A critical deadline of March 31, 2025 is upcoming for the full implementation of the new requirements contained in the Payment Card Industry Data Security Standard (PCI DSS) version 4.0. This update introduces significant changes that will impact organizations handling payment card data. Reviewing the requirements now, to determine your current compliance status and the changes needed to meet the new requirements, is recommended to protect your organization from the evolving threats related to handling sensitive client data.

Key Points

  1. Deadline: March 31, 2025
  2. Who Must Comply: All organizations that store, process, or transmit payment card data. PCI DSS v4.0.1 requirements are more robust across all client sizes.
  3. Importance: Enhanced security measures to protect against evolving cyber threats. Criminal elements continue to exploit security weaknesses, requiring an evolving and more robust PCI DSS security standard.

What's New in PCI DSS 4.0

  1. Customized Implementation: Introduction of a customized approach (CA) allowing organizations to implement alternative controls to meet security objectives.
  2. Authentication Requirements: Stronger multi-factor authentication (MFA) requirements for all accounts with access to cardholder data including non-admin consoles.
  3. Encryption: Enhanced encryption standards for transmitted and stored cardholder data.
  4. Security Software: Endpoint protection now needs continuous updates and patches for critical security software.
  5. E-commerce and Website Security: New requirements for securing e-commerce payment page scripts, and for ensuring that only known, authorized scripts are operating on websites.
  6. Risk Analysis and TRAs (Targeted Risk Assessments): Increased emphasis on risk assessments and documentation of security controls to prevent risk events.
  7. Third-Party Service Providers: Additional compliance requirements for service providers to support their customers' PCI DSS compliance.

Goals of PCI DSS 4.0

  1. Promote security as a continuous process.
  2. Enhance validation methods and procedures.
  3. Add flexibility for different methodologies to achieve security objectives.
  4. Reinforce security-by-design principles in software development.

Why This Matters

The update to PCI DSS compliance requirements represents a significant shift in approach to payment card security. Non-compliance can result in severe consequences, including:

  1. Financial penalties
  2. Increased transaction fees
  3. Reputational damage
  4. Loss of ability to process card payments
  5. Potential legal liabilities in case of data breaches

Given the complexity of these new requirements and the potential risks of non-compliance, we strongly recommend seeking professional guidance to ensure your organization is fully prepared for the transition to PCI DSS 4.0.1.

How We Can Help

Womble Bond Dickinson and its advisory subsidiary Prescentus are uniquely positioned to assist you in navigating these new requirements. Our team can provide these services to assist with your PCI DSS compliance:

  1. Comprehensive compliance assessments
  2. Risk analysis and mitigation planning
  3. Implementation strategy development
  4. Legal guidance on potential liabilities and contractual obligations
  5. Ongoing support and monitoring to ensure continued compliance

We encourage you to reach out to our team for a detailed consultation on how these changes may impact your organization and how we can assist in ensuring your compliance with PCI DSS 4.0.1.

Howard W. Herndon is a Partner with Womble Bond Dickinson (US) LLP in the firm’s Fintech Practice. He focuses his practice on the electronic transaction industry. For over two decades, he has represented public and private payments companies in significant industry transactions ranging from US $100 million to over US $1 billion. He is also a Managing Director and Founder of Prescentus, a subsidiary of Womble Bond Dickinson (US) LLP that offers full-service strategic business guidance for Fintech companies.

John Romer is a veteran fintech professional with a broad knowledge of payment processing across many industry segments. He brings extensive experience advising retailers, restaurants and other merchants, as well as card networks, acquirers/processors, and related payment vendors.