PCI DSS 4.0 Regulation Framework Requirements

PCI DSS 4.0 requirements

Payment card industry (PCI) compliance is vital to the security and success of any business that takes credit card payments from customers. Failure to comply results in considerable losses of money and customer trust. 

To achieve compliance, businesses must meet a set of data security standards (DSS), a framework that outlines the steps necessary to protect customers’ data. PCI DSS applies to all organizations that collect, store, and transmit credit card information. 

Maintaining full compliance was recently complicated by the fact that PCI DSS was updated, with version 4.0 issued on March 31, 2022. It is the first significant overhaul of the system since 2014 and will remain in place until 2024, so understanding the requirements is urgent. 

Requirements for PCI DSS Compliance

PreEmptive icons 5 1

PCI DSS is founded on 12 requirements that merchants must meet in order to be considered compliant. 

  • Installation and maintenance of network security controls 
  • Application of secure configurations to all system components
  • Protection of stored account data
  • Use of strong cryptography to transmit cardholder data over public networks 
  • Protection of systems and networks from malicious software
  • Development and maintenance of secure systems and applications
  • Restricted access to cardholder data 
  • Identification and authentication of users to access system components
  • Restricted physical access to cardholder data
  • Monitoring and logs of all access to network resources and cardholder data
  • Regular testing of security systems and processes
  • Establishment and maintenance of a policy to address information security

While these requirements may seem overwhelming, getting started is at least fairly straightforward. First, businesses must determine their PCI DSS merchant level. The level depends on the number of annual Visa transactions. For example, a merchant that processes over six million transactions is a level one merchant while a business that only processes one million is a level four. It is also possible for a merchant’s level to be elevated after a security breach. 

After determining the appropriate level, merchants need to fill out a self-assessment questionnaire from the PCI Security Standards Council website. This will help determine how well a company is complying with the regulations. 

At this point, businesses should build secure networks based on the questionnaire answers. Finally, they complete an attestation of compliance (AOC) to verify that they have met the necessary standards. 

Changes to PCI DSS 4.0

PreEmptive icons copy 1

As a whole, the goal of the updates for version 4.0 of PCI DSS was to make the standards more flexible and accommodate different data and payment security strategies. The changes also help to stay on top of new threats and changes in technology. 

For example, the standards no longer refer exclusively to firewalls and routers. Instead, they reference network security controls to acknowledge the use of security measures outside of firewalls. 

Additionally, the PCI DSS scope is broader and now includes service providers who might impact the cardholder data environment (CDE), even if they are not directly processing the data. Likewise, rather than focusing on specific technologies, the scope for PCI DSS now includes any and all systems that have the potential to affect account data.

One other important shift to note is that encryption is not enough to ensure a business or any of its systems is compliant. The scope of compliance might be more limited if the system or entity is unable to decrypt data and doesn’t perform any encryption activities, but there is no total exemption from the standards on this basis.

Consequences for Failed Compliance 

PreEmptive icons 6 1

Although PCI DSS compliance might seem burdensome and expensive, the consequences for failed compliance are severe. In addition to lawsuits and losses in profits, businesses with PCI DSS violations face significant fines ranging anywhere from $5,000 to $100,000 per month. These fines are passed down the line from card brands to payment processors, generally landing in the laps of the merchants. 

On top of the financial costs are losses to reputation, canceled partnerships with banks and other businesses, and suspension from processing transactions. Security failures and breaches in the past have shown just how serious the impact can be.


One of the best-known examples of an enormous data failure is Target. In 2013, Target lost data for 40 million credit card numbers. Investigators found that, although the company had an excellent tool for malware detection, critical warnings were ignored for a number of weeks. 

As a result of their failure to comply, Target had to face one of the most tangible consequences: enormous financial losses. This came in the form of $18.5 million in settlements for affected customers in the United States and more than $202 million in legal fees. 

Because of its size, Target survived its data breach, but the financial security of small businesses is reliant on avoiding these kinds of events. The cost of implementing the necessary security measures pales in comparison to the potential losses of failed compliance. 

Warner Music Group 

A lesser-known but more recent example is Warner Music Group, which was unknowingly under siege for three months in 2020. From April to August, attackers gained access to the data of customers. 

The affected data included names, email addresses, billing addresses, credit card numbers, and CVC and CVV codes. As a result, Warner sent a notification to all customers stating that their personal information might have been captured in the breach. 

One of the immediate financial impacts on Warner was the cost of their offer of 12 months of free identity monitoring. However, the damage is unlikely to stop there. Ongoing class-action lawsuits have not yet been settled, and one of the major points of contention from the claimants is that the company failed to notice that its data was being attacked for such a long period of time. 

Supporting Security and Compliance

PreEmptive icons 7 1

PCI DSS compliance is critical for businesses and the results of failed compliance are long-lasting and costly. One of the requirements for compliance is using outside sources to assess vulnerabilities in app security. 

Businesses can ensure that they meet this requirement by including payment app security from the outset. Automated security controls from PreEmptive can identify threats and help merchants meet these and other evolving regulations. 

PreEmptive is a leader in app hardening and shielding that defends against attacks on multiple platforms. This helps assure compliance and keeps private customer data out of the hands of malicious hackers.

The past has shown that application security is a worthwhile investment. PreEmptive’s products offer app hardening solutions for any merchant or business in need of the strongest and most reliable security.