Helping merchants and service providers adapt to the latest PCI DSS standard.
Belgrade, Serbia - September 25, 2025
The Payment Card Industry Data Security Standard (PCI DSS) has long been the benchmark for protecting cardholder data. With version 4.0, the standard undergoes its most significant update in over a decade. Organizations that store, process, or transmit card data must now adapt to new requirements that emphasize continuous security, stronger authentication, and risk-based validation.
One of the biggest changes in PCI DSS 4.0 is the introduction of customized approaches. Instead of prescriptive technical controls, organizations can implement alternative measures if they achieve equivalent security outcomes. While this adds flexibility, it also requires more rigorous documentation and validation, increasing the importance of expert guidance during assessments.
Stronger authentication requirements are another highlight. Multi-factor authentication (MFA) is now required for all access to cardholder data environments, not just remote access. Password policies have also been updated to align with modern best practices, such as longer passphrases and adaptive authentication.
Continuous monitoring has been elevated from a best practice to a requirement. Organizations must demonstrate that logging, alerting, and vulnerability scanning occur regularly, and that anomalies are investigated promptly. This shift reflects the reality that compliance cannot be a once-a-year audit exercise but must become part of everyday operations.
"PCI DSS 4.0 raises the bar by making compliance continuous. Our joint approach ensures organizations not only pass audits but stay secure every day," said Frederick Roth, Chief Information Security Officer at CypSec.
Infosec Assessors Group (IAG) helps businesses navigate these changes by conducting readiness assessments and gap analyses. Their experts clarify which requirements apply to each environment, prioritize remediation steps, and prepare organizations for smoother audits. For many firms, this proactive approach reduces both compliance risk and operational disruption.
CypSec complements IAG's assessments with automation. Its policy-as-code framework continuously enforces PCI DSS 4.0 controls such as encryption, logging, and access restrictions. Embedding compliance into daily workflows allows organizations to avoid last-minute scrambles before audits and instead maintain compliance as a natural outcome of secure operations.
Preparing for PCI DSS 4.0 strengthens trust with customers, partners, and regulators. Organizations that can demonstrate resilience against card data breaches not only avoid fines but also protect their brand reputation and business continuity.
Through their partnership, Infosec Assessors Group and CypSec provide organizations with a practical pathway to PCI DSS 4.0 readiness. Combining expert guidance with automated governance ensures that compliance requirements are met consistently and that payment environments remain secure against evolving threats.
About Infosec Assessors Group: Infosec Assessors Group (IAG) is a Serbian cybersecurity consultancy specializing in PCI DSS, ISO standards, penetration testing, and risk management. For more information, visit infosecassessors.com.
About CypSec: CypSec delivers enterprise risk management, Policy-as-Code, and compliance automation solutions. Together with IAG, it helps organizations adapt to PCI DSS 4.0 and strengthen payment security. For more information, visit cypsec.de.
Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.