Compliance 2026-03-30 4 min

PCI DSS 4.0 for businesses handling card payments

PCI DSS 4.0 became fully mandatory in March 2025 — here is what changed and how Azerbaijani merchants should adapt.


PCI DSS 4.0, published by the PCI Security Standards Council, became fully enforceable on 31 March 2025, replacing 3.2.1. The standard applies to any organization that stores, processes, or transmits cardholder data — merchants, payment processors, gateways, and service providers. Azerbaijani banks acquiring under Visa or Mastercard rules are required by the Central Bank of Azerbaijan to enforce PCI DSS on their merchant chains.

Version 4.0 brings 64 new requirements. Notable additions include continuous authenticated scanning of public-facing applications (Requirement 11.6), targeted risk analyses for any flexibility in control implementation, and stronger password policies — minimum length increases from 7 to 12 characters with complexity, and multi-factor authentication is now mandatory for all access into the cardholder data environment, not just remote and admin access. Phishing-resistant MFA such as FIDO2 hardware keys is recommended for administrators.

Merchant levels determine the validation method. Level 1 merchants (over 6 million Visa transactions per year) require an annual on-site assessment by a Qualified Security Assessor and quarterly external scans by an Approved Scanning Vendor. Levels 2 through 4 typically self-assess via a Self-Assessment Questionnaire matched to their payment flow: SAQ A for fully outsourced e-commerce, SAQ A-EP for partly outsourced, SAQ D for everything else.

The most expensive part of compliance is scope. Tokenization, point-to-point encryption certified by the council, and hosted iframe checkout pages dramatically reduce the cardholder data environment and therefore the audit footprint. Many Baku e-commerce sites moved to hosted gateways from MilliKart, AzeriCard, or Stripe Connect to fall under SAQ A. If you cannot avoid storing card data, segment ruthlessly with VLANs and host firewalls, log every access, and rotate encryption keys at least annually.
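The scope-reduction idea above, tokenization plus key rotation and access logging, as an added example that is not part of the original post and not code from any of the gateways it names. The merchant application keeps only tokens; the PAN lives in a separate vault, encrypted under a versioned key, so the application tier stays outside the cardholder data environment. The HMAC-SHA256 keystream cipher, the token format, the `TokenVault` class and the test PAN are all assumptions made for illustration; in production the vault would be an HSM-backed AES-GCM service or a council-listed tokenization provider.

```python
"""Illustrative token vault (example code, not from the article).

Assumptions: the HMAC-SHA256 keystream cipher with an encrypt-then-MAC tag
is a stand-in for AES-GCM inside an HSM; the token format and the class
below are invented for this example.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF-based keystream: HMAC(key, nonce || counter), counter mode
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    # nonce || ciphertext || tag, tag computed over nonce and ciphertext
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")  # tampered or wrong key version
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def luhn_ok(pan: str) -> bool:
    """Luhn check, so obviously malformed input never enters the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Display form: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    def __init__(self) -> None:
        self._keys = {1: secrets.token_bytes(32)}   # key version -> key material
        self._current = 1
        self._records = {}                           # token -> (key version, sealed PAN)
        self.access_log = []                         # every tokenize/detokenize call

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        # Token keeps the last four digits so receipts and support work without the PAN.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._records[token] = (self._current, _seal(self._keys[self._current], pan.encode()))
        self.access_log.append(("tokenize", token))
        return token

    def detokenize(self, token: str) -> str:
        version, blob = self._records[token]
        self.access_log.append(("detokenize", token))
        return _open(self._keys[version], blob).decode()

    def key_version_of(self, token: str) -> int:
        return self._records[token][0]

    def rotate_key(self) -> int:
        """Create a new key version, re-seal every record under it, retire the old key."""
        new_version = self._current + 1
        self._keys[new_version] = secrets.token_bytes(32)
        for token, (version, blob) in list(self._records.items()):
            pan = _open(self._keys[version], blob)
            self._records[token] = (new_version, _seal(self._keys[new_version], pan))
        self._current = new_version
        for version in list(self._keys):
            if version != new_version:
                del self._keys[version]
        return new_version


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed test PAN (a public Visa test number), not real cardholder data.
    tok = vault.tokenize("4111111111111111")
    print(tok, mask("4111111111111111"), vault.rotate_key(), vault.detokenize(tok))
```

The merchant database, logs and receipts see only `tok_...` values and the masked form; only the vault process holds key material, which is what lets the rest of the stack be argued out of scope. Rotation re-seals every record before the old key version is deleted, so a key retired on schedule never leaves orphaned ciphertext.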

#pci-dss #payments #compliance #fintech
Information security, Baku.
© 2026 gpolicy. All rights reserved.