As our payment technology landscape evolves, so do the tactics of today’s threat actors. For merchants and service providers, protecting consumers from credit card fraud is a moving target. We’re taking a look at the evolution of payment card industry (PCI) compliance standards, including the newest requirements that went into effect in March 2025.
What is PCI compliance?
In 2004, with eCommerce and credit card fraud reaching disruptive levels, five major payment card brands – American Express, Discover Financial Services, JCB International, MasterCard and Visa – came together to form the PCI Security Standards Council. They developed the Payment Card Industry Data Security Standard (PCI DSS) with the goal of creating a more secure payment ecosystem.
While compliance doesn’t guarantee security, it provides a structured foundation to mitigate risk and protect cardholder data. Today, every business that handles, processes, stores or transmits payment card information must comply with the PCI DSS.
There are 12 PCI compliance requirements, organized into six categories:
Build and maintain a secure network and systems
- Install and maintain network security controls.
- Apply secure configurations to all system components.
Protect account data
- Protect stored account data.
- Protect cardholder data with strong cryptography during transmission over open, public networks.
Maintain a vulnerability management program
- Protect all systems and networks from malicious software.
- Develop and maintain secure systems and software.
Implement strong access control measures
- Restrict access to cardholder data by business need-to-know.
- Identify users and authenticate access to system components.
- Restrict physical access to cardholder data.
Regularly monitor and test networks
- Log and monitor all access to system components and cardholder data.
- Test security of systems and networks regularly.
Maintain an information security policy
- Support information security with organizational policies and programs.
The evolution of PCI standards
In order to stay relevant, the PCI DSS must continuously evolve. The security council periodically updates the requirements to reflect advancements in both digital payments innovation and the threat landscape.
Here’s a timeline of that evolution, from 2004 until today, by the Merchant Risk Council:
- December 2004: PCI DSS 1.0 is released
- September 2006: Version 1.1 adds requirements for web-facing application firewalls and professional code reviews
- October 2008: Version 1.2 introduces new antivirus and wireless network defense requirements
- August 2009: Version 1.2.1 provides clarity and consistency updates
- October 2010: Version 2.0 adds data encryption guidelines and user access restrictions
- November 2013: Version 3.0 addresses emerging security concerns, cloud technologies, and penetration testing
- April 2015: Version 3.1 offers short-term updates for upcoming 3.2 compliance
- April 2016: Version 3.2 introduces multi-factor authentication guidelines and more
- May 2018: Version 3.2.1 provides clarifications and standard requirement changes
- March 2022: Version 4.0 is released with significant updates
- March 2025: Version 4.0 is officially in effect
Meeting PCI compliance
Meeting PCI compliance isn’t a one-size-fits-all playbook. Businesses fall into one of four compliance levels based on annual transaction volume:
- Level 1: More than 6 million transactions per year
- Level 2: 1 to 6 million transactions per year
- Level 3: 20,000 to 1 million transactions per year
- Level 4: Fewer than 20,000 transactions per year
Level 1 businesses demonstrate compliance with an annual Report on Compliance (ROC) performed by a Qualified Security Assessor (QSA), quarterly network scans conducted by an Approved Scanning Vendor (ASV), a completed Attestation of Compliance (AOC) form, annual penetration testing and regular internal vulnerability scans.
Level 2 and level 3 businesses must complete an annual Self-Assessment Questionnaire (SAQ) and an AOC form, and have quarterly network scans conducted by an ASV. Level 4 businesses must do the same, except that they are exempt from completing the AOC form.
Failing to meet PCI standards can be financially devastating. Fines range from $5,000 per month for early offenses to $100,000 per month for persistent non-compliance. And that doesn’t include the potential costs of a data breach, which also include loss of customer trust and damage to your brand reputation.
What’s New in PCI DSS 4.0?
PCI DSS 4.0 was introduced in March 2022, giving merchants and service providers a full two years to familiarize themselves with the changes, update reporting templates and forms and implement changes to comply with the requirements. This version addresses four main objectives – keep pace with the changing payment industry, promote continuous security, provide flexibility in maintaining payment security and improve validation methods and procedures.
PCI DSS 4.0 marks a shift in how merchants and businesses should view and meet PCI compliance in three significant ways.
Phased implementation
Unlike past releases, version 4.0 introduced a phased timeline. Implementing this version’s complex technical changes, especially around encryption, authentication and software development practices, requires significant resource planning and budgeting.
The phased approach followed this timeline:
- March 2024: Implementation of critical security controls
- June 2024: Role documentation, encryption, software security and authentication controls (Phase 1)
- September 2024: Asset inventory, TLS implementation, security assessments and logging enhancements (Phase 2)
- December 2024: System hardening, data retention, key management and vulnerability management (Phase 3)
- March 2025: All DSS 4.0 requirements fully implemented
Implementation flexibility
In years past, there was little room for interpretation in how merchants and businesses could demonstrate compliance with the PCI standards. New in version 4.0, organizations can develop their own security controls that meet the objective of a specific requirement, rather than following the prescribed methods exactly as written.
While an outcomes-based approach gives businesses more flexibility, it also adds more responsibility and rigor – businesses must provide significantly more documentation in order to justify their compliance to QSAs.
Expanded testing requirements
PCI DSS 4.0 treats compliance as an ongoing responsibility rather than something met at a moment in time. Instead of testing only at defined calendar dates, businesses must conduct more rigorous and frequent security testing, especially after any significant change to their environment.
Version 4.0 also introduces targeted risk assessments for specific requirements and enhanced penetration testing of both application-layer and network-layer security. Overall, the focus is now on measuring the effectiveness of controls, not just whether or not they’re in place.
Embracing the new approach to PCI compliance
The shift from point-in-time compliance to continuous security monitoring represents a huge change in how businesses must approach payment security. While maintaining compliance in this way may seem overwhelming, the flexibility introduced in version 4.0 acknowledges that security solutions aren’t one-size-fits-all. Aurora has a number of solutions that can help you strengthen your payment security processes.
Disclaimer: This guide is for informational purposes and does not constitute legal or PCI QSAC advice.