PCI DSS 4.0.1 Compliance: What Every Business Must Do by 2025

The Payment Card Industry Data Security Standard (PCI DSS) is a generally accepted set of procedures and policies aimed at improving the security of debit, credit, and other card transactions and protecting cardholders from the misuse of their personal data. PCI DSS was created to reduce fraudulent activities in organizations that handle payment card information and to prevent cybersecurity breaches.
PCI DSS is not a legal or regulatory requirement. However, it is a set of contractual obligations for organizations that process and store debit, credit, or other payment transactions. These organizations are required to meet PCI DSS standards to create and maintain a secure environment for their customers.
Security standards that protect sensitive information continue to evolve as the payment industry advances. In 2024, PCI DSS version 4.0.1 was released. This version includes important updates that clarify key business requirements ahead of the March 2025 deadline for implementing best practices. Understanding these requirements is essential to ensure that your organization maintains high security standards while successfully navigating compliance.
The Payment Card Industry Security Standards Council (PCI SSC) is responsible for developing and managing PCI DSS. Version 4.0.1 is designed to meet the changing security needs of the payment industry, promote stronger protection, offer more flexibility, and improve procedures for businesses by allowing multiple ways to meet their security goals.
This version is better equipped to address emerging technologies and threats compared to the previous version, PCI DSS v3.2.1. A key improvement in the latest version is its ongoing focus on security and proactive threat detection, rather than relying solely on periodic checklists.
Difference Between PCI DSS v4.0 and v4.0.1:
PCI DSS v4.0 introduced major changes, whereas PCI DSS v4.0.1 makes only minor ones. The table below compares the two versions.
| Category | PCI DSS 4.0 | PCI DSS 4.0.1 |
|---|---|---|
| Release Date | March 2022 | October 2023 |
| Purpose | Major update replacing 3.2.1, modernized for new threats | Minor revision with corrections and clarifications |
| Structure | Introduced new format and control layout | Same structure as 4.0, no major layout changes |
| Customized Approach | Introduced for flexibility in control implementation | Clarified expectations for the customized approach |
| Multi-Factor Authentication | Strengthened MFA requirements across environments | Clarified text to avoid confusion in MFA control wording |
| Password Requirements | Changed complexity and expiration rules | No major changes; minor wording corrections |
| New Requirements | 60+ new requirements introduced (many future-dated) | No new requirements, just clearer descriptions |
| Implementation Deadlines | March 2025 for most new 4.0 requirements | Deadline unchanged |
| Error Corrections | N/A | Fixed typos, inconsistencies, and incorrect references |
| Clarifications | N/A | Improved language for better understanding |
| Impact | High: changes in scope, approach, and control details | Low: meant to support smoother adoption of 4.0 |
Key points about v4.0.1:
- No new requirements: The update focuses on clarifying existing standards.
- Effective date: Organizations must comply with future-dated requirements by March 31, 2025.
- Supporting documents: Updated templates for Reports on Compliance (ROC), Attestations of Compliance (AOC), and Self-Assessment Questionnaires (SAQs) are expected to be published in Q3 2024.
What are the PCI DSS compliance levels?
The number of transactions a company has determines its level of compliance. Merchants have four levels, while service providers have two.
Merchants: Organizations that accept credit cards for a service or product.
Service Providers: Organizations that process, transmit, or store card information on behalf of merchants.
An organization can fall into both categories.
The levels assigned to the merchants depend on the number of transactions they do per year.
Level 1:
Businesses that process 6 million transactions annually for any of the major card brands that follow PCI DSS, such as JCB, MasterCard, Discover, American Express, and Visa, are typically classified as Level 1 merchants. However, PCI card brands may also place a merchant into Level 1 even if they do not reach the 6 million transaction threshold. This decision depends on the payment brand, particularly if they identify specific risk factors and determine that the company should be treated as a Level 1 merchant based on merit.
Major Requirement in Level 1
An organization classified as Level 1 under PCI DSS must undergo a formal assessment conducted by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). The result of this assessment is documented in a Report on Compliance (ROC), which serves as official validation that the organization meets all PCI DSS requirements.
Level 2:
Businesses that process between 1 and 6 million payment card transactions annually are typically classified as Level 2 merchants under PCI DSS. These are often mid-sized retailers. Instead of undergoing a full audit like Level 1 merchants, they are generally required to complete a Self-Assessment Questionnaire (SAQ).
The SAQ is a standardized self-evaluation tool used to assess whether a business is complying with the PCI DSS security requirements. It helps identify gaps in how the company handles cardholder data and guides them toward full compliance.
