PCI DSS v4.0
PCI DSS v4.0 is the global standard for securing payment card data, requiring organizations to implement controls across networks, access, and monitoring.
The Payment Card Industry Data Security Standard (PCI DSS) version 4.0, released in March 2022 with mandatory compliance by March 2025, is a global standard for securing payment card data. Developed by the PCI Security Standards Council founded by Visa, Mastercard, American Express, Discover, and JCB, PCI DSS applies to any organization that stores, processes, or transmits cardholder data. Version 4.0 introduced a customized approach allowing organizations to meet security objectives through alternative controls, alongside the traditional defined approach of prescriptive requirements.
PCI DSS v4.0 is organized into 12 principal requirements grouped under six goals: build and maintain a secure network (firewalls, no vendor defaults), protect cardholder data (encryption at rest and in transit), maintain a vulnerability management program (anti-malware, secure development), implement strong access control measures (least privilege, unique IDs, physical access), regularly monitor and test networks (logging, penetration testing), and maintain an information security policy. New in v4.0 are requirements for multi-factor authentication for all access to the cardholder data environment, targeted risk analysis to define frequency of recurring activities, and enhanced requirements for e-commerce and phishing protections. Validation levels range from Self-Assessment Questionnaires for smaller merchants to on-site assessments by Qualified Security Assessors for Level 1 merchants processing over six million transactions annually.
Non-compliance with PCI DSS can result in fines from $5,000 to $100,000 per month from payment brands, increased transaction fees, and ultimately the loss of the ability to process card payments. Data breaches involving cardholder data trigger costly forensic investigations, notification requirements, and potential lawsuits. For organizations handling payment data, PCI DSS compliance is not optional. It is a contractual obligation enforced by acquirers and payment brands.
Written by CDA Editorial