PCI DSS 4.0: What opportunities does it present for merchants?

Love it or hate it, PCI DSS (Payment Card Industry Data Security Standard) compliance is a fact of life for all merchants accepting credit or debit card payments. But, with PCI DSS 4.0 coming into effect on 1 April 2024, that fact will change: paving the way for increased customer trust, reduced fraud, and even more secure treatment of cardholder data.
In this article, we’ll explore the newest face of PCI compliance: looking first at how to achieve it before unpacking the key challenges it poses to merchants. Then, we’ll dive deep into the thrilling opportunities PCI 4.0 can offer – and how Checkout.com can help you seize them to avoid fees and penalties and set your business apart from the competition.

How to prepare for – and achieve – PCI compliance

To become PCI compliant (which you’ll need to be if your business processes card payments), you’ll need to master three key tenets:

• Understanding the 12 PCI requirements
• Using a compliant PSP (payment service provider)
• Choosing the right validation (either defined or customized)

We’ll explain what these all mean below.

Understand PCI requirements

Like PCI’s previous iteration, v3.2.1 – and the versions before that – PCI 4.0 sets out 12 requirements for merchants to achieve compliance. These involve:

1. Establishing and maintaining network security controls
2. Updating vendor-supplied default settings, such as usernames and passwords
3. Protecting stored account and cardholder data
4. Encrypting cardholder data in the payment process
5. Improving and updating your malware protection
6. Keeping your apps up to date
7. Limiting availability to cardholder data within your organization
8. Identifying and authenticating all users with access to cardholder data
9. Restricting physical access to cardholder data
10. Logging and monitoring all system access
11. Testing the security of your networks and systems
12. Prioritizing information security

To learn more about PCI 4.0 requirements and how this latest version builds on the established 12 rules, explore our guide to PCI DSS 4 – what merchants need to know.

Use a compliant payment service provider (PSP)

PCI compliance has, traditionally, been a tricky, time-consuming process for merchants – especially those who aren’t interested in the administrative or technical parts of accepting online payments and just want the convenience and seamlessness they offer.

One example? PCI SAQs (Self-Assessment Questionnaires). To start the process of becoming PCI compliant, you’ll need not only to fill one of these questionnaires out (the longest has 329 questions) but also figure out which form (there are nine) applies to your business.

Untangling the complexity of SAQs is just one of the ways the right payment service provider (or PSP; the companies, like Checkout.com, that process digital payments on your business’s behalf) can help you achieve – and maintain – a PCI-compliant approach.

Checkout.com is Level 1 PCI DSS compliant, the highest possible. What this means for you is that when you process certain payment methods with us, we can shift the responsibility for PCI compliance from your shoulders to ours. With a hosted payment gateway, for example, your customers can make a purchase from your ecommerce store but on a payment page housed on our servers – the same goes for payment links and frames.

In this scenario, your business never comes into contact with the cardholder’s sensitive payment information – relieving you of the bulk of your PCI burden, and meaning you’ll most likely only have to fill in the shortest and easiest SAQ. (That’s SAQ A, with just 22 questions.)

Plus, when you opt for a reliable, reputable PSP like Checkout.com, you’re not just getting us – you’re drawing on the power of our connections, too. We have, for example, partnered with SecurityMetrics – a leading merchant data solutions security provider and certified Qualified Security Assessor (QSA) – to help you renew and validate your PCI certification.

Having a QSA on board from the outset is an excellent idea – especially because it’s these organizations who’ll be evaluating your PCI compliance come validation time.

Choose the right validation (defined or customized)

To become PCI compliant, your business’s security setup will need to be validated by an external organization (the QSA we mentioned above) to ensure you’re meeting the 12 PCI requirements (which are also mentioned above.)

To prepare your business for this process in previous PCI versions, you’d most likely have taken the defined approach. This is the traditional method for implementing and validating PCI’s dozen key requirements and follows the established industry standards and best practices the PCI SSC (Payment Card Industry Security Standards Council) lays out.