With the release of PCI DSS version 4.0, there are now 9 different types of SAQs, each tailored to specific ways a business might handle payment information. For example, some SAQs apply to businesses that do not store cardholder data, while others are for those that use e-commerce platforms or third-party payment processors.
Level 3:
Businesses that process between 20,000 and 1 million e-commerce transactions annually are typically classified as Level 3 merchants under PCI DSS. This level often includes small to mid-sized online retailers.
Like Level 2 merchants, they are required to complete a Self-Assessment Questionnaire (SAQ) each year to verify their compliance with PCI DSS requirements. The specific SAQ they must use depends on how they process, store, or transmit cardholder data.
Level 4:
Merchants that process fewer than 20,000 e-commerce transactions annually are generally classified as Level 4 under PCI DSS. According to Visa's criteria, even some merchants processing up to 1 million total Visa transactions per year may also fall into Level 4, depending on their risk profile and how they accept payments.
Level 4 merchants are required to complete a Self-Assessment Questionnaire (SAQ) to evaluate whether they meet PCI DSS compliance requirements. This self-evaluation helps ensure that even smaller businesses are taking the necessary steps to protect cardholder data.
Important Note:
While the PCI DSS merchant levels provide general guidelines based on transaction volume, the actual level assigned to a merchant can vary. Payment brands (like Visa or MasterCard), acquiring banks, and service providers may assign a higher level based on factors such as risk, past breaches, or how transactions are processed (e.g., in-store vs. e-commerce). Merchants should always check with their acquiring bank or payment processor to confirm their specific compliance requirements.
What is a PCI Qualified Security Assessor (QSA)?
A Qualified Security Assessor (QSA) is an individual certified by the Payment Card Industry Security Standards Council (PCI SSC) to perform PCI DSS compliance assessments and consulting services. While the term "QSA" can refer to both individuals and companies, the PCI SSC often distinguishes companies as QSACs (Qualified Security Assessor Companies) to avoid confusion.
Focusing on the individual role, according to the PCI SSC, a Qualified Security Assessor is someone who meets the following key requirements:
- Has a background in information security through formal education or professional experience.
- Has completed the official QSA training program provided by the PCI Security Standards Council (PCI SSC).
- Is employed by a PCI SSC-approved Qualified Security Assessor Company (QSAC).
- Is authorized to conduct PCI DSS assessments focused on the protection of cardholder data.
What does a PCI Qualified Security Assessor do?
A PCI QSA evaluates organizations that handle credit card data to ensure they meet the security standards defined by the Payment Card Industry Data Security Standard (PCI DSS). This includes assessing how businesses store, process, and transmit cardholder data, and verifying whether their security controls align with PCI DSS requirements.
QSA companies, known as QSACs (Qualified Security Assessor Companies), are independent security firms certified by the PCI Security Standards Council (PCI SSC) to perform these assessments and validate an organization’s compliance.
What Are PCI Qualified Security Assessors Looking for During an Audit?
As mentioned earlier, only Level 1 merchants under PCI DSS are required to undergo a formal assessment conducted by a Qualified Security Assessor (QSA). Merchants classified as Level 2, 3, or 4 typically meet their compliance obligations by completing an annual Self-Assessment Questionnaire (SAQ) instead of a full audit.
For Level 1 merchants, the annual QSA-led assessment functions as an internal audit that evaluates the effectiveness of the company’s information security controls. This involves a thorough review and testing of all security measures surrounding the Cardholder Data Environment (CDE) to ensure full compliance with PCI DSS requirements. As part of the PCI DSS assessment, a QSA typically evaluates the following key areas within the Cardholder Data Environment (CDE):
- **Network segmentation** – Ensuring that the CDE is properly isolated from other parts of the network to reduce scope and risk.
- **Point-of-sale (POS) systems** – Verifying the security of devices and software used to capture card payments.
- **Data encryption** – Confirming that cardholder data is encrypted during transmission and storage.
- **Access controls** – Reviewing who has access to the CDE and whether access is limited to only those who need it.
- **Payment processing applications** – Assessing the security of software that handles card transactions.
- **Data storage practices** – Identifying where and how cardholder data is stored and ensuring it complies with PCI DSS guidelines.
PCI DSS consists of 12 core requirements broken down into 281 directives, so your initial audit may take a long time to complete, possibly up to 2 years. Not every requirement applies to every company, however. Your company may not need to comply with all 281 directives, which reduces the time needed to complete the audit.
PCI DSS Audit Objectives and Process
A PCI DSS audit is led by a QSA and examines how your company handles customer payment information against the requirements set out in PCI DSS.
