PCI DSS 4.0 Compliance for Fintech & Payments
Infilux AppSec runs PCI DSS 4.0 compliance for fintechs, payment processors, and merchants — scoping the cardholder data environment, preparing the appropriate SAQ (A, A-EP, B, C, D), coordinating Approved Scanning Vendor (ASV) external scans, and supporting full Report on Compliance (RoC) engagements for Level 1 merchants and service providers.
PCI DSS 4.0 fully replaced 3.2.1 on 31 March 2024; its future-dated requirements remain best practice until 31 March 2025, after which they are mandatory. The new standard is significantly more prescriptive on multi-factor authentication, anti-malware, scripts on payment pages, and continuous monitoring than its predecessor. Most existing PCI programmes need real work, not just a quick refresh.
Our PCI engagement starts with scoping — what's actually in your cardholder data environment, what's connected to it, and what can be segmented out. A correctly scoped CDE shrinks the audit perimeter dramatically; we've taken Level 1 fintechs from 200+ servers in scope down to 20 through proper network segmentation.
For service providers and Level 1 merchants we engage with your QSA throughout the RoC fieldwork — control walk-throughs, sampling, evidence packages, the management response. For Level 2-4 merchants we prepare the appropriate Self-Assessment Questionnaire and complete the quarterly ASV external scan via partners.
Key controls we implement
Scope determination
What's in the CDE, what's connected, what can be segmented out. The single highest-leverage activity in any PCI engagement.
Requirement 8 — strong authentication
PCI 4.0 mandates MFA on all non-console admin access AND on all access to the CDE. Requires phishing-resistant MFA for sensitive accounts after 31 March 2025.
Requirement 11 — security testing
Quarterly ASV external scans, internal vulnerability scans, annual segmentation testing, annual external + internal penetration testing.
Requirement 6.4.3 — payment page scripts
New in 4.0 — inventory and authorise every script on payment pages, alert on changes. Mitigates Magecart / web-skimming.
Requirement 12.10 — incident response
Documented IR plan, tested annually, with PCI-specific notification timing to acquirers and card brands.
Continuous monitoring
PCI 4.0 emphasises a defined frequency for each control activity, derived from a documented risk analysis.
Network segmentation
Proper segmentation can reduce CDE scope 5-10× and dramatically lower audit + compliance cost.
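The Requirement 6.4.3 control above (inventory and authorise every payment-page script, alert on changes) can be checked mechanically against a fetched copy of the checkout page. The following is an added illustration, not Infilux's tooling or a PCI SSC artefact; the inventory, URLs and SRI values are constructed placeholders, and it uses only the Python standard library.

```python
import hashlib
from html.parser import HTMLParser

# Authorised inventory (constructed values): externals map src -> the SRI value recorded
# at approval; inline blocks are identified by the SHA-256 of their approved body.
AUTHORISED_EXTERNAL = {"https://js.example-psp.test/v3/checkout.js": "sha384-EXAMPLEHASHFORCHECKOUTJS"}
AUTHORISED_INLINE = {hashlib.sha256(b"window.checkoutConfig={currency:'EUR'};").hexdigest()}

class ScriptCollector(HTMLParser):
    """Collect every <script>: src plus integrity attribute, or a hash of the inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})
            else:
                self._inline = []  # start buffering an inline script body
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.scripts.append({"inline_sha256": hashlib.sha256(body).hexdigest()})
            self._inline = None

def check_payment_page(html):
    """Return (finding, detail) pairs: unknown external/inline scripts and changed SRI values."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if "src" in s:
            expected = AUTHORISED_EXTERNAL.get(s["src"])
            if expected is None:
                findings.append(("UNAUTHORISED_SCRIPT", s["src"]))
            elif s["integrity"] != expected:  # tag changed, or SRI dropped, since approval
                findings.append(("SRI_MISMATCH", s["src"]))
        elif s["inline_sha256"] not in AUTHORISED_INLINE:
            findings.append(("UNAUTHORISED_INLINE", s["inline_sha256"]))
    return findings

# Constructed sample checkout page: one approved script, one approved inline block, one unknown script.
SAMPLE_PAGE = """<html><body>
<script src="https://js.example-psp.test/v3/checkout.js" integrity="sha384-EXAMPLEHASHFORCHECKOUTJS"></script>
<script>window.checkoutConfig={currency:'EUR'};</script>
<script src="https://cdn.unknown-third-party.test/tag.js"></script>
</body></html>"""
```

Run `check_payment_page` on each scheduled fetch of the live page and treat any non-empty result as the change alert the requirement asks for; the inventory itself is the evidence artefact for the QSA.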
Frequently asked
What's the difference between PCI DSS Level 1, 2, 3, 4?
What changed in PCI DSS 4.0 vs 3.2.1?
We use Stripe / a hosted payment page. Are we PCI-compliant by default?
How much does a PCI DSS engagement cost?
Do you partner with a specific QSA firm?