The Payment Card Industry Data Security Standard (PCI DSS) is an essential security standard for organisations that process and store cardholder data. The standard helps companies protect data, reduce fraud and minimise the risk of data breaches.
With the continued growth of digital payments, securing card data is more important than ever. By 2025, PCI DSS 4.0 is fully in force, with stricter requirements for cybersecurity and data protection.
SimpledCard, as a spend management solution, is also PCI DSS-certified. In this article, we explain what PCI DSS means, what has changed, and how to ensure your organisation stays compliant.
What is PCI DSS?
PCI DSS was established by Mastercard, VISA, American Express, JCB and Diners. It is an independent, international security standard to protect cardholders' data in digital payment transactions.
Organisations' compliance with PCI DSS is monitored by the Payment Card Industry Security Standards Council (PCI SSC). Its aim is to secure credit cards and debit cards against data theft and fraud.
The PCI SSC has defined a set of technical and operational requirements for this, which we come back to later in this article.
The PCI SSC has no legal authority and therefore cannot itself enforce organisations' compliance with the standard. But in order to process credit card and debit card transactions online, PCI DSS certification is a must.
What requirements do you need to meet for PCI DSS?
A PCI DSS certification ensures the security of card data in your organisation. You get the certification by meeting the requirements of the PCI SSC.
The requirements include a number of best practices, such as:
❯ Installing firewalls;
❯ Encrypting data in transit;
❯ Using anti-virus software;
❯ Restricting access to cardholder data;
❯ Controlling access to network resources.
The certificate shows that your company has passed an intensive audit, and that you demonstrably take strict measures to protect cardholders' data.
If you are compliant as an organisation, then you show customers that they can make secure transactions with you. Moreover, the fines you face for non-compliance are a good reason to take data security seriously.
PCI certification is seen as the best way to secure sensitive data. This helps you build long-term, trusting relationships with customers.
What are the main changes in PCI DSS 4.0?
With the introduction of PCI DSS 4.0 on 31 March 2024 and mandatory compliance from 31 March 2025, additional security requirements are imposed. These are the most notable changes:
Stronger password requirements
- Minimum of 12 characters (was 7 characters).
- Passwords should contain unique combinations of numbers, letters and special characters.
- Accounts without Multi-Factor Authentication (MFA) must change their password every 90 days.
Additional protection for accounts and systems
- Passwords of system accounts must be at least 15 characters long.
- Hardcoded passwords in scripts or applications are prohibited.
- Stricter rules for API keys and encryption of sensitive data.
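The password rules above can be enforced at password-change time and checked during account reviews. The following is an added example written for this article, not SimpledCard's own code; the thresholds (12 and 15 characters, 90 days, the required character classes) are taken from the list above, and the Account fields are assumed.

```python
"""Password-policy checks modelled on the PCI DSS 4.0 rules listed above.
Assumed (from the article): user passwords >= 12 characters, system accounts
>= 15, a mix of letters, digits and specials, and 90-day rotation without MFA.
"""
from dataclasses import dataclass
from datetime import date
import string

USER_MIN_LENGTH = 12    # interactive user accounts (was 7 before 4.0)
SYSTEM_MIN_LENGTH = 15  # system / service accounts
ROTATION_DAYS = 90      # maximum password age when MFA is not in place


@dataclass
class Account:
    name: str
    is_system: bool        # service account rather than a human user
    mfa_enabled: bool
    password_set_on: date  # date of the last password change


def password_weaknesses(password: str, is_system: bool = False) -> list[str]:
    """Rules the candidate password fails (check at change time, never store plaintext)."""
    minimum = SYSTEM_MIN_LENGTH if is_system else USER_MIN_LENGTH
    problems = []
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    return problems


def rotation_overdue(account: Account, today: date) -> bool:
    """True when a non-MFA account's password is older than ROTATION_DAYS."""
    if account.mfa_enabled:
        return False  # MFA-protected accounts are exempt from forced rotation
    return (today - account.password_set_on).days > ROTATION_DAYS


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(password_weaknesses("Horse-battery7"))        # []
    print(password_weaknesses("Horse-battery7", True))  # ['shorter than 15 characters']
    svc = Account("backup-job", True, False, date(2025, 1, 1))
    print(rotation_overdue(svc, date(2025, 6, 1)))      # True
```

Wire `password_weaknesses` into the password-change path and run `rotation_overdue` over the account inventory in the periodic access review.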
Authenticated vulnerability scans
- Companies must now perform authenticated scans, which give a more detailed insight into vulnerabilities.
Better detection of malware and cyber attacks
- Organisations need to be able to detect malware communications, such as DNS tunnelling and Command & Control attacks.
- Stricter requirements for Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
How do you get PCI DSS certification?
The PCI SSC has 12 requirements for processing cardholder data and maintaining a secure network. They are divided into six objectives and all weigh equally, so you have to meet every requirement to get PCI DSS certification.
❯ Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
❯ Protect cardholder data
3. Protect stored cardholder data.
4. Encrypt cardholder data transmitted over open, public networks.
❯ Implement a vulnerability management programme
5. Use anti-virus software or programmes and update them regularly.
6. Develop and maintain secure systems and applications.
❯ Use strong access measures
7. Limit access to cardholder data.
8. Assign a unique ID to each person with computer access.
9. Limit physical access to cardholder data.
❯ Monitor and test networks regularly
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
❯ Maintain an information security policy
12. Maintain a policy governing information security for all staff.
To keep the certificate, you have to demonstrate compliance every year. Organisations that fail to do so can expect hefty fines.
If you are PCI-compliant, the chances of a data breach due to a cyber-attack are low. Should your business still suffer one, the card schemes can significantly reduce your PCI fines; they may even be waived. However, you must prove that you have done everything possible to be PCI DSS compliant.
SimpledCard and the PCI DSS security standard
As a certified company, SimpledCard meets the industry's highest security standards. We do this by, among other things:
✅ Stronger passwords: Minimum 12 characters, including numbers, letters and special characters.
✅ Multi-Factor Authentication (MFA) for all internal and external accounts.
✅ No default passwords or preset user names.
✅ Regular vulnerability scans and audits.
✅ Encryption of cardholder data so that it is stored and transmitted securely.
✅ Continuous software updates and security-awareness training for our staff.
With SimpledCard, you are assured of a secure payment solution, without worrying about compliance.
Any questions about this article? Feel free to contact our team of financial experts; they will answer all your questions about PCI DSS, PCI DSS certification and other issues.
FAQ
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard and is a global security standard that ensures cardholder data is processed and stored securely by companies that accept payments.
Why is PCI DSS important?
The PCI DSS data security standard helps organisations prevent data breaches, fraud and cyber attacks. Companies that comply with PCI DSS requirements demonstrate that they process credit card data securely.
Which companies need to be PCI DSS compliant?
All companies that process, store or transmit credit card payments must comply with PCI DSS. This applies to both large enterprises and small online shops.
What are the main changes in PCI DSS 4.0?
With the advent of PCI DSS 4.0, companies are required to:
- Use stronger passwords (minimum 12 characters).
- Apply Multi-Factor Authentication (MFA) for access to cardholder data.
- Execute regular vulnerability scans and penetration tests.
- Improve security measures against malware.
How do I get PCI DSS certification?
To become PCI DSS-compliant, your organisation must meet 12 security requirements spread across six pillars. These include the use of firewalls, encryption, access control and monitoring.
How long is a PCI DSS certification valid?
A PCI DSS certification is valid for one year. Organisations must re-meet the requirements annually to maintain their certification.
What happens if you are not PCI DSS compliant?
Companies that do not comply with the PCI DSS data security standard risk high fines, liability for data breaches and even the loss of their ability to accept credit card payments.
What are PCI DSS companies?
PCI DSS companies are those that comply with the PCI DSS standard, demonstrating that they process cardholder data securely. SimpledCard is an example of a PCI DSS-certified company.
How does SimpledCard help with PCI DSS compliance?
SimpledCard meets all the requirements of PCI DSS 4.0 by:
- Using strong encryption and secure networks.
- Running regular vulnerability scans and audits.
- Implementing Multi-Factor Authentication (MFA).
- Limiting access to cardholder data.
What is the difference between PCI DSS and other security standards?
PCI DSS focuses specifically on payment data security. Other standards, such as ISO 27001, are broader and cover general information security.
How can I check if my business is PCI DSS compliant?
You can have your compliance status assessed by a certified PCI DSS auditor (Qualified Security Assessor, QSA), or complete a Self-Assessment Questionnaire (SAQ) yourself if you process fewer than 6 million transactions per year.
Do I need to be PCI DSS compliant if I use a PSP (Payment Service Provider)?
Yes, even if you use a payment provider like Stripe, Adyen or Mollie, you need to make sure your business is PCI DSS-compliant, especially if you store or process credit card data.