The defined approach is essentially a structured, standardized framework for helping your business achieve PCI compliance. It’s tried, it’s tested; stick closely to it, and you’ll be fine.

What PCI DSS 4.0 did, however, was introduce a bit more wriggle room for businesses – especially larger ones with more complex operational demands and processes.

This is the customized approach, and – instead of following a defined set of granular rules to the letter – allows you to design bespoke security controls to better align with your technical and commercial needs. The customized approach offers flexibility; and – because it allows you to address any specific security risks or vulnerabilities more directly – can make your organization even more secure and PCI compliant than with the defined approach.

Here at Checkout.com, we know that no two organizations are the same, and nor should their approaches to achieving PCI compliance be. That’s why we’ll work with you to help your business take a customized route to achieving your business’s PCI compliant needs.

Overcoming challenges presented by PCI 4.0

PCI 4.0’s introduction is a positive change which presents some exciting opportunities.

But change does, of course, go hand in hand with challenges (even if the words are similar!). So, with PCI 4.0 being essentially brand-new, what kind of teething difficulties can we expect?

• More demanding standards: PCI 4.0 ushers in stricter, more detailed requirements. And, while larger organizations will have the resources and technical know-how needed to meet them, it’s small and medium-sized businesses – namely, those without specialized payment security teams to hand – who may struggle.
• The question of custom: PCI 4.0’s customized approach to validation is excellent news for businesses looking for a more flexible relationship with PCI’s 12 rules. However, the effort involved in developing these tailor-made security strategies – which, as an extra requirement, call for specific details about your business’s existing security vulnerabilities.
• Tougher security protocols: By mandating the use of multi-factor authentication (MFA) to access cardholder data environments (CDE) and imposing more stringent encryption requirements, PCI 4.0 may require you to update aspects of your systems and training.
• Greater emphasis on risk management: PCI 4.0 calls for a heightened focus on risk assessment, management, and mitigation, with continuous monitoring required. (Which, as a result, places more demands on your business’s time and team.)
• More rigorous staff training: Under PCI 4.0, you’ll be required to provide up-to-date cyber security awareness training every year for your team to keep them informed about the latest online fraud and cybercrime trends. This is expensive: not least for smaller businesses working on shoestring budgets.
• More documentation: PCI 4.0 requires more documentation than its predecessor, especially around reporting. This can put pressure on the administrative capabilities of small and large businesses alike.
• Technical adaptations: Modernizing your IT infrastructure to respond to new, stringent security measures can create a technical mess, especially for older legacy systems. 

Ultimately, PCI 4.0 extends the scope of the previous version to include more systems and processes: meaning that, as of April 1, 2024, you’ll require more resources, more effort, and more maintenance to stay compliant. You can also expect your fair share of transitional challenges as you get to grips with the changes PCI 4.0 is bringing to the table.

For a recap of what these updates are, this Summary of Changes document – published by the PCI SSC itself – provides a comprehensive, if rather inaccessible, rundown.

PCI SAQ A: Changes and challenges

PCI SAQ A, you’ll remember, is the shortest, simplest PCI self-assessment questionnaire.

It’s the one you’ll fill out when you have the least involvement with the cardholder data you process – for instance, when you work with a PSP like Checkout.com to process your payments.

However, the changes PCI 4.0 introduces will have a bearing on SAQ A. So, we’ve rounded up a short list of the key challenges you may face if you fill out an SAQ A form for PCI compliance:

• Better password security: PCI 4.0 puts more emphasis on strong passwords and watertight authentication methods. While this won’t affect you directly, given you don’t process credit or debit card information on your own systems, you’ll still need to ensure the companies you work with have robust security practices.
• Clearer rules: PCI 4.0 will make it easier for your business to understand what it needs to do to be PCI compliant – however, this might change whether you can use SAQ A.
• Need for more proof: With the extra documentation PCI 4.0 demands, you may have to provide more evidence to prove you’re following the rules – which, if you’re an SAQ A user, means ensuring your and your PSP’s paperwork is in order.

