PCI-DSS 4.0 for E-commerce: Key Changes and 2026 Readiness
PCI-DSS 4.0 is mandatory for all card processors. Full enforcement in 2025 brings 64 new requirements. Discover concrete steps for compliance.
In Short
PCI-DSS (Payment Card Industry Data Security Standard) is the mandatory standard for any organization that processes, transmits, or stores card data. Version 4.0/4.0.1 was published in 2022 and entered full enforcement in March 2025 — all organizations under PCI-DSS are now required to comply with 4.0 requirements.
In Romania, PCI-DSS 4.0 directly affects:
- Online merchants accepting card payments on their website
- Payment processors (Stripe Connect partners, Netopia, EuPlătesc, Mobilpay)
- Banks + fintechs
- Service providers intermediating transactions
Non-compliance = MasterCard / Visa fines ($2,000-$100,000/month) + financial liability for breaches.
PCI-DSS Levels Based on Volume
| Level | Transaction Volume/Year | Requirements |
|---|---|---|
| Level 1 | >6 million cards (Visa/MC) | Annual audit by certified QSA (Qualified Security Assessor) + quarterly penetration test |
| Level 2 | 1-6 million | Self-Assessment Questionnaire (SAQ) D + quarterly ASV scan |
| Level 3 | 20,000 - 1 million | SAQ + quarterly ASV scan |
| Level 4 | <20,000 | SAQ — depends on processor |
For average Romanian online commerce: Level 3 or 4. For large e-commerce (eMAG, OLX): Level 1 or 2.
Key PCI-DSS 4.0 Requirements (12 Categories)
1. Build and Maintain Secure Network (Req. 1-2)
- Req. 1 — Strictly configured firewall, cardholder data environment (CDE) segmentation
- Req. 2 — Changed defaults (passwords, configs); component inventory
2. Protect Account Data (Req. 3-4)
- Req. 3 — Minimal storage — do not save PAN, CVV, track data unless necessary; encryption at rest for anything stored
- Req. 4 — Strong cryptography in transit. HSTS mandatory on all payment pages (new in 4.0).
3. Maintain Vulnerability Management (Req. 5-6)
- Req. 5 — Antivirus + EDR on all systems
- Req. 6 — Secure development: SAST + DAST + code review for custom applications
4. Strong Access Control (Req. 7-9)
- Req. 7 — Need-to-know access (RBAC)
- Req. 8 — Universal MFA for remote access to CDE (new in 4.0) + universal admin MFA
- Req. 9 — Physical datacenter security
5. Monitor and Test (Req. 10-11)
- Req. 10 — Log all access to cardholder data; daily review; retain minimum 1 year
- Req. 11 — Quarterly external ASV vulnerability scan + annual penetration test. Authenticated scan introduced in 4.0 as a requirement.
6. Information Security Policy (Req. 12)
- Req. 12 — Documented policy, approved by top management, annual training, incident response plan
What Changed in 4.0 vs 3.2.1 (Relevant for You)
| Requirement | 3.2.1 → 4.0 |
|---|---|
| MFA | Admin only → Universal for any remote access to CDE |
| HSTS | Recommended → Mandatory on payment pages |
| Authenticated vulnerability scan | Optional → Mandatory in addition to unauthenticated scan |
| Phishing-resistant MFA | — → Strongly recommended (FIDO2/WebAuthn) |
| Targeted Risk Analysis | Generic → Documented per each requirement |
| Customized Approach | — → Allowed if alternatives provide equivalent security (requires justification) |
| Software security 3.0 | — → New requirements for SDLC, secrets management, container security |
64 requirements are new or modified compared to 3.2.1.
Implementation Roadmap for Romanian E-commerce
Phase 1 — Reduce CDE Scope (Universally Recommended)
Tokenization via the processor means you never see card numbers. Stripe / Netopia / EuPlătesc offer a hosted iframe or redirect integration in which:
- Your page delegates the card form to the processor’s iframe
- The card number never passes through your server
- You receive only a token (a reference for future transactions)
This drastically reduces PCI scope: many requirements no longer apply, or apply only partially, and you can complete SAQ A (the simplest) instead of SAQ D.
Phase 2 — Self-Assessment Questionnaire (SAQ)
SAQ A: for merchants that use processor tokenization and never store card data. SAQ A-EP: similar, but with your own redirect page. SAQ D: full PCI-DSS, for those who store or process card data directly.
Use Lexnomia for guided SAQ + official report to processor.
Phase 3 — ASV Vulnerability Scan (Approved Scanning Vendor)
PCI-DSS Req. 11.3.2 requires quarterly external scan from an ASV on the official PCI Council list. Costs: €200-€1,000/quarter per IP/domain.
ARTEMIS is NOT ASV-certified (different tier), but the ARTEMIS audit detects most ASV-relevant vulnerabilities before the official scan — saving you time/cost.
Phase 4 — Annual Penetration Test
Required by Req. 11.4. A manual pentest with a Statement of Work and a professional report. Cost: €8,000-€30,000/year depending on scope.
CAI Technology offers the Manual Penetration Test tier via ARTEMIS Pro.
Phase 5 — Logging + Monitoring
A SIEM (Splunk, Wazuh, Graylog) with retention of at least 1 year for all access logs to the CDE. Daily review plus automatic alerting.
Phase 6 — Training + Policy
Annually, for all employees with access to the CDE, and documented. Policy approved by the board.
Phase 7 — Annual QSA Audit (Level 1 Only)
For e-commerce below Level 1, only SAQ. For Level 1 (>6M transactions), mandatory annual on-site QSA audit (€15,000-€50,000).
Common Confusions
“Stripe covers us for PCI.” — Only partially. Stripe is PCI-DSS Level 1 as a processor. You still must be compliant on your side (SAQ A minimum). Stripe does NOT exempt you from your own obligations — it only reduces scope.
“We only save last 4 digits.” — This is “truncated PAN storage”: under PCI-DSS, the last 4 digits alone are OK without restrictions. But if you also save the BIN (first 6 digits), that expands scope.
“We only have redirect payment — we’re not PCI.” — Incorrect. You are a merchant, so you have obligations: fewer (SAQ A) but not zero. No e-commerce site is “completely exempt”.
“PCI-DSS 4.0 is not mandatory yet.” — Incorrect: since March 2025, full enforcement is active and the Visa / MC brands can impose fines.
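For the Req. 3 storage rule and the “last 4 digits” point above, an added example (not code from this page or its vendors): it detects full PANs in free text such as application logs, which would pull that data into scope, and truncates them to the last 4 digits the rule permits. The log line is constructed and uses a public test card number; the 13-19 digit range and Luhn filter are standard for PANs but will also match other Luhn-valid numbers.

```python
import re
from typing import List

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every real PAN satisfies; filters most other numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)

def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit run in text (a full PAN, which is in scope)."""
    return [_digits(m.group(0)) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(_digits(m.group(0)))]

def scrub(text: str) -> str:
    """Replace each detected PAN with its truncated form, keeping only the last 4."""
    def mask(m):
        digits = _digits(m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(mask, text)

def last_four(pan: str) -> str:
    """The only PAN fragment the storage rule above keeps; rejects non-PAN input."""
    digits = _digits(pan)
    if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits)):
        raise ValueError("input is not a plausible PAN")
    return digits[-4:]

# Constructed log line (public test card number, not a real cardholder's), of the
# kind an application writes when a developer logs the whole checkout request.
SAMPLE_LOG = ("2025-03-31T10:15:02Z checkout order=1234567890123 "
              "card=4111 1111 1111 1111 status=approved")
```

Running `scrub(SAMPLE_LOG)` leaves the order number untouched and rewrites the card field as `************1111`, which is what a log pipeline feeding the Req. 10 SIEM should emit.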
Check Now
ARTEMIS automatically detects:
- HSTS on all payment pages (Req. 4.2.1 from 4.0)
- TLS strong cryptography (Req. 4.2)
- WAF presence (Req. 6.6)
- Security headers (Req. 6.4)
- 30+ technical checks directly mappable to PCI-DSS 4.0
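A header check of the kind the list above describes for the Req. 4.2.1 HSTS point, added here as an example (not ARTEMIS code): it parses a Strict-Transport-Security value per RFC 6797 and flags the misconfigurations that make the header ineffective. The one-year minimum max-age is an assumption of the example, not a value PCI-DSS prescribes, and the sample responses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
MIN_MAX_AGE = 31536000  # one year; an assumption of this example, not a PCI-DSS figure

@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    findings: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return self.present and not self.findings

def parse_hsts(value: str) -> HstsResult:
    """Parse an HSTS value (RFC 6797: ';'-separated, case-insensitive directives)."""
    result = HstsResult(present=True)
    for token in value.split(";"):
        name, _, arg = token.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if arg.isdigit():
                result.max_age = int(arg)
            else:
                result.findings.append(f"max-age is not a non-negative integer: {arg!r}")
        elif name == "includesubdomains":
            result.include_subdomains = True
    if result.max_age is None and not result.findings:
        result.findings.append("max-age missing: browsers ignore the header")
    elif result.max_age == 0:
        result.findings.append("max-age=0 disables HSTS for this host")
    elif result.max_age is not None and result.max_age < MIN_MAX_AGE:
        result.findings.append(f"max-age {result.max_age} below minimum {MIN_MAX_AGE}")
    return result

def check_payment_page(headers: Dict[str, str]) -> HstsResult:
    """Evaluate a payment page's response headers (names matched case-insensitively)."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return HstsResult(present=False, findings=["Strict-Transport-Security header missing"])

# Constructed sample responses for a /checkout page (not captures from a real site).
SAMPLE_RESPONSES = {
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "disabled": {"strict-transport-security": "max-age=0"},
    "missing": {"Content-Type": "text/html; charset=utf-8"},
}
```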
🔗 Complementary CAI Technology Solutions
- ARTEMIS — Technical audit mappable to PCI-DSS 4.0 (Req. 4, 6, 11). Plus Manual Penetration Test tier for Req. 11.4.
- Lexnomia — PRIMARY CRITERION — auditor-grade evaluation PCI-DSS / GDPR / NIS2 / ISO 27001. Guided SAQ + official report for processor.
- BeLegal — Free 5-minute EU compliance check (PCI not included, but GDPR + NIS2 yes).
- Auditope — Holistic web audit (Performance + UX + Conversion). Reduces cart abandonment on payment page = more revenue.
- AriaUnited — PNRR European funds consultancy for PCI-DSS investments (dedicated WAF, SIEM, hardware HSM).