What PCI-DSS 4.0 does
PCI-DSS 4.0 establishes a baseline security standard to reduce credit card fraud. It outlines twelve key requirements, grouped into six control objectives: network security, cardholder data protection, vulnerability management, access control measures, regular network monitoring and testing, and maintenance of an information security policy. Version 4.0 introduces a Customised Approach, allowing organisations greater flexibility in how they meet each requirement's objective, while strengthening authentication controls, notably mandating multi-factor authentication for all access into the Cardholder Data Environment (CDE).
PCI-DSS 4.0 in Australian tenants today
AU mid-market merchants are subject to PCI-DSS because they store, process or transmit cardholder data, and their merchant level (1–4) is determined by annual transaction volume and data handling practices. Level 1 merchants require a Qualified Security Assessor (QSA) attestation, while Level 2–4 merchants can often self-assess using a Self-Assessment Questionnaire (SAQ). Self-assessment at the lower levels reduces cost but places the burden of proof on robust internal controls and the evidence behind them. Microsoft Compliance Manager can assist in mapping PCI-DSS controls and gathering that evidence, while Defender for Cloud helps identify vulnerabilities and misconfigurations within the CDE. Adherence to PCI-DSS is crucial for avoiding penalties and maintaining customer trust, and is also a consideration for organisations subject to APRA CPS 234.