Apr 16, 2025
Since April 2025, the PCI DSS (Payment Card Industry Data Security Standard, version 4.0.1) has included new mandatory requirements that were previously considered best practices. These changes particularly affect online merchants and service providers that process or forward credit card transactions. Below you will find some of these changes.
Password requirements for administrators
Passwords for administrator access must now be at least 12 characters long and contain both numeric and alphabetic characters. If the system does not support 12 characters, at least 8 characters are required.
Two-factor authentication (2FA)
Access to the cardholder data environment (CDE) must be protected by two-factor authentication. This means that an additional identification factor is required in addition to the password, for example a one-time code from an authenticator app or a physical security key.
Content Security Policy (CSP)
A content security policy must be implemented to control which external content may be loaded on a website. This serves to protect against attacks such as cross-site scripting (XSS) and manipulation in the checkout process.
Certificate inventory
An inventory of trusted keys and certificates used to protect PAN (Primary Account Number) during transmission must be maintained. This enables proactive monitoring and management of cryptographic resources.
Authenticated vulnerability scans
Internal vulnerability scans must now be authenticated. This means that the scanners used must be provided with credentials so that they can log into the systems and thus gain deeper insight into the system configuration and installed software versions.
Monitoring of payment pages
Monitoring for changes is required for all the payment pages you manage. This can be done by using change and integrity monitoring tools to detect manipulation at an early stage.
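As an added illustration of the content security policy and payment-page monitoring points above (example code, not part of the original post or of the standard), the following Python script compares the external scripts a checkout page loads against an approved baseline of SRI hashes, flags unapproved or altered scripts, and derives a matching script-src allow-list for the CSP header. All URLs, script contents and hashes are constructed sample data; in practice the baseline would come from your own change-control records.

```python
import base64, hashlib, re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r'<script\b([^>]*)\bsrc="([^"]+)"([^>]*)>', re.IGNORECASE)
INTEGRITY_RE = re.compile(r'\bintegrity="([^"]+)"')

def sri_hash(content: bytes) -> str:
    """SRI-style digest: 'sha256-' + base64(SHA-256 of the script bytes)."""
    return "sha256-" + base64.b64encode(hashlib.sha256(content).digest()).decode()

def find_scripts(html: str) -> list:
    """Return (src, integrity attribute or None) for each external <script>."""
    found = []
    for before, src, after in SCRIPT_RE.findall(html):
        m = INTEGRITY_RE.search(before + after)
        found.append((src, m.group(1) if m else None))
    return found

def audit_page(html: str, fetched: dict, baseline: dict) -> dict:
    """Compare the scripts a page loads against the approved baseline hashes."""
    report = {"ok": [], "changed": [], "unexpected": [], "no_integrity": []}
    for src, integrity in find_scripts(html):
        if src not in baseline:
            report["unexpected"].append(src)    # not in change control: alert
            continue
        if integrity is None:
            report["no_integrity"].append(src)  # browser cannot enforce SRI
        actual = sri_hash(fetched[src])         # fetched = current script bytes
        (report["ok"] if actual == baseline[src] else report["changed"]).append(src)
    return report

def build_csp(baseline: dict) -> str:
    """Derive a script-src allow-list from the origins in the baseline."""
    origins = sorted({f"{urlparse(u).scheme}://{urlparse(u).netloc}" for u in baseline})
    return ("default-src 'self'; script-src 'self' " + " ".join(origins)
            + "; object-src 'none'; base-uri 'self'; frame-ancestors 'none'")

# Constructed sample: the approved payment-provider script and its baseline hash.
GOOD_JS = b"window.checkout = function () { /* approved PSP script */ };"
BASELINE = {"https://js.psp.example/checkout.js": sri_hash(GOOD_JS)}
# Constructed page as served today: the approved script's content was altered
# at its source, and an unapproved second script appears on the checkout page.
PAGE_HTML = (
    '<script src="https://js.psp.example/checkout.js" integrity="%s"></script>'
    '<script src="https://cdn.unknown.example/tag.js"></script>'
) % BASELINE["https://js.psp.example/checkout.js"]
FETCHED = {"https://js.psp.example/checkout.js": GOOD_JS + b"\n/* tampered */"}

if __name__ == "__main__":
    print(audit_page(PAGE_HTML, FETCHED, BASELINE), build_csp(BASELINE), sep="\n")
```

Run on a schedule against the live checkout page, a non-empty "changed" or "unexpected" list is the alert the monitoring requirement asks for; the "no_integrity" list shows scripts whose tampering the browser itself would not block.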
Protection against phishing attacks
You are expected to implement measures to protect your employees against phishing attacks. This can be done through training, technical solutions or both to minimize the risk of attacks.
Regular review of user accounts
All user accounts and their access rights must be reviewed at least every six months. This is to ensure that only authorized persons have access to sensitive data.
This is only a subset of the new requirements. You can find the full list of the requirements in the standard document of the PCI Security Standards Council.
These requirements apply to all companies that accept or process credit card payments. It is important to take the necessary measures to ensure compliance with the PCI DSS and to guarantee the security of payment data.