Countdown to PCI DSS 4.0: Don't Let Compliance Keep You Up at Night
Blog
29 Jan 2025
As organizations race to meet the March 2025 deadline for PCI DSS 4.0 compliance, discover the major challenges around multi-factor authentication and third-party scripts, and learn why removing cardholder data from your environment might be the simplest solution.
PCI DSS v4.0 was introduced in March 2024, the first major update to PCI regulations for more than ten years, and there has since been an additional revision – PCI 4.0.1 – released in June 2024 to clarify some of the requirements. In all, 64 new requirements were introduced, all aimed at enhancing the security of payment card transactions. Of these, 51 were future-dated so that organizations would have time to do the work necessary to ensure compliance. You can access a complete list of these requirements on the PCI Security Standards Council website.
The final compliance deadline for these changes is March 31 2025, which is now just around the corner. Meeting this deadline is critical for organizations to maintain compliance and avoid potential penalties. Most organizations should now be well down the path towards compliance, but we know that some requirements have proved more complex to implement for many organizations, and in this blog we focus on those.
One of the significant changes in PCI DSS v4.0 is the mandatory implementation of multi-factor authentication (MFA) for accessing any part of the cardholder data environment (CDE). Previously considered best practice, this becomes a mandatory requirement from March 31 2025 for any organization that stores or processes cardholder data.
For organizations still handling cardholder data internally, this requirement poses challenges beyond simply updating policies or changing documentation. Implementing MFA requires technical adjustments and alterations to workflows, which could impact employees accessing the data. Time and effort will be needed to establish and communicate new processes to ensure smooth adoption across the organization.
However, organizations leveraging secure payment solutions like Eckoh CallGuard can bypass this challenge entirely because they do not store any sensitive cardholder data within their environment. By ensuring no cardholder data enters the network or contact center, these organizations completely eliminate the need for MFA for CDE access, simplifying their processes significantly.
A significant update in the regulations concerns the security of third-party scripts running on payment pages. Organizations must now authenticate and authorize all third-party scripts on their checkout pages, maintain an inventory of these scripts, and document their purpose. Additionally, mechanisms must be in place to alert security teams if unauthorized scripts are introduced.
This change aims to safeguard against attacks like formjacking, web skimming, and e-skimming, which exploit vulnerabilities in legitimate payment pages to steal sensitive card data.
To comply, businesses have two main options. One is to eliminate all non-essential third-party scripts from payment pages, ensuring only necessary scripts remain, along with clear documentation and justifications for their presence.
Alternatively, organizations can work with a Payment Service Provider (PSP) to host payment pages externally, redirecting customers to a secure third-party environment for card data entry. While effective, the latter option may compromise the seamless customer experience many businesses aim to provide.
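As an added illustration (not Eckoh's code or any product's), the following Python check models the inventory-and-alert part of the script requirement described above: it extracts the scripts from a captured payment page, hashes each one, and reports any script that is missing from the documented inventory or whose content no longer matches the authorized hash. Every URL, script body and hash in it is constructed sample data.

```python
import hashlib
from html.parser import HTMLParser
def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

class _ScriptCollector(HTMLParser):
    """Collects every <script> on a page as (src or None, inline body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._buf = None

def audit_payment_page(page_html, fetched, inventory):
    """Return (finding, identity) pairs to alert on. fetched = {src: body as retrieved};
    inventory = {identity: (expected_sha256, documented purpose)}, where identity is
    the src URL for an external script and "inline:<sha256>" for an inline one."""
    c = _ScriptCollector()
    c.feed(page_html)
    findings = []
    for src, body in c.scripts:
        ident = src or "inline:" + sha256_hex(body)  # an edited inline script gets a new identity
        if ident not in inventory:
            findings.append(("unauthorized", ident))  # no inventory entry, no justification
        elif src and sha256_hex(fetched.get(src, "")) != inventory[src][0]:
            findings.append(("modified", src))  # authorized URL, but the content changed
    return findings
# Constructed sample: two documented vendor scripts and one allowlisted inline snippet.
TAG_JS = "window.analytics = {page: 'checkout'};"
PSP_JS = "window.psp = {tokenize: function (pan) { return 'tok_' + pan.length; }};"
INLINE_JS = "document.getElementById('pay').disabled = false;"
INVENTORY = {"https://tags.example-vendor.test/tag.js": (sha256_hex(TAG_JS), "conversion analytics"),
             "https://checkout.example-psp.test/v2/psp.js": (sha256_hex(PSP_JS), "PSP card tokenization"),
             "inline:" + sha256_hex(INLINE_JS): (sha256_hex(INLINE_JS), "enable the Pay button")}
SAMPLE_PAGE = f"""<html><body><script src="https://tags.example-vendor.test/tag.js"></script>
<script src="https://checkout.example-psp.test/v2/psp.js"></script><script>{INLINE_JS}</script>
<script src="https://cdn.example-unknown.test/u.js"></script></body></html>"""
# At audit time the tag vendor has shipped an unreviewed change and an unknown script is present.
FETCHED = {"https://tags.example-vendor.test/tag.js": TAG_JS + "\n// unreviewed vendor update",
           "https://checkout.example-psp.test/v2/psp.js": PSP_JS,
           "https://cdn.example-unknown.test/u.js": "/* not in the inventory */"}
```

Running `audit_payment_page(SAMPLE_PAGE, FETCHED, INVENTORY)` flags the changed analytics script as modified and the unknown script as unauthorized, while the PSP library and the allowlisted inline snippet pass; in practice the page and script bodies would be captured on a schedule and the findings routed to the security team's alerting.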
For organizations completing Self-Assessment Questionnaires (SAQs) or Reports on Compliance (ROCs), PCI DSS v4.0 introduces changes to the templates. Notably, organizations are now required to conduct formal risk assessments for any changes made to their environment, such as installing new firewalls. While this may not seem as daunting as some other requirements, it does add additional layers of effort and cost to compliance efforts.
Of course, organizations using Eckoh’s CallGuard solution can avoid these complexities entirely. By fully removing cardholder data from their systems, businesses can de-scope completely from PCI DSS, eliminating the need to complete many of the more complex compliance, reporting and auditing requirements.
Achieving and maintaining PCI compliance is a continuous process that often demands significant resources. Organizations that store cardholder data within their networks or contact center environments face ongoing risks and responsibilities, including ensuring data security and meeting stringent compliance requirements.
However, since the introduction of secure payment solutions like Eckoh’s CallGuard, businesses have had the option to simplify their approach to PCI compliance substantially. Tools such as CallGuard ensure that cardholder data never enters their systems, meaning organizations can effectively eliminate the risks and costs associated with holding that data.
We know from our own research that consumers increasingly expect secure and seamless payment experiences, whether over the phone, via email, through live chat, or by SMS. This means that providing secure payment options across these channels not only supports compliance while reducing cost and risk, but also builds trust with customers.
This is why both the PCI Security Standards Council and Qualified Security Assessors (QSAs) recommend de-scoping as the most effective way to achieve PCI compliance. De-scoping eliminates the need for extensive compliance measures by removing sensitive data from the organization’s environment altogether.
With the March 2025 PCI DSS compliance deadline fast approaching, now is the time to act. Meeting the new requirements doesn’t have to be an arduous process. Solutions like CallGuard offer a simple and effective way to address compliance challenges while enhancing both security and customer trust.
By adopting a secure payment solution that removes sensitive data from your environment, you can focus on delivering exceptional customer experiences without the constant burden of compliance. Reach out today to learn how CallGuard can help your organization achieve and maintain PCI DSS compliance effortlessly.