Despite the challenges, it’s worth restating that PCI 4.0 is a good thing. It is, after all, a product of 6,000 pieces of feedback from more than 2,000 organizations – so it’s been formulated with the input of merchants for merchants to ensure a safer, more sustainable way of safeguarding your customer’s data. (And, by proxy, your business’s reputation and bottom line.)

But preparing for PCI 4.0 compliance isn’t a ‘set and forget’ process. It’ll require ongoing optimization and regular tweaks, plus a clear, open line of communication with your PSP.

If you don’t have a PSP – or aren’t fully convinced they’re the right one – get in touch with our team of payment experts here at Checkout.com today for a no-obligation conversation about how we can meet your organization’s PCI compliance needs.

PCI 4.0: Opportunities for merchants

Steve Jobs once famously said: “Innovation is the ability to change as an opportunity – not a threat.” So are you ready to innovate and learn more about the top 6 exciting possibilities PCI 4.0 presents for your business in 2024?

If so, read on.

More data security for your cardholders; less data breaches for you

PCI 4.0 introduces several key measures to help you protect your customers’ sensitive payment information. Among the changes mandated are:

• Multi-factor authentication to access cardholder data environments
• Longer, more complex passwords for your systems
• Regular and robust cybersecurity awareness training
• Malware detection software for USBs, external hard drives, and other removable media

These changes help you meet several PCI requirements: especially the ones specifying that you limit, identify, and authenticate users with access to your CDE. However, these new PCI 4.0-imposed security measures also have a much more tangible, immediate benefit for your organization – minimizing the risk of data breaches.

A staggering 88% of all data breaches are caused by human error: most commonly through phishing schemes, where an unwitting employee clicks on a malicious link in an email or SMS, and compromises the business’s whole security setup in the process.

Well, PCI 4.0 helps keep you one step ahead of the hackers by mandating yearly cybersecurity awareness training – informing your staff about the latest phishing and social engineering techniques to mitigate the impact of breaches on your business. Considering that the average financial cost of a data breach to organizations in 2023 was $4.45 million – and that, for some companies, the reputational hit could be even worse – PCI 4.0 could stand to save you a lot.

Customer trust

PCI compliance has always been an important trust signal for customers.

Like the blue tick on a company’s social media account or the padlock symbol that tells you a website is safe to access, PCI demonstrates to your customers that you’re committed to processing their card payment data in a compliant, secure way.

First, this builds trust; later, it breeds loyalty; further down the track, it equates to a repeat – or even lifetime – customer with positive, long-lasting perceptions about your business.

With PCI 4.0, then – which ramps up the security requirements around cardholder data processing – why not go the extra mile to build consumer trust by sharing your compliance activities with your customer base?

You could, for instance, write a blog or two about the changes, and what they mean for the customer. You could create video content of your staff on cybersecurity awareness training, and even share these newfound learnings as tips on your website – helping to keep your audience safe from phishing and social engineering attacks, too. By encouraging them to learn more – not only about the principles of PCI 4.0, but what it means for them in practice – you’ll be showing them how much you respect and value them. (Their data and their custom.)

Differentiation in the market

In a crowded space of competitors – often all vying for the same, ever-shrinking pool of customers – proper PCI 4.0 implementation can be a vital market differentiator.

Acting quickly to adhere to (and advertise your commitment to) PCI 4.0 requirements will set you apart from similar businesses that don’t prioritize or even meet that level of compliance.

This can, of course, help you win new customers and retain your existing ones. But it can also gain you new partnerships and collaborations, too – especially with the myriad organizations who, as of 1 April 2024, will require full PCI 4.0 compliance as a prerequisite to do business. This way, achieving and maintaining PCI 4.0 compliance can open your business up to fresh revenue streams, markets, customers, and business allies.

Avoid fees and penalties

Above, we discussed how financially damaging the indirect consequences of PCI non-compliance (data breaches to the tune of millions, for example) can be. But failing to meet your new obligations under PCI 4.0 comes with its own set of penalties, too.

