The deadline may have passed, but it’s not too late to upgrade to PCI DSS 4.0.
In an era where data breaches are increasingly common, protecting customers’ payment information is more critical than ever. As cyberattacks continue to rise, businesses that handle sensitive customer data, particularly credit card information, are prime targets.
Enter the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements to safeguard payment card data. The latest iteration of these standards, PCI DSS 4.0, was released in 2022, bringing significant updates to modern security threats.
The deadline for full compliance fell in March, so whether businesses have achieved compliance or not, it’s essential to understand what PCI DSS 4.0 means, why it matters, and how noncompliance can put your business at risk—from a security and financial perspective.
Companies that fail to meet PCI DSS requirements can face fines ranging from $5,000 to $100,000 per month, depending on the severity and duration of noncompliance. These penalties, alongside potential legal consequences and reputational damage, make compliance a critical priority for businesses handling payment data.
Here are some key questions and answers that may help you understand both what the standard is all about and how crucial it is to comply.
What is PCI DSS 4.0?
PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements to protect cardholder data. It is enforced by major credit card companies, including Visa, MasterCard, and American Express, and all businesses that handle credit card transactions must comply with its requirements.
The latest version of the standard is PCI DSS 4.0, first released three years ago. It includes updated security requirements to address evolving cyber threats. It matters as it provides a comprehensive framework to ensure businesses have taken the necessary steps to protect sensitive customer information.
With payment card data being an attractive target for cybercriminals, businesses that accept credit cards must implement the appropriate security measures to minimize the risk of data breaches. Failing to meet PCI DSS standards not only results in costly fines and penalties, it also makes your business a prime target for hackers.
How to Achieve Compliance?
Becoming PCI DSS 4.0 compliant is an ongoing process, not a one-time fix. The framework is built on 12 core requirements to secure payment card information. These include requirements to install and maintain firewalls, encrypt cardholder data, implement robust access controls, and regularly test security systems for vulnerabilities.
But one of the most important aspects of PCI DSS 4.0 is the emphasis on self-assessments. The self-assessment questionnaire (SAQ) is a tool businesses can use to evaluate their compliance. It’s important to note that PCI DSS 4.0 includes a revised SAQ that requires businesses to provide more detailed reporting on their security protocols.
While these updated SAQs were formerly considered best practices, they became mandatory on March 31. That means businesses must begin reviewing and updating their SAQs to avoid noncompliance.
Another key update in PCI DSS 4.0 is stricter cardholder data policies. Businesses must implement multi-factor authentication (MFA) for all users that access payment card data. This added layer of security is essential to ensure only authorized personnel can view or process sensitive customer information.
The Risks of Noncompliance
Failing to comply with PCI DSS 4.0 does not just expose your business to security risks—it poses serious financial and reputational consequences. While PCI DSS compliance is not mandated by law, noncompliance can lead to significant costs, including fines, data-breach liabilities, and reputational damage.
If your business is not compliant with PCI DSS 4.0 and suffers a data breach, you could be held financially responsible for reissuing credit cards, covering fraudulent charges, and hiring forensic investigators to determine the scope of the breach.
Also, the monthly fines for noncompliance range from $20 to $5,000 or more, depending on the severity of the noncompliance or data breach. These fines can add up fast, further hurting your business’s bottom line. Noncompliance can also lead to reputational damage, causing customers to lose trust in your business and hurting profitability.
PCI DSS 4.0 also places a greater emphasis on regular monitoring and testing of security systems. If your business does not keep up with these required security updates, it risks noncompliance and the growing threat of cyberattacks. In 2023, the health-care industry alone saw a staggering 128% increase in cyberattacks in the United States, underscoring the growing urgency for businesses to stay vigilant with respect to payment security.
The cost of a data breach is higher than most businesses may think. In fact, the average breach cost businesses $4.88 million last year, up 10% from 2023. However, the financial implications of a breach extend far beyond the immediate costs of breach containment and notification. The latest report from IBM revealed that 70% of organizations that experienced a data breach reported significant disruptions to their operations, further amplifying the incident’s cost.
Make no mistake. The costs are severe for businesses failing to comply with PCI DSS and then suffering a breach. Card issuers may hold noncompliant businesses responsible for covering all costs associated with the breach, including fraudulent charges and the reissuance of credit cards. Many businesses also incur the cost of hiring forensic investigators to determine the full extent of the breach.
One of the most alarming breach statistics is the length of time it takes businesses to detect and contain them. According to IBM, it takes an average of 194 days to identify a breach and an additional 64 days to contain it. So, for more than half of a year, businesses may be unknowingly exposed to the consequences of a data breach, all while the breach escalates as hackers access more sensitive data.
By becoming PCI DSS-compliant and implementing best practices for data security, businesses can detect breaches earlier and minimize the damage. Compliance also helps businesses quickly identify and respond to potential security threats.
What are the Benefits?
The benefits of PCI DSS compliance extend far beyond avoiding fines and penalties. Businesses that prioritize payment security through compliance with PCI DSS 4.0 can improve their reputation, build customer trust, and reduce the risk of costly breaches.
Merchant Advocate estimates, based on internal data, that 72% of businesses are overcharged by their processors. In 2023 alone, U.S. merchants spent $172 billion on processing fees, a 7.5% increase over the previous year. PCI DSS compliance ensures businesses optimize their payment systems and reduce unnecessary fees while improving their bottom line.
To prepare for PCI DSS 4.0 compliance, businesses should begin by reviewing the updated standards and determining how they apply to their operations. Businesses should then update their self-assessment questionnaires and strengthen their security measures, such as implementing encryption software, firewalls, and multi-factor authentication.
Regular monitoring and testing of security systems are also essential for staying compliant and identifying potential vulnerabilities before they are exploited. Businesses should also work with payment processors and consultants to optimize their payment-processing systems and reduce unnecessary fees.
If your business fails to comply with PCI DSS 4.0, the risks are clear: you’re opening the door to cyberattacks, costly fines, and potential financial and reputational damage.
Cyberattacks are becoming more sophisticated, and businesses that fail to meet the latest security standards are at risk of becoming the next target. Noncompliance also increases your liability in the event of a data breach, leaving your business vulnerable to significant financial and reputational damage.
The transition to PCI DSS 4.0 may seem daunting, but it is essential for protecting your business and your customers. The March 2025 deadline has passed, so now is the time to act if you haven’t already. By ensuring compliance and fortifying your security measures, you can minimize your risks and safeguard your business against the ever-growing threat of cybercrime.
—Eric Cohen is chief executive at Merchant Advocate
