PCI DSS 4.0: Everything You Need to Know to Protect Cardholder Data and Stay Compliant
The Payment Card Industry Data Security Standard (PCI DSS) is the global security standard for any organisation that stores, processes, or transmits payment card data. Developed and maintained by the PCI Security Standards Council (PCI SSC), PCI DSS version 4.0 — released in March 2022 with a mandatory compliance date of March 2025 — represents the most significant update to the standard in over a decade. Whether you are a small merchant accepting card payments or a large payment processor handling billions of transactions, PCI DSS compliance is a contractual and regulatory obligation.
The 12 PCI DSS Requirements
PCI DSS 4.0 organises requirements into 12 high-level categories across six goals:
Build and Maintain a Secure Network and Systems:
1. Install and maintain network security controls (firewalls, segmentation)
2. Apply secure configurations to all system components
Protect Account Data:
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission
Maintain a Vulnerability Management Program:
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
Implement Strong Access Control Measures:
7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks:
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
Maintain an Information Security Policy:
12. Support information security with organisational policies and programs
Scoping: The Most Important PCI DSS Decision
PCI DSS scope — the Cardholder Data Environment (CDE) — includes all system components that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), as well as systems that could affect the security of these components.
Scope reduction is the most powerful PCI DSS cost-reduction strategy. Techniques include:
Tokenisation: Replacing actual card numbers with tokens in your systems — the token has no value outside the tokenisation system, effectively removing most of your systems from PCI scope.
Point-to-Point Encryption (P2PE): Using a P2PE solution from a PCI-listed P2PE solution provider. Card data is encrypted from the point of interaction (card reader) and never enters your systems in plaintext — potentially removing your entire CDE from scope for SAQ P2PE.
Network segmentation: Properly segmenting the CDE from the rest of your network using firewalls and network controls. Systems outside the segmented CDE are out of scope — reducing the total number of systems in scope and simplifying the assessment.
SAQ Types: Finding the Right Assessment Path
Merchants who don't store, process, or transmit cardholder data electronically may be eligible for a Self-Assessment Questionnaire (SAQ) rather than a full QSA assessment:
SAQ A: Card-not-present merchants who have fully outsourced all cardholder data functions to PCI-compliant third parties. Fewest requirements.
SAQ A-EP: E-commerce merchants who don't directly receive cardholder data but whose website could impact the security of the payment transaction.
SAQ B: Merchants using only imprint machines or standalone, dial-out terminals — no electronic storage of cardholder data.
SAQ B-IP: Merchants using IP-connected payment terminals — standalone, PTS-approved payment terminals that do not store CHD.
SAQ C: Merchants whose payment application systems are connected to the internet.
SAQ C-VT: Merchants who process cardholder data only through isolated virtual terminals on personal computers connected to the internet.
SAQ D — Merchants: Merchants who don't fit any of the above categories.
SAQ D — Service Providers: All service providers eligible to complete a self-assessment.
Key PCI DSS 4.0 Changes from v3.2.1
Customised approach: PCI DSS 4.0 introduces a Customised Approach as an alternative to the defined approach — allowing organisations to implement alternative controls that meet the stated objective of each requirement, subject to validation by a QSA. This provides flexibility for innovative security implementations.
Multi-factor authentication expansion: MFA is now required for all access to the CDE, not just remote access. This significantly expands MFA requirements for many organisations.
Phishing-resistant MFA: New requirements address phishing-resistant authentication (e.g., FIDO2) for privileged access scenarios.
Payment page scripts: New requirements for monitoring and controlling scripts loaded on payment pages — addressing Magecart-style attacks that inject malicious JavaScript into payment pages to steal card data.
Targeted risk analyses: Many requirements now include a targeted risk analysis to justify the frequency of activities — organisations must document and justify intervals for activities like vulnerability scans and penetration tests based on their risk profile.
New timeline requirements for critical vulnerabilities: Critical vulnerabilities must now be addressed within one month of discovery.
Why Organisations Choose Savadub
Deep GRC Expertise
Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.
Engineers, Not Just Consultants
We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.
Global and African Regulatory Coverage
We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.
Internal and External Audit Capability
We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.
End-to-End Engagement
From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.
Industries We Serve
Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage
Deliverables You Receive
Working with Savadub, every engagement delivers a concrete set of outputs:
- Gap Assessment Report — prioritised findings with effort estimates and risk ratings
- Compliance Roadmap — milestone-based plan from current state to certification or attestation
- Risk Register — organisational risk register with treatment plans
- Policy Pack — all required policies authored, reviewed, and approved
- Technical Control Implementation Evidence — configurations, screenshots, and audit trails
- Internal Audit Report — independent assessment of control effectiveness
- Audit Evidence Repository — organised, auditor-ready evidence collection
- Executive Summary Presentation — board and leadership-ready compliance status
- Remediation Tracker — structured tracking of open findings and closure evidence
- Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance
Get Started with Savadub
Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.
Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.
Contact us:
- Email: grc@savadub.com
- Phone: +234 816 734 2201
- WhatsApp: +234 903 234 8435
- Website: www.savadub.com