Currently, PCI non-compliance comes at a cost of between $5,000 and $100,000 per month until the issue is addressed. Your PSP may also cut ties with you, resulting in your inability to accept credit or debit cards or accept payments online and via digital wallets such as Google Pay and Apple Pay. On top of this, you may be liable for fraud charges or even – if your business is found to be in breach of wider laws and regulations – government sanctions.

This is all bad for your wallet and your reputation – not least because customers tend not to like doing business with companies that aren’t committed to protecting their data.

To avoid these fees, penalties, and worse, ensure your organization is PCI compliant before the 1 April 2024 deadline kicks in. If you’re still not there yet, don’t panic – Checkout.com can help.

Lower fraud risk

One of the goals of PCI compliance has always been to lower your organization’s risk of falling prey to the many types of payment fraud.

PCI 4.0, though, takes this even further. For example, it expands, on the traditional PCI requirement (#6), mandating that your business not only keeps its applications updated and maintained but all software involved in the payments process. This helps prevent certain web-based attacks, and stop cybercriminals from tricking their way around your defenses.

Also, the bolstered rules PCI 4.0 ushers in around physical and digital access control: that is, who has access to need-to-know systems and information, and how much access they have. This helps arm your business against social engineering and phishing attacks because, even if a fraudster does manage to deceive one of your team members into giving up their credentials, the chance of that employee having access to the most sensitive of cardholder data is slim.

Finally, PCI 4.0 compliance lowers your fraud risk by specifying that you algorithmically encrypt, and scan, cardholder data – when it’s both in use and in storage.

One such method, which we support at Checkout.com, is tokenization. Essentially, it involves replacing the actual customer data (such as the PAN: primary account number) with randomly generated alphanumeric chains called ‘tokens.’ Should a hacker or fraudster gain access to these tokens – which have no value or meaning outside of the PCI 4.0-compliant system – there’s no way of using them to derive the original cardholder data, which is safe.

To learn more, explore our guide to fraud detection and prevention in payments.

Globally accepted

PCI DSS is recognized and required around the world by all the major credit card brands.

What this means for you, as a merchant, is that all the PCI DSS opportunities we’ve discussed above aren’t limited to your own country, your own market, or even your own customer base as it exists now. When we say PCI 4.0 can boost consumer trust, that means all consumers – wherever in the world they’re based. When we say PCI 4.0 can lower your fraud risk, that goes for all transactions – even if they take place across borders. And, when we say PCI 4.0 can differentiate you in the market, you can be sure we don’t mean the domestic market alone.

With access to overseas customers, international expansion, and secure cross-border ecommerce all possible thanks to PCI 4.0’s global recognition, there’s a lot to be excited about.

How does Checkout.com validate PCI compliance?

At Checkout.com, your data security – and, therefore, the data of your customers and cardholders – is our top priority. It’s why we’re certified to the highest PCI DSS level and how we ensure secure, compliant payment operations for you – regardless of your PCI level.

When you process payments with us, you’ll be able to do so not only in 150 currencies or 29 payment methods but in a way that renders you completely PCI compliant. We’ll host your payment pages on our servers, tokenize your payment data for you, and work with the banks to handle the whole transaction: from the moment it’s authorized to the moment the funds appear in your business’s account. Your PCI responsibilities? Just 22 straightforward questions.

To aid your business’s seamless transition to PCI DSS 4.0, we’re making our partner, SecurityMetrics, your partner. They’ll work closely with you to help you get to grips with how the new requirements affect your business – not anyone else’s. That means all support, guidance, and costs involved will be customized to fit your precise, unique needs.

As for the changes to SAQ A, Security Metrics has added guidance notes to the questionnaire to decode what’s new for you. And, if you’ve already filled out an SAQ A with SecurityMetrics before, even better – the questions from last year will automatically map to this year’s form.

So, if you don’t feel like navigating the changes of PCI DSS 4.0 alone – but you do feel like taking advantage of its opportunities – get in touch with Checkout.com’s team of compliance experts today to explore how we, and the team at SecurityMetrics, can meet your PCI needs.