Big changes are coming to payment security rules. If your business takes credit cards, you need to know about PCI DSS 4.0. The deadline is March 31, 2025. That’s when 51 new rules become required instead of just suggested.
These aren’t small tweaks. They’re major security updates that will change how you protect customer payment data. The biggest change? Multi-factor authentication will be required for everyone who accesses payment systems, not just IT admins.
Don’t wait until the last minute. Companies that miss this deadline could face fines up to $100,000 per month. Plus, you might lose the ability to process credit cards entirely.
What Is PCI DSS 4.0?
PCI DSS stands for Payment Card Industry Data Security Standard. Think of it as the rulebook for keeping credit card data safe. Version 4.0 is the biggest update in over 10 years.
The Payment Card Industry Security Standards Council released PCI DSS 4.0 in March 2022. But many rules were marked as “best practice” until now. After March 31, 2025, these new requirements are effective and must be fully considered as part of a PCI DSS assessment.
Who needs to follow these rules? Any business that stores, processes, or sends credit card information. This includes online stores, retail shops, restaurants, and service providers.
The Big Three Changes You Can’t Ignore
Multi-Factor Authentication for Everyone
The old rules only required MFA for system administrators. PCI DSS v4.0 now mandates that MFA must be used for all accounts that have access to the cardholder data, not just administrators.
This means every employee who touches payment systems needs two-step verification. It could be a phone app, text message, or security token. The key is having two different ways to prove who you are.
Why the change? Passwords alone aren’t enough anymore. Compromised passwords are still the top threat from bad actors, and MFA is considered the best tool for preventing unauthorized access with a stolen password.
Authenticated Vulnerability Scans
Old scanning methods checked your systems without logging in, so they only saw what an anonymous network client could see. Under PCI DSS 4.0, requirement 11.3.1.2 introduces the need for authenticated internal vulnerability scans, marking a departure from the widely practiced unauthenticated scans.
Authenticated scans log into your systems and check them from the inside. This finds more problems but requires more setup. You’ll need to create secure scanning accounts and manage passwords safely.
These deeper scans will likely find issues you didn’t know existed. Be ready to fix what they discover.
Payment Page Script Security
Online stores face new rules about JavaScript code on checkout pages. Requirement 6.4.3 requires management of all payment page scripts that are loaded and executed in the consumer’s browser, and Requirement 11.6.1 requires entities to have a change- and tamper-detection mechanism.
Hackers love to inject malicious code into payment pages. This lets them steal credit card numbers as customers type them in. The new rules require you to:
- Keep a list of every script on your payment pages
- Make sure each script is approved and needed
- Watch for unauthorized changes to your checkout pages
Why These Changes Matter Now
Credit card fraud keeps growing. These attacks typically target scripts loaded on the payment pages, where they can capture and exfiltrate sensitive data. The old security rules weren’t keeping up with new attack methods.
E-commerce skimming attacks have become especially common. Criminals inject code into shopping websites that steals payment data without anyone noticing. These attacks can run for months before being discovered.
The new rules target these modern threats directly. They’re designed to stop attacks that the old standards missed.
What Happens If You Don’t Comply?
Missing the March 2025 deadline isn’t just a slap on the wrist. Noncompliance can result in significant financial penalties, legal ramifications, and damage to your organization’s reputation.
The penalties can be severe:
- Monthly fines from $5,000 to $100,000
- Higher credit card processing fees
- Loss of ability to accept cards
- Legal costs if customer data gets stolen
- Damage to your business reputation
In today’s cyber-savvy world, consumers are demanding that businesses protect their payment information. A security breach can destroy customer trust that took years to build.
How to Get Ready Before March 2025
Start with a Gap Analysis
First, figure out what you need to change. Look at your current security setup and compare it to the new requirements. Two separate gap analyses should be performed: one for the requirements that must be met by 1 April 2024, and another for the requirements that must be met by 1 April 2025.
Plan Your MFA Rollout
Multi-factor authentication affects the most people. Start by listing everyone who accesses payment systems. Then choose an MFA solution that works for your team. Popular options include:
- Smartphone apps like Google Authenticator
- Text message codes
- Hardware security keys
- Push notifications
Test your chosen solution with a small group first. Work out any problems before rolling it out company-wide.
Upgrade Your Scanning
Move from basic vulnerability scans to authenticated ones. This means setting up secure accounts that scanning tools can use to log into your systems.
Plan for more findings. Authenticated scanning sweeps systems and controls more deeply and more widely, so it gives you insight you can use to harden them. You’ll likely discover vulnerabilities you didn’t know existed.
Secure Your Payment Pages
If you run an online store, audit all the code on your checkout pages. New requirement 6.4.3 says that all JavaScript on the payment page must be recorded in an inventory, be explicitly approved, and have a record kept of why the script is necessary.
Make a list of every script. Ask these questions:
- Why is this script needed?
- Who approved it?
- Is it from a trusted source?
- Can we remove it?
Set up monitoring to alert you if checkout pages change unexpectedly.
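The inventory questions above (requirement 6.4.3) and the change monitoring (requirement 11.6.1) can be exercised by one small audit. As an added example, not code from the original post or from the PCI Security Standards Council, here is a Python script that parses a checkout page, builds a fingerprint of every script on it, and compares that against an approved inventory that records owner, justification and the expected Subresource Integrity hash. The payment-provider URL, script bodies, hostnames and inventory entries are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects every <script> on a page: external ones by src, inline ones by content."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # each entry: {"src": str|None, "integrity": str|None, "body": str}
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def sri_sha384(content: bytes) -> str:
    """Subresource Integrity value: 'sha384-' followed by the base64 SHA-384 digest."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def script_id(script: dict) -> str:
    """Inventory key: the src for external scripts, a content hash for inline ones."""
    if script["src"]:
        return script["src"]
    return "inline:sha256:" + hashlib.sha256(script["body"].encode()).hexdigest()


def audit_payment_page(html: str, inventory: dict) -> dict:
    """Compare the scripts actually on the page with the approved inventory.

    unapproved: scripts on the page that nobody has inventoried or justified (6.4.3)
    missing:    inventoried scripts no longer present, i.e. the page changed (11.6.1)
    integrity:  external scripts whose SRI attribute does not match the approved hash
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = {"unapproved": [], "missing": [], "integrity": []}
    seen = set()
    for script in collector.scripts:
        sid = script_id(script)
        seen.add(sid)
        if sid not in inventory:
            findings["unapproved"].append(sid)
            continue
        expected = inventory[sid].get("integrity")
        if expected and script["integrity"] != expected:
            findings["integrity"].append(sid)
    findings["missing"] = [sid for sid in inventory if sid not in seen]
    return findings


# Constructed placeholders: the payment provider's hosted-fields script and the
# store's own inline validation code.
PSP_SRC = "https://js.psp-example.test/v3/hosted-fields.js"
PSP_BODY = b"/* constructed stand-in for the payment provider's hosted-fields library */"
PSP_INTEGRITY = sri_sha384(PSP_BODY)
INLINE_VALIDATION = "document.getElementById('card-form').addEventListener('submit', validateCard);"

# The approved inventory required by 6.4.3: every script, who owns it, why it is needed,
# and (for external scripts) the SRI hash the page must pin.
APPROVED_INVENTORY = {
    PSP_SRC: {"owner": "payments team", "reason": "PSP hosted card fields", "integrity": PSP_INTEGRITY},
    "inline:sha256:" + hashlib.sha256(INLINE_VALIDATION.encode()).hexdigest():
        {"owner": "web team", "reason": "client-side form validation", "integrity": None},
}

BASELINE_PAGE = f"""<html><head>
<script src="{PSP_SRC}" integrity="{PSP_INTEGRITY}" crossorigin="anonymous"></script>
</head><body>
<form id="card-form"><input id="card" name="card"></form>
<script>{INLINE_VALIDATION}</script>
</body></html>"""

# Constructed tampered version: an uninventoried script appeared and the inline code changed.
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "</form>", '</form>\n<script src="https://static.unknown-host.test/t.js"></script>'
).replace(INLINE_VALIDATION, INLINE_VALIDATION + " /* unexpected change */")


if __name__ == "__main__":
    print("baseline:", audit_payment_page(BASELINE_PAGE, APPROVED_INVENTORY))
    print("tampered:", audit_payment_page(TAMPERED_PAGE, APPROVED_INVENTORY))
```

Run on a schedule against the live checkout page, a non-empty result is the alert the text asks for; the inventory file doubles as the written justification 6.4.3 requires, and the `integrity` check catches the case where the provider's script is still referenced but no longer pinned to the version that was approved.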
Getting Professional Help
These changes are complex. PCI DSS 4.0 is not solely a technology standard confined to the IT department. It encompasses a variety of risks associated with people, processes, and technology.
Consider hiring a Qualified Security Assessor (QSA). These certified professionals understand the new requirements and can guide your compliance efforts. They’ll help you avoid costly mistakes and ensure you’re fully compliant by the deadline.
The Bottom Line
March 31, 2025 will be here before you know it. There are only eight months left for merchants to plan and prepare for the changes in PCI DSS v4.x. Companies that start now have the best chance of smooth implementation.
The new rules aren’t just about avoiding fines. They’re about protecting your customers and your business from increasingly sophisticated attacks. Early adopters often find that stronger security gives them a competitive advantage.
Don’t let PCI DSS 4.0 compliance catch you off guard. Start planning today, and you’ll be ready when the deadline arrives.
Ready to start your PCI DSS 4.0 compliance journey? Contact a qualified security professional today to assess your current setup and create a plan that works for your business.