Eddie Mahdi

PCI DSS 4.0: What Does Your Business Need to Do Before 31 March 2025?

As a business owner, whether large or small, you know that there’s always an array of compliance requirements and standards that you must regularly adhere to in order to continue operating and serving your customers.

This is especially true when it comes to technology and operating a business online. With so many potential threats to both you and your customers, these compliance and security standards help to keep us all safe when transacting in the modern digital world.

Of course, one of the most important standards that we have is the Payment Card Industry Data Security Standard (PCI DSS).

For your business to be able to safely take card payments from customers, you need to demonstrate each year that you have taken the necessary steps to comply with the security standards and requirements set out in the PCI DSS.

With this, you may be aware that in 2022, PCI DSS was updated from version 3.2.1 to version 4.0. While a significant transition period was put in place to give all businesses a chance to become compliant, that period is now over – and there are now less than 12 months until full compliance with all new requirements set out in this update must be adhered to.

  • So what does this mean for your business?
  • And what exactly do you need to do to ensure that your business is compliant by this point?

In this article, we’re going to answer these questions to help you understand your obligations and ensure that your business and customers’ data remains secure throughout all card transactions.

Let’s start at the beginning.

Recap: What is PCI DSS and why do we need it?

The PCI Security Standards Council (PCI SSC) is a global forum that brings together payment industry stakeholders to develop and drive the adoption of data security standards and resources for safe payments worldwide.

As part of this, the PCI SSC sets the standard for secure payments around the world to protect all parties involved in these transactions across the entire payment ecosystem.

These data security standards, known as PCI DSS, outline the requirements and obligations that businesses like yours must adhere to in order to be officially considered PCI compliant.


Who needs to be compliant with PCI DSS?

According to the PCI SSC, PCI DSS compliance applies to all entities that store, process and/or transmit cardholder data. The compliance covers technical and operational system components included in or connected to cardholder data, meaning if you’re a merchant, service provider or financial institution that accepts or processes payment cards, you must comply with PCI DSS.

Not only does being compliant with PCI DSS help to protect both your business and your customers’ data, but it also demonstrates to payment processors and other stakeholders that you have adopted the measures outlined in the security standards and are serious about protecting all parties to the transaction.


What changed from PCI DSS 3.2.1 to PCI DSS 4.0?

In March 2022, the PCI SSC announced a major update.

This update, known as PCI DSS 4.0, recently replaced the retired PCI DSS 3.2.1 in March 2024 to become the new standard in payment card data security for businesses like yours.

Essentially, this major update to PCI DSS was the introduction of several new requirements that businesses like yours must comply with.

In addition, the PCI Self-Assessment Questionnaire also received an overhaul, and several new questions have also been added to help promote better security standards and bolster the procedures set out for compliance validation across all businesses.

For a full breakdown of these new requirements and changes, you can download the PCI DSS Summary of Changes: v3.2.1 to v4.0.

However, while the transition from PCI DSS 3.2.1 to PCI DSS 4.0 has now finished, many of the new requirements that were announced do not officially come into effect as compulsory until 31 March 2025.

While these requirements are still considered best practice right now, this gives your business a longer opportunity to adopt these requirements and improve your operations to ensure that you can comply with each of these new requirements by that time.


So, what does your business need to do before 31 March 2025?

Once the transition period is over, your business will no longer be able to validate your compliance under the standards set out in PCI DSS v3.2.1, and you’ll now have to show that you’re compliant with PCI DSS 4.0 moving forward.

If you have already done this, you may have found that there were some requirements that you had not yet implemented at the time of your validation. If so, you will have to ensure that you implement these by 31 March 2025 – the point where they will be reclassified from “best practice” to “mandatory”.

Of course, if you’ve yet to validate your business with the new PCI DSS 4.0, then you will come across these additional requirements when you come to do so.

It is recommended that you begin the validation process as early as possible to ensure that you are fully compliant by the set date.

Failure to comply with these new requirements and security standards could result in having fines imposed by payment processors, and potentially even having your ability to accept card payments revoked until your business does comply.

If you’ve got any questions or concerns about complying with PCI DSS 4.0, a Managed IT provider like Centrix can help ensure that your business can become fully compliant as soon as possible.


Centrix are the experts in helping businesses become compliant with PCI DSS 4.0.

We understand that adapting to significant PCI security standards updates can be overwhelming.

That’s why our team at Centrix is always ready – we help small businesses up to large corporate organisations succeed by managing, supporting and protecting critical IT infrastructure.

Backed by our extensive knowledge and expertise, Centrix is here to support your organisation with comprehensive solutions, as well as IT Connectivity and Collaboration Service Packages, Cloud IT, Cybersecurity Protection, Managed IT Services and other IT Solutions.

We also help businesses like yours to understand your obligations around PCI DSS 4.0 and work to achieve full compliance with all requirements by 31 March 2025.

To learn more, book an IT Health Check or contact us today.



Schedule a free consultation with a Centrix expert to ensure your data is safe and secure. No obligation – just peace of mind.

    Leave a Reply

    Your email address will not be published. Required fields are marked *