The three primary goals of the audit are as follows:
- Find any security gaps and check whether the company follows the latest PCI rules.
- List the issues and suggest ways to fix them.
- Make sure all problems are addressed.
The QSA reviews your systems to see if you meet the 12 core PCI DSS requirements, either directly or with approved alternatives (called compensating controls). After the audit, the QSA prepares a Report on Compliance (ROC) to confirm your company’s compliance.
6 Steps of PCI Audit:
There are six steps involved in a PCI audit if your company qualifies for a QSA-led audit.
1. Define Your Scope
When identifying the scope of your PCI assessment, you should consider processes, people and technologies that could affect the safety of cardholder information.
In this step, it is important to know what is in your company's scope. Examine all the locations and flows of cardholder data and the systems that are connected to cardholder data; if they are compromised, they could affect the integrity of that data.
The PCI scope should be reevaluated annually to ensure its accuracy. Detailed documentation of how the PCI scope was identified will assist your auditor in determining whether scoping was done correctly.
2. Look For a Qualified Security Assessor (QSA)
These are the only assessors who can perform a PCI audit. Later, we will explain how to find the QSA for your audit.
Many organizations outsource the audit to a QSA. If your company uses its own internal auditor, make sure that auditor has completed PCI SSC training and is certified as an Internal Security Assessor (ISA). ISAs can also conduct annual PCI audits.
3. Conduct a Gap Analysis
If you are completing PCI DSS compliance for the first time, it is advisable to conduct an initial gap analysis to make your compliance journey easier.
A gap analysis assists service providers and merchants in understanding their latest compliance status before an extensive PCI audit is assigned.
As with an official audit, an ISA, QSA, or other experienced person leads the gap analysis and produces a report of findings. This allows your company to proactively close gaps in its security controls, which can make the subsequent audit more efficient and faster.
4. Complete a QSA-led Assessment
After the gap analysis, the next step is for your QSA to conduct a thorough assessment. This assessment includes:
- Evaluating documentation provided by a company
- Verifying that required security controls are in place
- Interviewing the relevant team members
- Checking physical security controls
5. Address Security Issues
Once the assessment has been completed, the QSA will provide a documented list of findings and give you the opportunity to resolve any missing controls or vulnerabilities before the Report on Compliance (ROC) is issued.
Once your QSA has verified that all non-conformances have been addressed, they will send you a final ROC for review. Once it is approved, your ROC signals to clients and stakeholders that you are PCI compliant.
6. Monitor PCI Security Standards Continuously
An approved ROC is not the final step of your PCI compliance journey. Organizations that are required to complete QSA-led audits must do so annually. Between audits, you are responsible for continuously monitoring your security controls to ensure that all PCI standards continue to be met. If anything in your business changes, your PCI scope may change as well, and you will need to update it accordingly.
Continuous PCI compliance can be demanding. Some tips and tools that can make the process simpler include:
- Perform Approved Scanning Vendor (ASV) scanning
- Use automatic evidence collection
- Monitor your internal controls and systems continuously
- Complete and retain merchant risk assessments
How Do You Find a QSA for Your Audit?
Finding the right Qualified Security Assessor (QSA) is a key step in preparing for your PCI DSS audit. The PCI Security Standards Council (PCI SSC) website offers a searchable, up-to-date list of approved QSA companies (QSACs) and their certified assessors.
You can filter the list by region, market focus, supported languages, and industry experience. Since each company’s environment is different, it's important to choose a QSA with relevant experience in your specific industry.
Once you’ve narrowed down your options, review the profiles of individual assessors to find someone with the right expertise. Don’t hesitate to contact the companies directly to ask questions about the QSA’s background, certifications, or industry knowledge.
To help refine your search further:
- Ask for testimonials or client referrals.
- Look for companies with a high renewal rate (ideally 50% or higher).
- Choose a QSA partner that aligns with your business goals and can clearly explain the audit process.
What If You Fail a PCI Audit?
A PCI audit is not a pass-or-fail test. Think of it as an opportunity to examine the effectiveness of your company’s current security controls and make them stronger than before. If your QSA identifies vulnerabilities in your current cardholder data practices, you may be deemed non-compliant in that section of the audit. In that case, your QSA will provide guidance to help you make the required changes and achieve PCI compliance.
It is best to find problems during the audit: addressing these issues at this stage can save you from larger non-compliance problems later, which may carry both reputational and financial consequences.
Looking for a Trusted QSA Partner?
RedSecLabs is a trusted provider of PCI DSS consulting and audit services, helping businesses of all sizes achieve and maintain compliance. Their team of experts supports clients through every step of the process — from gap analysis to certification.