Increase your security and compliance goals

PCI DSS v4.0 FAQs for Acquirers and ISOs

PCI DSS v4.0 FAQs for Acquirers and ISOs

What You Need to Know About PCI DSS v4.0

How is this Going to Impact my Merchants?

Overall Impact of PCI DSS v4.0

Merchants will have until March 31, 2024 before they will no longer be able to validate their compliance using version 3.2.1 of the SAQs.

While merchants can continue to validate their compliance using version 3.2.1, they should start now to implement any missing controls that would be required to validate to version 4.0.

SAQs Will Take Longer to Fill Out

Something to be aware of is that almost every question in the PCI v4.0 SAQ was re-worded and re-ordered, meaning that filling out the SAQ may take more time. Since all of the questions have been reworded, it means that EVERY merchant will need to answer additional questions, even if nothing in their network has changed. 

To help mitigate this, our very best support agents worked together, combing through the 3.2.1 and the 4.0 SAQs to find as many questions as possible that would map over. By using SecurityMetrics' FastPass, merchants could reduce the amount of questions they'd need to answer by a significant amount.

Unfortunately, this may cause some frustration for your merchants.

SAQ A Merchant Changes

Additionally for SAQ A merchants, vulnerability scanning is now a requirement, whereas previously it wasn't. For a merchant that has never needed to scan previously, this new requirement could cause some frustration because they may not know how to set up a scan and they likely will fail their scan the first time around.

However, the SecurityMetrics' support team is ready 24/7 and able to answer the phone within 15 seconds to aid your merchants with any questions they may have about the new scanning requirements or PCI DSS v.4.0.

New Requirements for Ecommerce Security

New PCI DSS v4.0 requirements (e.g., requirement 11.6.1) requires SAQ A, SAQ A-EP, SAQ D merchants, and SAQ D service providers to implement change detection procedures and technologies to alert personnel to unauthorized modifications to the HTTP headers and contents of the page(s) used to house the TPSP iframe. Such tamper-detection mechanisms must run at least weekly to look for unauthorized modifications to these critical web pages.

The SecurityMetrics Shopping Cart Monitor can be used to help meet the intent of this requirement.

What are the actual changes?

The release of the new 4.0 version may cause anxiety for those already familiar with the current PCI DSS requirements. Rest assured that the 12 core PCI DSS requirements remain fundamentally the same; version 4.0 is not a totally new standard.

However, PCI DSS v4.0 introduced 64 new requirements (11 of which are only applicable to service providers). Most of these new requirements are future-dated to March 31, 2025, with notable exceptions being requirements around documentation and performing a targeted risk analysis. To find out more about specific requirement updates, check out this resource. There were also significant changes to the wording of questions.

To find out about more of the fundamental changes within PCI DSS v4.0, read our white paper PCI DSS Version 4.0: What You Need to Know.

Tips to Help You and Your Merchants with PCI v4.0

  1. Get up to speed on PCI v4.0 changes
  2. Decide when to transition your merchant portfolio to PCI 4.0
  3. Educate your team
    • Specifically educate Upper Management, Finance, Product, Sales Reps, and ISOs.
    • Update internal documentation, wiki pages, and internal newsletters to reflect the changes coming with PCI v4.0
  4. Educate your merchants 
  5. Talk to your vendor’s CSM to learn how to communicate about PCI v4.0 most effectively
  6. Use PCI v4.0 as an opportunity to implement a new revenue share, by introducing security and compliance products to your merchants.

How can SecurityMetrics help?

Simplifying Your Merchants' SAQ Process

Our support team works with the SAQs, and they’ve already mapped the new questions to existing questions so that when a merchant has to flip over to PCI v4.0, they don't have to re-fill out the whole entire SAQ.

Taking all the information they currently have, and pre-loading it into the SAQ, so that they may only have a few more to answer. This will simplify the experience for the merchants. We want to help you keep your merchants happy, which is why we try to make the merchant experience as straightforward as possible.

Providing Your Merchants with Compliance Tools

We also have a variety of security and compliance products for merchants from level one to level four. 

For example, the SecurityMetrics Shopping Cart Monitor can be used to help meet the intent of the new requirement 11.6.1.

Providing Your Merchants with Education

SecurityMetrics has produced a number of educational materials about PCI DSS v.4.0 that you can point your merchants back to. We’ll also continue creating content to help educate your merchants on what requirements they should focus on and how to best achieve compliance with PCI DSS version 4.0.

We’re here to help you and your merchants, so feel free to reach out to us with any questions!

White Paper


PCI DSS Version 4.0: What You Need to Know

PCI DSS v4.0: What’s New and How to Prepare for v4.0 Requirements

PCI DSS v4.0: What Is New And How It Affects You

PCI DSS v4.0: What Changes Will Impact SAQs?

Enjoy fully managed, simplified PCI compliance.

Enjoy fully managed, simplified PCI compliance.