If your business handles credit card data, PCI DSS compliance isn’t optional—it’s critical. From retailers and e-commerce platforms to service providers and financial institutions, securing credit card data is essential to maintaining customer trust and preventing fraud.
But what exactly is PCI DSS? Why does it matter? And what’s changed? In this blog, we’ll answer the most common PCI-related questions and explain how you can simplify compliance with expert help from Integrity360.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It’s a global framework of security requirements designed to protect cardholder data and reduce payment fraud. The standard is maintained by the PCI Security Standards Council (SSC), which was founded by the 5 major card brands including Visa, Mastercard, American Express, JCB and Discover.
Any organisation that stores, processes or transmits cardholder data, or that may have an impact on the security of cardholder data, must comply with PCI DSS, regardless of size or industry. That includes merchants, service providers, issuers and acquirers.
Why PCI DSS matters
Non-compliance with PCI DSS can result in serious consequences—non-compliance fines and penalties, increased transaction fees, reputational damage, and even the loss of your ability to process or accept card payments. But compliance isn’t just about avoiding penalties.
The standard promotes a culture of security, encouraging businesses to build resilience against security breaches and cyber threats. Benefits of being PCI DSS compliant include:
- Reduced risk of cardholder data compromise
- Demonstrable trustworthiness to customers and partners
- Streamlined processes, lower costs and stronger security
- Improved security and compliance posture
PCI DSS version 4.0.1
PCI DSS version 4.0 came into force in March 2025, replacing version 3.2.1. This major update reflects the evolution of payment technologies and the threat landscape. Since then, a limited revision of the standard, 4.0.1, came into effect in June 2025, incorporating the lessons learnt in the 2 years since the standard was first published.
Here are the most important changes introduced:
- New requirements
A total of 64 new requirements have been added. Thirteen were effective immediately upon v4.0.1’s release, while the remaining 51 are now mandatory as of 31 March 2025. These cover areas including but not limited to:
  - Multi-factor authentication (MFA) expansion
  - Enhanced password security
  - Enhanced security awareness training
  - Targeted risk analyses
  - Monitoring of payment page scripts for e-commerce sites
- Defined vs customised approaches
Version 4.0 introduced a new ‘Customised Approach’ to compliance, allowing organisations with mature risk management frameworks to demonstrate security controls in alternative ways. This complements the existing ‘Defined Approach’ and provides flexibility in how requirements are met.
Businesses can now mix both approaches within the same Assessment and Report on Compliance (RoC), applying the most appropriate methodology to different systems, processes or technologies.
- Increased focus on risk management
Risk management is no longer just a control—it’s now a core competency. PCI DSS v4.0.1 expects organisations to perform Targeted Risk Analyses in areas such as authentication, user management, and vulnerability management. These analyses help tailor security measures to real-world risk levels.
- Updated reporting template
The Report on Compliance (RoC) template has grown in size and complexity, from 192 pages to 354 pages. This reflects the increased technical and procedural requirements introduced in response to an ever more complex and sophisticated threat and cybersecurity landscape.
- Changes to SAQs
Self-Assessment Questionnaires (SAQs) have been updated to reflect the changes in the standard. Organisations using SAQs to validate compliance should ensure they’re using the latest versions and understand the new expectations, particularly around risk and the increased level of detail required in reporting.
How to achieve PCI DSS compliance
Achieving and maintaining PCI DSS compliance is a continuous process, not a one-off project. It typically involves three key stages:
- Scope analysis review
Identify all systems, networks and processes that interact with cardholder data. This defines the boundaries (and the cost) of your PCI DSS compliance efforts.
- Gap analysis
Compare your current controls and processes against PCI DSS requirements to identify where you fall short. A detailed gap analysis highlights areas needing remediation and forms the basis for your remediation roadmap.
- Formal assessment of compliance
This is the final step, where you demonstrate adherence to the standard. Depending on your level (based on annual transaction volume and entity classification – Merchant/Service Provider), this could involve the completion of a Self-Assessment Questionnaire (SAQ) or an onsite compliance validation assessment performed by a Qualified Security Assessor (QSA).
How Integrity360 can help
As the most chosen QSA among European PCI DSS Validated Service Providers according to Visa’s and Mastercard’s lists, Integrity360 delivers end-to-end PCI DSS services, including:
- PCI Compliance Validation: Thorough reviews to assess and verify compliance.
- Trusted Advisory Services: Expert guidance through the entire compliance lifecycle.
- Remediation Support: Hands-on help addressing non-compliance gaps.
- Customised Workshops: Half-day sessions to walk you through the v4.0.1 changes.
- Ongoing Support: Risk assessments, continuous improvement plans, and advisory services.
If you’re new to PCI, we make the process clear, achievable and tailored to your business.
PCI DSS myths debunked
Let’s address a few common misconceptions:
- “I use a compliant service provider—so I’m exempt.”
Wrong. You’re still responsible for ensuring your provider is compliant, for any residual controls that remain your responsibility, and for any impact you may have on the security of cardholder data.
- “We passed last year’s assessment—job done.”
PCI DSS is a continuous process. Annual assessments are required, but maintaining controls year-round is essential.
- “Compliant means secure.”
Not entirely. Compliance is a baseline. It reduces risk, but no standard can fully eliminate the chance of a breach.
If you’re looking for support in navigating these changes or need help achieving compliance, Integrity360 is here to guide you every step of the way.