What the New PCI DSS changes mean for your Data Protection mandated legal requirements

The recent shift to Payment Card Industry Data Security Standard 4.0 (PCI DSS) has major implications for merchants, processors, acquirers, issuers and any other businesses that handle card payment data.

The new changes came into effect on April 1st 2024, with additional more complex requirements mandated April 1st 2025, the aim to keep pace with evolving security demands, best practice and validation methods. 

Although PCI DSS itself isn’t technically a legal requirement, it is signposted by the ICO, Information Commissioners  as the industry standard required to meet legal requirements mandated under the Data Protection Act. Businesses still face hefty financial penalties and reputational damage if they fail to demonstrate preventative measures in the event of a data breach or company audit.  

With that in mind, let's delve into what these changes are, why they're important and how to ensure your business has all bases covered. 

What is PCI DSS? 

PCI DSS is a data protection framework which keeps credit card information secure. Its main purpose is to safeguard cardholder information and reduce the threat of credit card fraud.  

The guidelines are considered an industry standard for any business involved in processing or storing cardholder data. PCI DSS is also applicable to companies who have outsourced their payment card operations to a third-party provider. 

The guidelines are managed by the Payment Card Industry Security Standards Council (PCI SSC), in close collaboration with major credit card providers such as American Express, MasterCard and Visa, among others.  

PCI DSS v4.0 – Understanding the changes 

The latest version of PCI DSS legislation introduces more rigorous security controls which intend to ramp up protection of cardholder data. Here’s a rundown of the main changes you need to be aware of: 

• Authentication protocols – Multi-factor authentication (MFA) has been expanded to include remote access, in addition to accessing the cardholder data environment. 
• Password management – Businesses are now required to conform to a mandatory password length and complexity, tighter restrictions on login attempts and regular password changes. 
• Enhanced security training – PCI DSS v4.0 requires companies to conduct a security awareness training review each year. There is also additional focus on managing threats such as phishing and social engineering attacks.  
• Compliance questionnaire update – The previous compliance questionnaire has received a comprehensive update and now features nine levels of compliance to ensure businesses are evaluating their security measures in greater detail.   

Ensuring compliance with PCI DSS v4.0 

Staying compliant with PCI DSS requires careful planning. Following these steps is a good starting point for almost every business to which the standard applies: 

1. Confirm your status – PCI DSS requirements vary based on the number of transactions your business processes annually. First you need to determine your merchant level, from 1 to 4, to understand the specific requirements applicable to your business.   
2. Assess your risks and vulnerabilities – Conduct a thorough risk analysis of your business's environment, including networks, systems, and applications that handle payment card data. Identify vulnerabilities or gaps that need to be addressed.   
3. Update security policies – Aligning your security policies with the new standards is essential. This means taking time to update encryption methods, authentication processes, and monitoring systems.  
4. Deliver effective training – All employees must be trained under the new provisions and made to understand the importance of maintaining strict protocols when it comes to handling card data.  
5. Leverage technology – A robust payment processing software will greatly enhance your security while simplifying compliance. This can reduce the administrative burden of the compliance questionnaire and ensure that your business is protected.  
6. Consider expert support – PCI DSS compliance can be a complicated process, which is why many businesses choose to outsource the responsibility to a specialist third-party assessor to validate their compliance with PCI DSS. This frees up internal time and resources to focus on other aspects of running the business.  
7. Submit accurate compliance reports – Once you have achieved compliance, it’s important to file accurate reports and documentation to your acquiring bank or payment processor to demonstrate your compliance status.   
8. Commit to full-scale reviews every 12 months – The new standard requires all companies to document and confirm the scope of their PCI DSS compliance at least once every 12 months.