ICYMI: Check PCI DSS compliance to avoid fines | McDermott

Steer clear of fines: Check your PCI DSS compliance

Overview

Regardless of where you are in the world, if your organisation has not yet achieved compliance with the Payment Card Industry Data Security Standard (PCI DSS) 4.0.1, prompt action is critical to avoid fines, penalties, and assessments.

In Depth

As of 1 April 2025, all merchants and third‑party service providers (TPSPs) involved in processing credit or debit card payments must fully adhere to the enhanced security requirements outlined in PCI DSS 4.0.1. PCI DSS applies globally and regardless of where the entity is located. The transition to the new PCI DSS 4.0 controls requires new policies, processes, and technology solutions for card transaction protection.

PCI DSS 4.0 was developed to reduce card fraud through more robust security and policy standards. During the full rollout of PCI DSS 4.0, the PCI Security Standards Council updated PCI DSS 4.0 to PCI DSS 4.0.1. The 1 April date ended various grace periods tied to the staged roll‑out of PCI DSS 4.0/4.0.1. Requirements previously tagged as “best practice” are now mandatory and must be implemented and tested.

Understanding PCI DSS and Its Applicability

PCI DSS is a comprehensive set of security standards designed to ensure that all entities processing, storing, or transmitting payment‑card data maintain a secure environment. PCI DSS applies universally to all merchants and TPSPs, regardless of payment channel (e‑commerce, call center, in‑store terminal, etc.). Even third parties that can affect the security of card processing must comply.

PCI DSS is a Global Standard

PCI DSS obligations originate with the international payment‑card brands, including Visa, Mastercard, American Express, Discover, and JCB. Each brand embeds PCI DSS compliance in its network operating regulations and contractually passes those obligations to acquiring banks. Acquirers then flow the same requirements down to merchants and TPSPs through their merchant agreements and service contracts. Because these card-brand rules apply worldwide, any organisation that stores, processes, or transmits cardholder data for the card brands must comply with PCI DSS, no matter where it is located. This effectively makes PCI DSS a de facto global baseline for payment‑card security.

PCI DSS Compliance with International Regulations and Guidelines

Several jurisdictions explicitly reference or incorporate PCI DSS within their own statutory or regulatory frameworks. Organisations operating globally should track these references to ensure PCI DSS compliance.

Japan

The 2016 revision to the Installment Sales Act instructed merchants to avoid storing card data and to meet PCI DSS as a recognised fraud‑prevention measure. The Security Guideline for Credit Cards (designated under JISA Article 35‑16) was overhauled in March 2025 (Version 6.0). It references PCI DSS 4.0 and 4.0.1 and guides businesses on verifying and complying with PCI DSS requirements according to each business's type and system/network configuration.

India

The Reserve Bank of India Master Direction on Digital Payment Security Controls (18 February 2021) tells regulated entities to follow payment‑card standards, including PCI DSS and the PCI Payment Application Data Security Standard (PA-DSS) when securing card channels.

Singapore

The Monetary Authority of Singapore includes guidance to follow PCI DSS as a benchmark that financial institutions should align with when handling cardholder data.

United Kingdom

The UK Gambling Commission may accept existing PCI DSS audits as evidence that licensees meet required security controls.

Saudi Arabia

The Saudi Central Bank’s Cyber Security Framework states that it is built on global standards, including PCI DSS, and mandates PCI DSS compliance for member organisations.

United States

Several states have written PCI DSS directly into their consumer-data statutes or offer liability safe harbors tied to PCI DSS compliance. The following is a small sample.

Nevada obliges any “data collector” that accepts payment cards to follow the then-current version of PCI DSS for those transactions. NRS 603A.215.

Minnesota implements some of the PCI DSS storage prohibitions by banning retention of card security code data, PIN, or full track data beyond 48 hours after authorisation. The Plastic Card Security Act, Minn. Stat. § 325E.64.

Washington requires large retailers and processors to reimburse financial institutions after a card-data breach unless the entity’s PCI DSS compliance had been validated within the prior year, effectively incorporating PCI DSS as a safe harbour. RCW 19.255.020.

Even where PCI DSS is not written into law, regulators often point to it as the baseline. Multinational merchants and service providers should treat PCI DSS 4.0 as a minimum wherever card data is present, and then build local add‑on requirements on top of PCI DSS.

Key Obligations Under PCI DSS 4.0.1

PCI DSS 4.0.1 introduces significant changes, including longer and more detailed Self-Assessment Questionnaire forms.

One major difference is the increased focus on targeted risk analysis and organisational maturity. Additionally, the new version introduces a customised approach to PCI assessments, allowing businesses to implement alternative technical and administrative controls under that customised approach rather than following the defined controls verbatim.

As the enforcement date is already in effect, organisations must ensure now that they have implemented critical requirements, such as:

  • Defining the scope of the PCI DSS: This must be done annually (or every six months for TPSPs) and include defining and documenting the assessment scope; identifying all system components, people, and processes that handle card data; and recording all roles and responsibilities.
  • Controlling payment page scripts: All client-side payment page scripts must be controlled to block unauthorised changes.
  • Automating technical solutions: Automated tools must be deployed for public-facing web applications to detect and prevent web-based attacks.
  • Monitoring TPSPs and responding to incidents: Monitoring procedures must be strengthened in accordance with PCI DSS requirements, and documentation is required from TPSPs to verify compliance and support incident response.
  • Undertaking targeted risk analyses: These are required to address specific vulnerabilities in the card data environment.
  • Enhancing encryption requirements: Stronger encryption protections must be applied (as specified in PCI DSS), especially where whole disk encryption is used.

Bear in mind that outsourcing card functions does not remove PCI duties; this is a common misconception among merchants who outsource card processing. Merchants that outsource processing must still complete an annual Self-Assessment Questionnaire and Attestation of Compliance.

Impact on Third-Party Vendors and Service Providers

PCI DSS 4.0.1 raises expectations for the security of TPSPs. Besides updating several of the controls required to comply with PCI DSS, organisations must conduct due diligence, embed compliance clauses in contracts, obtain third-party Attestations of Compliance, and review vendor security practices regularly.

Noncompliance Risks

Noncompliance can lead to financial penalties, legal exposure, and reputational harm, including fines, higher interchange fees, or even termination of the ability to accept card payments.

PCI DSS compliance requires cross-departmental co-operation; legal, compliance, procurement, vendor management, and IT security teams all have vital roles to play. Entities subject to PCI DSS 4.0 should run a gap analysis, update security policies, implement the required controls, and train staff to align with PCI DSS 4.0.1.