On April 1, 2024, the PCI Security Standards Council launched PCI DSS 4.0, a comprehensive step forward in continuous improvement, flexibility, and enhancements to payment industry security. These standards reflect the collaboration and feedback of more than 200 organizations in the payment industry while keeping up with changes in technology, fraud risks, and transparency expectations. PCI DSS 4.0 introduced essential updates to enhance security, addressing the continuously evolving threats and technological advancements in payment processing. Recently, the PCI Security Standards Council released version 4.0.1 to continue adapting to security trends and incorporating expert feedback.
This release introduced several future-dated requirements, initially designated as best practices, that are now coming due, emphasizing key areas in eCommerce. Where applicable, businesses must implement these requirements by March 31, 2025, and they don't have to go it alone. Your payments provider is a key partner in building up your payment security practices and technology.
Mirian Hubbard, Director, North America Merchant PCI Programs & Security Solutions, explains, “With the pace of innovation, it’s crucial to work with an acquirer who not only stays informed but can also provide solutions and expertise to help businesses navigate the ever-changing payments security landscape.”
Consider these three areas for taking action to ensure compliance:
Establish a robust vulnerability management program to enhance payment acceptance security
Businesses of all sizes must take payment security risks seriously and establish processes to monitor for vulnerabilities in their operations – POS systems, online stores, third-party integrations, and more. It is critical to regularly monitor for potential security breaches and quickly fix any gaps that could lead to a cyberattack or loss of customer data. For example:
Beyond monitoring, businesses must continuously document changes and take stock of their payment data flows in preparation for the annual self-assessment questionnaire (SAQ). The updated PCI DSS requirements include additional nuanced changes in the SAQ that we can help you understand with the help of our third-party security vendor, VikingCloud, through our online PCI validation portal. We provide the tools for merchants to easily understand security requirements, continuously improve payment processes, and validate compliance.
Prioritize employee training on security practices
The new PCI DSS requirements underscore the importance of treating payment security as a shared responsibility across your entire company, and with any outside vendors that you work with. Compliance with these requirements is much more than just implementing the right technical solutions; you must also invest in training and resources for your employees to confidently manage security practices and safeguards. From multi-factor authentication and strong passwords to protecting point-of-sale devices, your employees should feel empowered to protect your organization from cyber risks and in-person threats. Building a culture of security and continuous improvement will go a long way toward protecting your customers' payment data and ensuring compliance with PCI DSS requirements.
Stay informed on evolving threats and responsibilities
Keeping pace with a complex and evolving threat landscape is critical to maintaining PCI DSS compliance. Clear roles in vulnerability management are essential, especially for eCommerce merchants using third-party service providers (TPSPs) for hosted payment pages. By staying proactive, organizations can clarify these responsibilities and work closely with providers to address vulnerabilities. In keeping with a culture of continuous improvement, it is critical to constantly monitor current events and industry trends for emerging threats to your payment data. In our rapidly changing digital world, fraudsters continually innovate new ways to skim cardholder data, breach organizational systems, and manipulate employees with social engineering tactics; by keeping track of new threats, your organization can bolster defenses and work with your payments provider to enhance systems.
As the deadline for compliance with new requirements approaches in 2025, organizations that prioritize proactive steps today will be well-prepared for future PCI DSS challenges. By staying informed and vigilant, you will be prepared to meet payment security requirements and protect your customers from evolving external threats.