.1 for re-evaluating which systems are not at risk from malware, and Requirement 9.5.1.2.1 for inspecting point-of-interaction devices), so institutions need documented, defensible schedules for these activities to be PCI compliant. This applies to internal systems and to any external software that helps customers process payments. Banks also face mandates related to protecting endpoints, cloud resources, remote workers and any other systems connected to payment processing.
Although PCI compliance is not unique to the finance industry, it is likely to prove complex in the case of finance given the breadth and depth of the systems used to support a financial institution's needs. Read more about how Verizon can help you prepare for PCI DSS requirements for financial services organizations.
No matter your industry, you can take critical steps and best practices now to help ensure you are meeting the new PCI security compliance mandates. Familiarize yourself with the following questions about PCI security compliance in the age of the PCI DSS v4.0x.
Sustainable PCI DSS compliance requires an organization to show that it can consistently and rapidly detect when a control has lapsed and restore it.
Compliance sustainability is trending downward compared with previous years, suggesting that organizations are finding it harder to keep controls in place between assessments. The compliance control gap, the difference between the measured state of compliance and 100% compliance, was 4.5% in 2023, up from 3.2% the prior year, according to the Verizon 2024 Payment Security Report (PSR).
Another notable trend is that some of the 12 principal PCI DSS requirements that organizations struggle with most, such as Requirement 11, which mandates regular security testing, are areas of focus in PCI DSS v4.0 and v4.0.1, which add new testing-related requirements. The requirements that businesses struggled with in earlier versions will likely continue to prove challenging as PCI DSS v4.0x is fully rolled out.
Keeping your business PCI security compliant starts with understanding the PCI DSS compliance requirements, and the investment needed to develop and maintain a sustainable security strategy and program. You need to have an accurate understanding of how the compliance scope and requirements impact the specific payment systems and technologies your organization uses. From there, you need to implement protections capable of addressing compliance mandates. Read more here about how to keep your business PCI security compliant.
Evaluate the new and updated PCI DSS requirements and determine how they impact your business. Make sure you implement the security controls necessary to meet them.
The Verizon Payment Security Practice recommends the following general PCI DSS v4.0x transition roadmap:
Learn more about how to prepare for the new PCI security compliance changes in the 2024 Payment Security Report which draws on current trends combined with the experience gained from 20 years of Payment Security Report research including critical success factors and design approaches for Payment Card Industry (PCI) security programs.
Failure to meet PCI security requirements could result in your business suffering an incident or data security breach, which, in turn, may lead to potential consequences such as:
Noncompliance fines are discretionary: each participating card brand applies its own criteria, and fines are levied on the acquiring bank, which typically passes them on to the merchant under its merchant agreement. For example, a small organization that suffers a compliance issue lasting just a few weeks may only be fined a few thousand dollars. But if you are knowingly non-compliant for many months and process tens of thousands in payments per month, fines of $50,000 or more are not unusual.
Given the complexity of PCI DSS compliance, having an expert on your side can be critical to ensuring your business interprets and implements PCI security requirements effectively.
Verizon can help. Drawing on extensive experience helping companies secure digital payments, Verizon offers a PCI DSS assessment that provides businesses with access to professional compliance assessors, who identify critical gaps (if applicable) and provide guidance on remediating the gaps.
When it comes to navigating the complexities of PCI DSS compliance, you are not alone. Learn more about how Verizon can help strengthen your security and manage your compliance using industry standards and best practices.
Finally here are some common questions about PCI security compliance in the age of the PCI DSS v4.0x.
Businesses that interact with payment card account data (receive, access, store, process and/or transmit it) are likely to have one or more contractual obligations to meet all applicable PCI DSS v4.0.1 requirements. This aspect of PCI DSS compliance has not changed from earlier versions; the Standard has always applied to any organization that receives and handles payment card account data. Note, however, that PCI DSS v4.0.1 may affect businesses in certain sectors in particular ways, as discussed in the industry impacts section above.
Verizon is here to help businesses navigate the complexities surrounding modern PCI security compliance. Official information about PCI DSS compliance and PCI DSS v4.x is available from the Document Library of the PCI Security Standards Council. Businesses can review the most recent version of the Verizon Data Breach Investigations Report (DBIR) to learn about key trends. Security and compliance teams can also download the 2023 Payment Security Report insights white paper on the value of advanced PCI security program management design and the 2024 Payment Security Report for information on essential PCI security program measurements, metrics and performance evaluation to improve security and compliance outcomes.
The author of this content is a paid contributor for Verizon.