
Swipe, Tap, Comply:
What PCI DSS 4.0.1 Means for your Business


With the seemingly never-ending updates to B2B contracts for compliance with new (and amended) comprehensive state privacy laws, the U.S. Department of Justice’s bulk data transfer rule, and artificial intelligence (AI) integrations, it’s no wonder that PCI DSS 4.0 likely hasn’t hit any Top 10 lists for 2025. That doesn’t mean compliance with the Payment Card Industry Data Security Standard (PCI DSS) is any less important than other requirements – in fact, it could be more important if a business wants to continue to receive payment via credit or debit card!

What is PCI DSS?

PCI DSS sets out a security framework for storing, processing and transmitting payment card data. Payment processors and businesses that accept payment cards are required by the card brands, such as Visa and MasterCard (typically through their contracts with acquiring banks), to follow these technical requirements. At a very high level, the standard requires businesses to build and maintain secure network controls, protect stored account data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain and execute an information security policy. With roughly 400 pages setting out the standard (not counting the supplemental implementation guidance), it is no wonder many businesses historically relied on their payment processors for compliance with PCI DSS.

PCI DSS 4.0.1 Compliance

The PCI DSS 4.0.1 updates likely snuck up like a sneaker wave on smaller businesses: the requirements that version 4.0 introduced as "future-dated" best practices became mandatory after March 31, 2025, so as of April 1, 2025 the full set applies. While smaller businesses rarely hire a Qualified Security Assessor (QSA) to perform a formal assessment and produce a Report on Compliance, nearly all businesses that accept cards (even entities that route payments through a processor and never store card numbers themselves) still need to complete the annual PCI Self-Assessment Questionnaire (SAQ) that their acquiring bank requires and to document an Attestation of Compliance (AOC).

For compliance with PCI DSS, a business needs to ensure appropriate protection of its cardholder data environment (CDE): the people, processes and technologies that store, process or transmit cardholder data, plus any systems connected to them. This means a business needs to understand how cardholder data flows from its point-of-sale device, e-commerce checkout or other payment channel to its payment processor, and which of its own systems touch that data along the way. Which SAQ form a business should complete depends on that payment channel and on how the connection to the processor is established, whether at a physical location or through an online form. For example, SAQ A covers merchants that fully outsource cardholder data handling to PCI DSS-compliant third parties, SAQ B-IP covers standalone IP-connected payment terminals, and SAQ D applies where no narrower questionnaire fits. The type of connection also determines what steps a business needs to take to segment the CDE from its other network devices and servers and to protect the transmission of data between the business and the payment processor. Scoping is the first step: PCI DSS 4.0 requires a business to document and confirm the scope of its CDE at least every 12 months, and that scoping exercise, together with the annual risk assessment, determines how the business completes its SAQ and documents its AOC.

If you have additional questions, feel free to contact a member of our privacy & data security team.

This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.
