
We first published this article in 2022 with reminders for complying with PCI DSS efforts. However, as the deadline looms closer, many companies have yet to fully embrace and prepare for the new standards. Below are the original recommendations we shared.

If your company accepts payments from credit cards, you must be fully compliant with Payment Card Industry (PCI) Security Standards.

And the rules have changed.

With the updated PCI DSS v4.0.1 requirements, merchants carry more responsibility in credit card processing, and you can face hefty liabilities for noncompliance. PCI DSS v3.2.1 officially retired on March 31, 2024, and after March 31, 2025, the requirements that v4.0 had marked as future-dated (initially best practice) become mandatory, so organizations must fully meet the new standard. Here are a few things to remember to keep your company up to date with your PCI Security Standards responsibilities.

1. Consider Your Company’s Data Storage Regulations

As technology advances, security methods must advance too. The payment industry is certainly no exception.

Noncompliance with PCI DSS v4.0.1 can bring fines and other penalties from the card brands and your acquiring bank, and many states have data breach laws that apply to companies based on where they store cardholder data. Depending on where and how you accept credit cards, you may be subject to several of these storage regulations at once.

If your company then fails to maintain and implement a PCI compliance plan, you may face enforcement by state authorities along with private lawsuits. So, it’s important to know not only exactly which regulations your company must abide by, but also what your plan is for meeting those responsibilities. Knowing what’s required is the first step toward compliance.

The new PCI DSS v4.0.1 treats security as a continuous process: businesses must show that their security methods keep developing to meet the payment industry’s needs. This includes more stringent password requirements (a 12-character minimum under Requirement 8.3.6), protections against phishing (Requirement 5.4.1), new ecommerce controls over the scripts that run on payment pages (Requirement 6.4.3) and multi-factor authentication for all access into the cardholder data environment (Requirement 8.4.2).

2. Assess Your Data Security

The time you invest now to fix any holes in your data security could save you in the long term from the penalties your company may suffer if you ever experience a data breach. A simple way to start identifying gaps in your systems or processes is to complete a self-assessment; for many merchants that means the PCI Self-Assessment Questionnaire (SAQ) your acquirer designates for the way you accept cards.

After you’ve identified the regulations your company is bound to, dig deeper to see how your company is doing when it comes to the policies you have in place—and how you’re doing when it comes to actually following those policies. Any errors you come across in your review will provide you with the best starting point for improving your processes.

Additionally, ongoing security measures should be in place so that security is a continued process within your organization rather than a once-a-year exercise. Once you’ve assessed your organization’s security, you may want to consider implementing best practices, such as assigning and documenting responsibility for each requirement, which v4.0.1 itself now asks for.

3. Select a Qualified Security Assessor

Many companies use Qualified Security Assessors to help them maintain their PCI compliance. However, it’s important to be selective when seeking help.

A Qualified Security Assessor should assist you in making the best decisions regarding your PCI responsibilities, so it’s important to select someone who fully understands your business and how it needs to interact with the PCI standards.

An assessor should be responsible for staying up to date on the latest version of PCI Security Standards, the latest state regulations and thoroughly understanding the appropriate security measures needed to help you become and stay compliant.

Before you partner with a Qualified Security Assessor, remember to thoroughly vet your options and make a selection that will ultimately benefit your organization.

4. Know Your Communication Responsibilities in the Event of a Breach

Did you know that your business must report any suspected or confirmed compromise of cardholder data, no matter how small, to your acquiring bank and the affected card brands?

Without proper notification of breaches, the card brands and your acquirer may revoke your business’s ability to accept their cards. The card brands, your acquirer and the affected cardholders can even file lawsuits against your company.

Because you’ll want to know whom to contact, and how, long before it becomes necessary, build these notification steps and contacts into your incident response plan.

5. Prevent Running Unauthorized Cards

Unfortunately, running just one unauthorized credit card could place significant costs on your business.

Even if your state doesn’t have specific laws regarding PCI compliance, a civil suit may come against your company for any data breach that follows from running an unauthorized card. And it’s unlikely the court will rule in your favor if you haven’t been PCI compliant.

One easy way to prevent running unauthorized cards is to check a cardholder’s identification at a point of sale. You may find it helpful to also consider your specific organization and implement safeguards that will protect you in your unique circumstances.

Learn More About PCI Compliance

All in all, it pays to pay attention to PCI compliance. A little time invested today could save you tomorrow.

For help with PCI compliance, contact your Warren Averett Technology Group advisor directly, or ask a member of our team to reach out to you to get the conversation started.

This article was originally published on December 15, 2022, and most recently updated on February 20, 2025.

