
PCI DSS 4.0 complete guide and steps

Monday, March 4th, 2024

Updated June 18th, 2024

Carlo D'Agnolo

The Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines that ensures the safety of card transactions globally. Created by the PCI Security Standards Council, its goal is to protect against data theft and fraud in debit and credit card transactions.

The latest version of the standard, PCI DSS 4.0, updates the criteria while emphasizing ongoing security and introducing new ways to validate compliance. It replaces PCI DSS version 3.2.1 (May 2018) to address emerging threats and technologies and to secure other elements of the payment ecosystem.

PCI DSS 4.0 applies to all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD), or could impact the security of the cardholder data environment (CDE). This includes all payment card account processing entities such as merchants, processors, acquirers, issuers, and other service providers.

So likely, you too.

C/side’s free tier makes you compliant and safe. Our paid tiers increase the flexibility and safety of your site against attacks that this new regulation is trying to battle.

Let’s start with what’s new:

You now need to monitor 3rd party scripts

Here’s what you need to know:

  • PCI DSS 4.0 (specifically requirement 6.4.3) mandates that every script on payment pages is authorized, that an inventory of all scripts is maintained, and that their integrity is ensured. Requirement 11.6 emphasizes the need to detect and respond to unauthorized modifications of payment pages, including changes to HTTP headers and page contents.
  • Organizations must check these configurations at least once every seven days or as determined by their risk analysis assessment.
  • The PCI DSS 4.0 update requires organizations to maintain an inventory of all system components relevant to PCI DSS, including bespoke and custom software but also 3rd party scripts.
  • Moreover, PCI DSS 4.0 also encourages a shift from annual audits to continuous security monitoring, involving regular reviews and updates of system components and software.
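To make requirements 6.4.3 and 11.6 concrete, here is an added example (not c/side's product or code) of an offline check that compares the scripts on a captured payment page against an authorized inventory of Subresource Integrity digests and compares the response headers against a recorded baseline. The inventory, URLs, page markup and header values are all constructed sample data.

```python
import base64, hashlib
from html.parser import HTMLParser

def sri_hash(body: bytes) -> str:
    # Subresource Integrity digest in the form browsers verify: sha384-<base64>
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):
    # Collects every <script> tag: external ones by src, inline ones by body.
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = dict(attrs) | {"body": ""}
    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None

def check_page(html, headers, inventory, header_baseline):
    # Findings for req. 6.4.3 (unlisted or altered scripts) and 11.6 (changed headers).
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s.get("src"):
            expected = inventory.get(s["src"])
            if expected is None:
                findings.append(f"unauthorized script: {s['src']}")
            elif s.get("integrity") != expected:
                findings.append(f"integrity mismatch: {s['src']}")
        elif sri_hash(s["body"].encode()) not in inventory.values():
            findings.append("unauthorized inline script")
    findings += [f"header changed: {k}" for k, v in header_baseline.items() if headers.get(k) != v]
    return findings

# Constructed sample data: inventory, header baseline, a page with one unlisted script, loosened CSP.
APPROVED_JS = b"/* constructed body of the approved checkout.js */"
INLINE_OK = "window.checkoutReady = true;"
INVENTORY = {"https://cdn.example/checkout.js": sri_hash(APPROVED_JS),
             "inline:checkout-ready": sri_hash(INLINE_OK.encode())}
BASELINE = {"Content-Security-Policy": "script-src 'self' https://cdn.example"}
PAGE = (f'<script src="https://cdn.example/checkout.js" integrity="{sri_hash(APPROVED_JS)}"></script>'
        f'<script src="https://unknown.example/extra.js"></script><script>{INLINE_OK}</script>')
SERVED_HEADERS = {"Content-Security-Policy": "script-src *"}  # no longer matches BASELINE
```

Run `check_page(PAGE, SERVED_HEADERS, INVENTORY, BASELINE)` on a schedule (at least every seven days per the requirement) and treat any non-empty result as a change to investigate.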

As mentioned, c/side's free tier does all of this. We show you which scripts are executing what, and you decide exactly what to block.

Our paid tiers add protection when something goes wrong: custom and automated blocking, additional notification channels, and log exports, to name a few.

The 6 Foundational Principles and 12 requirements of PCI DSS 4.0

PCI DSS 4.0 is built on six foundational principles aimed at fostering a secure environment for people making (and those facilitating) online transactions:

  1. Construct and uphold a secure network for Cardholder Data (CHD).
  2. Safeguard stored or transmitted Cardholder data (CHD).
  3. Sustain a program for managing vulnerabilities, incorporating security policies and testing.
  4. Enforce strict access control measures based on business necessity.
  5. Continuously monitor and test networks for vulnerabilities.
  6. Develop and maintain a comprehensive information security policy, educating employees on their role in CHD protection.

All good things which should be in place to create a safer environment for people browsing the web!

Then, there are 12 requirements to be compliant.

Keep in mind that some of these were already included in previous PCI DSS versions, so most of you should already have them in place, or at least have started. If you use existing frameworks for your site (tools like Shopify or Webflow, or boilerplates and libraries), check whether they include those features.

That being said, here they are:

  1. Install and maintain network security controls. Merchants are required to ensure a secure network using Network Security Controls (NSCs) like firewalls, routers, and robust cloud access measures. These controls should manage traffic based on predefined rules, with the aim of protecting the Cardholder Data Environment (CDE) under the PCI DSS standard.
  2. Apply secure configurations to all system components. PCI DSS v4.0 introduces new requirements for roles and responsibilities in securing wireless network configurations. Implementing these configurations can minimize potential attack surfaces and the likelihood of system compromise.
    • Configure firewalls in the right way
    • Change default passwords and other default settings
    • Remove unused software and/or services and/or accounts
  3. Protect stored account data. Businesses must implement protection methods such as encryption, truncation, masking, and hashing to protect stored account data, including Sensitive Authentication Data (SAD), and minimize risk.
    • Avoid storing Sensitive Authentication Data (SAD) unless necessary.
    • Truncate cardholder data if the full Primary Account Number (PAN) isn't required.
    • Do not send unprotected PANs via end-user messaging technologies, such as email or instant messaging.

Sensitive Authentication Data (SAD) encryption is not required when data is in volatile memory like RAM, but should be removed once its business purpose is complete. If SAD storage becomes persistent, all PCI DSS 4.0 requirements, including encryption, apply.

  4. Use strong cryptography to protect cardholder data during transmission over public networks. This ensures the confidentiality, integrity, and non-repudiation of the data. All PAN transmissions must be encrypted to prevent data compromise.
    • Encrypt the data before transmission
    • Encrypt the session over which the data is transmitted

Further, the business must evaluate its network security parameters against applicable PCI DSS 4.0 requirements if the network stores, processes, or transmits CHD.

  5. Protect all systems and networks from malicious software. PCI DSS 4.0 replaces anti-virus software with anti-malware software. A seemingly semantic change, but it now requires entities to implement anti-malware solutions that secure their systems against current and evolving malware threats, such as:

    • Viruses
    • Worms
    • Trojans
    • Spyware
    • Ransomware
    • Malicious code, scripts, links

    We want to remind you again that c/side lists and secures any 3rd party script you use. If they should get compromised, either on your own website(s) or globally, you are protected.

  6. Create and maintain secure systems and software. Businesses must apply software patches to all system components to prevent account data exploitation, with PCI DSS 4.0 requiring software lifecycle processes and secure coding for custom software. Code repositories storing application code or data that affects account data security are in scope for PCI DSS 4.0 assessments.

  7. Limit access to system components and cardholder data based on the business's need to know. This requirement mandates businesses to implement controls ensuring critical data access is limited to authorized personnel only, based on need-to-know and job responsibilities, thereby preventing unauthorized access.

  8. Identify users and authenticate access to system components. This mandates unique user identification and authentication for system component access. This ensures accountability and traceability for actions, and applies to all accounts, including POS, admin, system, and application accounts.

  9. Restrict physical access to cardholder data. Merchants and businesses must limit physical access to systems handling cardholder data (CHD) to prevent breaches or loss of cardholder privacy.

  10. Log and monitor all access to system components and cardholder data. PCI DSS 4.0 Requirement 10 emphasizes the importance of audit logs and user activity tracking in the Cardholder Data Environment (CDE) and system components. This allows for audit trails, tracking, alerting, and analysis in case of a system compromise, and applies to all user activities.

  11. Test system and network security often. Businesses are required to regularly test all system components, processes, and custom software to ensure controls can adequately handle the evolving threat landscape, as per PCI DSS.

  12. Support Information Security (IS) with organizational policies and programs. According to the final requirement, all businesses must implement an information security policy. This policy should inform personnel about the sensitivity of payment card data and their responsibility to protect it.

What if you’re not compliant?

Most changes only become mandatory from March 31st 2025, with some already required since March 31st 2024. So there really is little time. Best get on this now; otherwise there are possible repercussions:

  • Card processors often pass PCI compliance and non-compliance fees on to merchants. Paying these fees does not make you PCI DSS 4.0 compliant, however: merchants must still complete the annual SAQ and meet the other requirements to maintain compliance.
  • Businesses failing to comply with PCI DSS 4.0 may face a monthly non-compliance penalty from the card processor. In severe cases, non-compliance can theoretically lead to termination of the merchant's account.

Is the PCI DSS 4.0 actual law?

Although the PCI SSC has no legal authority to enforce compliance, any business that accepts or processes credit or debit cards must adhere to these standards, irrespective of business type or location, because the major card brands require compliance as a condition of processing their card transactions.

The PCI body was formed by American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. on September 7 2006, with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard.

This means that if you (or a card processor you use like Stripe, PayPal, Adyen, Paddle, …) accept any of these cards, you must adhere to this new standard of PCI DSS 4.0. Otherwise, you run a risk of those repercussions mentioned above or even being shut off from accepting payments.

How to ensure you’re compliant

Here’s what you need to do step by step:

  1. Determine your PCI level. PCI compliance requirements are determined by the number of transactions processed annually.

    The PCI DSS compliance is divided into four levels, determined by the number of card transactions a business processes annually. These levels dictate the steps a company must take to achieve and maintain compliance.

    PCI DSS level, transactions per year, and what the business must do:

    Level 1 (6 million or more)
    • Undergo an annual internal audit
    • Undergo a quarterly PCI scan by an Approved Scanning Vendor (ASV)

    Level 2 (1 million to 6 million)
    • Complete a yearly assessment using a self-assessment questionnaire (SAQ)
    • A quarterly PCI scan may be required

    Level 3 (20,000 to 1 million)
    • Complete an annual evaluation using a SAQ
    • A quarterly PCI scan may be required

    Level 4 (less than 20,000)
    • Complete a yearly evaluation using a SAQ
    • A quarterly PCI scan may be required
  2. Draw your CHD flows. Identify the movement of Cardholder data (CHD) through your applications, systems, and personnel.

  3. Complete your SAQ. The Self-Assessment Questionnaire (SAQ) validates if a business meets all 12 requirements for PCI compliance (see the 12 requirements above).

  4. Complete your AOC. The Attestation of Compliance (AOC) is a document that provides a guide to achieving PCI compliance, ensuring all necessary steps are completed.

  5. Complete a vulnerability scan. Based on the Self-Assessment Questionnaire (SAQ) results, you have the option to either conduct the scan yourself or hire an Approved Scanning Vendor (ASV).

  6. Complete and submit documents. Submit the Self-Assessment Questionnaire (SAQ), Attestation of Compliance (AOC), and Approved Scanning Vendor (ASV) reports to the credit card brands you support or plan to support.

  7. Monitor compliance regularly. You can do this with c/side: our free tier makes you compliant and puts the safety barriers up, and our paid tiers give you more flexibility and even more safety.

Some quickfire Q&A to set the record straight

  1. How can I ensure my third-party scripts are compliant with PCI DSS 4.0? The PCI DSS 4.0 update mandates organizations to keep an inventory of all system components relevant to PCI DSS, including custom software and third-party scripts. It also promotes a transition from yearly audits to continuous security monitoring with frequent reviews and updates of system components and software.

    Again, we can help in this regard. Our free tier makes your site compliant and safe, our paid tiers increase flexibility and safety.

  2. When does PCI DSS v4.0 come into effect? PCI DSS v4.0, effective from March 31, 2024, introduces these 64 new requirements. While some are effective immediately, most will not be effective until March 31, 2025, providing organizations with a transition period of one year to implement the more challenging requirements. Requirements regarding 3rd party scripts come into effect in March 2025.

  3. What’s the impact of PCI DSS 4.0 on small businesses or startups? PCI DSS 4.0 introduces changes affecting all entities handling cardholder data, with potential challenges for small businesses and startups due to resource limitations. Take a look above at the PCI levels.

  4. Are there penalties for Non-Compliance with PCI DSS 4.0? Non-compliance with PCI DSS 4.0 can result in penalties such as fines, increased transaction fees, and even revocation of card processing abilities. Compliance is mandatory for all entities handling cardholder data, and failure to comply can lead to significant financial and reputational damage. Therefore, understanding and maintaining compliance with these requirements is crucial for all organizations processing payment card transactions.

  5. What are the best practices for continuous security monitoring under PCI DSS 4.0? Under PCI DSS 4.0, continuous security monitoring can be enhanced by implementing network segmentation, favoring automation over traditional sampling methods, and adopting a zero-trust mindset. This includes daily verification of all network devices and using automated tools for continuous risk detection and prioritization.

    C/side was built to make sure those specific third-party script related PCI DSS 4.0 requirements are met.