On April 1, 2024, the PCI Security Standards Council launched PCI DSS 4.0* – a comprehensive step forward in continuous improvement, flexibility, and enhancements to payment industry security. These standards reflect the collaboration and feedback of more than 200 organizations in the payment industry while keeping up with changes in technology, fraud risks*, and transparency expectations. PCI DSS 4.0 introduced essential updates to enhance security, addressing the continuously evolving threats and technological advancements in payment processing. Recently, the PCI Security Standards Council* released version 4.0.1 to continue adapting to security trends and incorporating expert feedback.

This release introduced several Best Practices that are now coming due, emphasizing key areas in eCommerce. Where applicable, businesses must implement these requirements by March 31, 2025 – and they don’t have to go it alone. Your payments provider is a key partner in building up your payment security practices and technology.

Mirian Hubbard, Director, North America Merchant PCI Programs & Security Solutions, explains, “With the pace of innovation, it’s crucial to work with an acquirer who not only stays informed but can also provide solutions and expertise to help businesses navigate the ever-changing payments security landscape.”

Consider these three areas for taking action to ensure compliance:

Establish a robust vulnerability management program to enhance payment acceptance security

Businesses of all sizes must take payment security risks seriously and establish processes to monitor for vulnerabilities in their operations – POS systems, online stores, third-party integrations, and more. It is critical to regularly monitor for potential security breaches and quickly fix any gaps that could lead to a cyberattack or loss of customer data. For example: 

  • Merchants should enforce secure configurations on web servers, with strict control over vendor default accounts and passwords to prevent unauthorized access.
  • Checkout pages on ecommerce websites should only contain authorized scripts, supported by an inventory to maintain script integrity and mitigate iFrame risks. (Requirement 6.4.3)*
  • Online retail sites must have back-end safeguards like tamper-detection mechanisms to alert personnel to unauthorized changes on payment pages with weekly monitoring. (Requirement 11.6.1)*
  • Beyond monitoring, businesses must continuously document changes and take stock of their payment data flows in preparation for the annual self-assessment questionnaire (SAQ)*. The updated PCI DSS requirements include additional nuanced changes in the SAQ that we can help you understand with the help of our third-party security vendor, VikingCloud, through our online PCI validation portal. We provide the tools for merchants to easily understand security requirements, continuously improve payment processes, and validate compliance.
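As an added example (not Elavon's, VikingCloud's or the PCI SSC's code; every URL, script body and hash in it is constructed), the following Python script shows how the two checkout-page controls above fit together: an authorized inventory of the scripts on the payment page with their Subresource Integrity hashes and a business justification (Requirement 6.4.3), and a comparison of a fetched copy of the page against that inventory that flags added, altered or missing scripts, which is the alert a tamper-detection mechanism under Requirement 11.6.1 needs to raise.

```python
"""Added example, not Elavon's, VikingCloud's or the PCI SSC's code.
Audit the <script> elements of a checkout page against an authorized
inventory (PCI DSS 6.4.3) and report anything added, missing or changed,
the finding a tamper-detection control (11.6.1) must alert on.
All URLs, script bodies and page content below are constructed."""
import base64
import hashlib
from html.parser import HTMLParser


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def sri_sha384(content):
    """Subresource Integrity value for a script body, as used in integrity="..."."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode("ascii")


class ScriptCollector(HTMLParser):
    """Collect every <script>: src and integrity for external scripts,
    SHA-256 of the body for inline scripts."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None  # body chunks of the inline script being read

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            self.scripts.append({"src": None, "inline_sha256": sha256_hex(body)})
            self._inline = None


def audit_page(html, inventory):
    """Compare a fetched checkout page with the authorized inventory.
    Inventory keys are external script URLs (value carries the expected SRI
    string and a justification) or "inline:<sha256>" for approved inline
    scripts. Returns a list of findings; an empty list means the page matches."""
    parser = ScriptCollector()
    parser.feed(html)
    findings, seen = [], set()
    for s in parser.scripts:
        if s["src"]:
            key = s["src"]
            expected = inventory.get(key)
            if expected is None:
                findings.append("UNAUTHORIZED external script: " + key)
            elif s["integrity"] is None:
                findings.append("MISSING integrity attribute on authorized script: " + key)
            elif s["integrity"] != expected["integrity"]:
                findings.append("INTEGRITY MISMATCH, script content changed: " + key)
        else:
            key = "inline:" + s["inline_sha256"]
            if key not in inventory:
                findings.append("UNAUTHORIZED inline script: " + key)
        seen.add(key)
    for key in inventory:
        if key not in seen:
            findings.append("EXPECTED script missing from page: " + key)
    return findings


# --- constructed sample data (hypothetical merchant, not a real site) ---------
CHECKOUT_JS = b"window.Checkout = { tokenize: function (pan) { /* constructed */ } };"
CHECKOUT_SRI = sri_sha384(CHECKOUT_JS)
INLINE_BODY = 'window.checkoutConfig = { merchantId: "constructed-merchant" };'

INVENTORY = {
    "https://pay.example.test/js/checkout.js": {
        "integrity": CHECKOUT_SRI,
        "justification": "card-field tokenization; approved by security (constructed)",
    },
    "inline:" + sha256_hex(INLINE_BODY): {"justification": "merchant configuration (constructed)"},
}

GOOD_PAGE = (
    '<html><body><form id="checkout"></form>'
    '<script src="https://pay.example.test/js/checkout.js" integrity="' + CHECKOUT_SRI
    + '" crossorigin="anonymous"></script>'
    '<script>' + INLINE_BODY + '</script></body></html>'
)

# The same page after an unauthorized change: one extra third-party script
# appeared and the inline configuration block was altered.
TAMPERED_PAGE = (
    '<html><body><form id="checkout"></form>'
    '<script src="https://pay.example.test/js/checkout.js" integrity="' + CHECKOUT_SRI
    + '" crossorigin="anonymous"></script>'
    '<script src="https://static.unknown-cdn.test/t.js"></script>'
    '<script>' + INLINE_BODY + ' window.debug = true;</script></body></html>'
)

if __name__ == "__main__":
    print("good page:", audit_page(GOOD_PAGE, INVENTORY) or "no findings")
    for finding in audit_page(TAMPERED_PAGE, INVENTORY):
        print("ALERT:", finding)
```

In practice the page would be fetched on a schedule (at least weekly, as the bullet above notes) from outside the hosting environment so that a compromised server cannot hide the change, and each finding routed to the personnel named in the incident-response plan. Note that this check only covers script elements; Requirement 11.6.1 also expects the HTTP response headers of the payment page (for example a Content-Security-Policy header) to be compared against a known-good baseline.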

Prioritize employee training on security practices

The new PCI DSS requirements underscore the importance of treating payment security as a shared responsibility across your entire company – and with any outside vendors that you work with. Compliance with these requirements is much more than just implementing the right technical solutions – you must also invest in training and resources for your employees* to confidently manage security practices and safeguards. From multi-factor authentication and strong passwords to protecting point-of-sale devices, your employees should feel empowered to protect your organization from cyber risks and in-person threats. Building a culture of security and continuous improvement will go a long way to protect your customers’ payment data and ensure compliance with PCI DSS requirements.

Stay informed on evolving threats and responsibilities

Keeping pace with a complex and evolving threat landscape is critical to maintaining PCI DSS compliance. Clear roles in vulnerability management are essential, especially for ecommerce merchants using third-party service providers (TPSPs) for hosted payment pages. By staying proactive, organizations can clarify these responsibilities and work closely with providers to address vulnerabilities. In keeping with a culture of continuous improvement, it is critical to constantly monitor current events and industry trends for emerging threats to your payment data. In our rapidly changing digital world, fraudsters continually innovate new ways to skim cardholder data*, breach organizational systems*, and manipulate employees with social engineering tactics*; by keeping track of new threats, your organization can bolster defenses and work with your payments provider to enhance systems.

As the deadline for compliance with new requirements approaches in 2025, organizations that prioritize proactive steps today will be well-prepared for future PCI DSS challenges. By staying informed and vigilant, you will be prepared to meet payment security requirements and protect your customers from evolving external threats.

* By selecting this link, you will leave Elavon content and enter a third-party website. Elavon is not responsible for the content of, or products and services provided by this third party, nor does it guarantee the system availability or accuracy of information contained in the site. This website is not controlled by Elavon. Please note that the third-party website may have privacy and information security policies that differ from those of Elavon.
