Are you and your merchants ready for PCI DSS 4.0?

PCI Compliance - Merchants and Payment Service Provider updates

On March 31st, 2024, the PCI Security Standards Council, with input from the payments industry, will release  PCI DSS v4.0. From fortified encryption measures to more stringent password protocols and increased accountability, this update marks a significant stride towards safeguarding cardholder data. 

POPcodes understands the challenges the progressively complicated task of proving and maintaining PCI compliance brings both Merchants and their Service Providers. And, while we’re not QSA’s, we’ve captured an overview of the most impactful changes and have ideas that we hope will help get you and your merchants ready.  The biggest of which is a formalization of roles and responsibilities in virtually every category. 

Here’s a summary of changes for payment service providers (PSPs) and merchants, as well as tips for PSPs helping their merchants navigate these changes effectively. 

Changes for payment service providers and merchants

  1. Documentation: PCI DSS scope must be documented and a statement of compliance by the responsible party must be formally recorded every six months, to align with rapidly evolving environments. Documentation of cryptographic cipher suites, protocols, hardware, and software technologies must be reviewed and updated annually.

  2. Passwords: Password policies now must require password updates every 90 days unless multi-factor authentication is enabled. The minimum password length is increased from 8 to 12 characters, and interactive logins, including hard-coding passwords into scripts, systems, or files is prohibited. 

  3. Penetration Testing & Consumer Support: Service providers must support customers when they conduct external penetration testing and validate control separation in customer environments through penetration testing. Scripts that run in the consumers’ browsers must be authorized, justified, and maintain integrity. 
  1. Different Cryptographic Keys & Inventory Maintenance: Production and test environments must have different cryptographic keys. The inventory of trusted keys and certificates must be kept up to date. An inventory of bespoke and custom software must be maintained for vulnerability and patch management.

Overview of Changes for Merchants

Merchants must also adapt to the evolving changes in the payments landscape. Here are some of the requirements expected for merchants regarding PCI DSS 4.0.

  1.     Security Awareness: Security awareness programs must  be reviewed and updated at least once every 12 months. Security awareness training must equip personnel with the latest security protocols, such as acceptable use of end user technologies or potential impacts on Cardholder Data Environment (CDE). 
  2.     Encryption Standards: Upgrade hashing and encryption mechanisms for Primary Account Numbers (PAN). Define incident response procedures and initiate them promptly upon detecting abnormal PAN storage. 
  3.     Phishing Protection: Implement mechanisms to detect and protect against phishing attacks targeting personnel. 
  4.     Scans: Defining the frequency of scans for inspections, malware scans, and evaluations of systems as well as automating some processes. Manage all applicable vulnerabilities found during scans.

While these are only some of the changes occurring for merchants and payments service providers, you can get a more detailed breakdown of the changes here. Although not all requirements need to be completed by the end of March 2024 this doesn’t mean you shouldn’t get started now. PSPs need to drive awareness and assist merchants in moving towards compliance.

What are some of the consequences of not staying up to date? 

A few worth mentioning are regulatory fines and penalties, which could be substantial as well as the potential for serious data breaches and operational disruptions. Additionally, you could lose your payment processing privileges. Payment service providers need to assist merchants during this transition. But what can you do to assist merchants and ensure they are compliant?

How PSPs Can Assist Merchants?

Empowering merchants to navigate these changes effectively helps. PSPs can do this by keeping merchants informed and sending them resources. Here’s how PSPs can inform merchants effectively.

Drive awareness to Merchants and Associates: Expand your reach to stakeholders by utilizing smart, in-store payment infrastructure. Solutions such as POPcodes Direct-to-Merchant (D2M) communication platform allows you to streamline communication in real-time. You can utilize D2M to send operational campaigns or real-time notifications to inform merchants of PCI 4.0’s release. Send an operational campaign and have merchants fill out this questionnaire. Or send a notification to inform them of the upcoming changes.

Email / Statement Updates: Reach out to merchants via email, outlining upcoming changes and immediate action items. Just ensure your merchants have you marked as a trusted sender to avoid being put into the spam folder. Send helpful links such as this document answering common FAQs or this link which will guide them to the document library.

Payment service providers play a pivotal role in guiding merchants through the maze of regulatory changes. By keeping merchants informed, PSPs can increase merchant retention and foster long-term loyalty. 

Communication between merchants and PSPs is more vital than ever. POPcodes can inform all your merchants at once with operational campaigns or real-time notifications. To learn more about how POPcodes can assist you in enhancing your communication with merchants, click here.


Did you enjoy this content? Don’t stop now, learn how you can increase merchant satisfaction in this blog.




Co-Author: Kelsi Olstad