PCI DSS v4.0 for UK Payment Firms: What Has Changed and What You Must Do
PCI DSS v4.0 became the only valid version of the standard in March 2024, with PCI DSS v3.2.1 formally retired. For UK payment processors, acquirers, e-commerce merchants, and fintech firms handling cardholder data, v4.0 introduces material changes that go well beyond a re-numbering exercise. New requirements around multi-factor authentication, phishing-resistant controls, and the customised approach to compliance give firms more flexibility — and more accountability. FCA-regulated payment institutions must now satisfy both FCA operational resilience requirements and PCI DSS simultaneously.
PCI DSS v3.2.1 was retired in March 2024 — v4.0 is now the only valid version, with additional future-dated requirements taking effect in March 2025.
What Has Changed in PCI DSS v4.0
The headline changes in v4.0 that affect UK payment firms most directly:
- Requirement 8: MFA is now required for all access to the cardholder data environment — not just remote access. Phishing-resistant MFA (FIDO2/passkeys) strongly favoured
- Requirement 11: Targeted risk analysis is required to justify scan frequencies — firms must document their rationale for testing schedules
- Requirement 12: Roles and responsibilities for each PCI DSS requirement must be assigned and documented explicitly
- Customised approach: Firms can now implement alternative controls that meet the intent of requirements — but must document the evidence trail rigorously
- E-commerce: New requirements for protection of payment pages against client-side attacks (Requirements 6.4.3 and 11.6.1) — mandatory from March 2025
- Continuous monitoring: Log management and alerting requirements tightened; automated log review now expected rather than manual sampling
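The payment-page requirement above is the one most firms have to build tooling for. Below is an added example (not code from the page or from Coro) of the kind of check Requirements 6.4.3 and 11.6.1 call for: every script on the page is compared against an authorised inventory, external scripts must carry an unchanged integrity value, and security headers are compared against a baseline. The inventory, page HTML and headers are constructed sample data.

```python
# Added example: simplified 6.4.3 / 11.6.1 style check for a payment page.
# Inventory, HTML and headers below are constructed, not real data.
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collects each <script> on a page as (src, integrity, inline_body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity"), None))
        else:
            self._inline = []          # start buffering an inline script body
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append((None, None, "".join(self._inline)))
            self._inline = None

def check_payment_page(html, headers, inventory, header_baseline):
    """Return findings: scripts outside the authorised inventory, external scripts
    without integrity protection, changed integrity values, drifted headers."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity, body in collector.scripts:
        if src is None:                # inline scripts are authorised by content hash
            digest = hashlib.sha256(body.encode()).hexdigest()
            if digest not in inventory["inline_sha256"]:
                findings.append(f"unauthorised or modified inline script {digest[:12]}")
        elif src not in inventory["external"]:
            findings.append(f"unauthorised script {src}")
        elif integrity is None:
            findings.append(f"no integrity attribute on {src}")
        elif integrity != inventory["external"][src]:
            findings.append(f"integrity changed on {src}")
    for name, expected in header_baseline.items():   # 11.6.1: header tamper detection
        if headers.get(name) != expected:
            findings.append(f"header drift: {name}")
    return findings

# Constructed sample data: one authorised external script, one authorised inline script.
INVENTORY = {"external": {"/static/checkout.js": "sha384-AAAA"},
             "inline_sha256": {hashlib.sha256(b"init();").hexdigest()}}
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self'"}
SAMPLE_HTML = ('<script src="/static/checkout.js" integrity="sha384-AAAA"></script>'
               '<script>init();</script>'
               '<script src="https://cdn.example/extra.js"></script>')
SAMPLE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://cdn.example"}
```

Run on the sample page, the check reports the unauthorised third script and the changed CSP header; a real deployment would run it on a schedule against the live page (weekly at most, per 11.6.1) and keep the inventory with a business justification for each script, as 6.4.3 requires.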
Where FCA Obligations and PCI DSS Intersect
UK payment institutions regulated by the FCA under the Payment Services Regulations 2017 face overlapping obligations. FCA SYSC rules require proportionate security controls; PS21/3 requires resilience testing against plausible disruption scenarios. PCI DSS adds a third layer with prescriptive technical requirements. In practice, a firm that is genuinely PCI DSS compliant will satisfy most FCA technical security expectations — but FCA compliance additionally requires board-level accountability, documented incident response, and supply chain risk management that PCI DSS alone does not mandate.
The Controls Payment Firms Must Have in Place
For any firm processing, storing, or transmitting cardholder data, these are the core PCI DSS v4.0 controls that present the greatest implementation challenge:
- Network segmentation: The cardholder data environment must be isolated — and the segmentation confirmed via penetration test
- Vulnerability management: Quarterly internal and external scans; critical vulnerabilities remediated within defined timeframes
- MFA everywhere: All administrative access to systems that touch cardholder data — no exceptions
- Encryption: Strong cryptography for all cardholder data at rest and in transit — TLS 1.2 minimum, TLS 1.3 preferred
- Third-party service providers: Maintain a list of all TPSPs, confirm their PCI DSS compliance annually
- Incident response plan: Documented, tested, assigned — with PCI DSS-specific response procedures
How Coro Helps Payment Firms Maintain PCI DSS Controls
Coro's unified security platform addresses the endpoint, email, and identity controls that PCI DSS v4.0 requires across your workforce. MFA enforcement, endpoint compliance monitoring, email threat protection, and user behaviour analytics are all managed from a single console — with the audit logs that your Qualified Security Assessor (QSA) will need to review. For firms that lack the in-house resource to maintain PCI DSS controls continuously, Coro's automation significantly reduces the operational burden without reducing the control quality.
Frequently Asked Questions
Does PCI DSS apply to us if we use a third-party payment processor?
Potentially yes, but your scope may be significantly reduced. If you redirect customers to a hosted payment page operated by your processor and never handle cardholder data directly, your PCI DSS obligations may be limited to completing SAQ A (Self-Assessment Questionnaire A). However, if you have any access to cardholder data — even for support or chargeback purposes — your scope is broader. A scoping exercise is the essential first step.
What is the difference between the defined approach and the customised approach in v4.0?
The defined approach requires implementing the specific controls listed in each PCI DSS requirement — essentially the same as v3.2.1. The customised approach allows firms to implement alternative controls that achieve the same security objective, with a documented evidence trail justifying the alternative. The customised approach offers flexibility for innovative or cloud-native architectures, but requires significantly more documentation and is subject to greater QSA scrutiny.
Review your PCI DSS v4.0 readiness
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.