Learn about the essential updates of PCI DSS 4.0.1 and how they impact your organization's data security practices.
The Payment Card Industry Data Security Standard (PCI DSS) has been in place since 2004 and has undergone several iterations to keep up with the ever-changing security landscape. PCI DSS version 4.0.1 brings significant updates over its predecessor to enhance security measures and adapt to emerging threats to cardholder data, including the additional new requirements that took effect on April 1st, 2025.
Understanding the Cardholder Data Environment (CDE)
There are 12 PCI DSS requirements, all of which apply to secure the Cardholder Data Environment (CDE), which covers any system and network components, people, and processes that store, transmit, or process cardholder data.
New Annual Scoping Requirement
A significant change in 4.0.1 is the required annual PCI DSS scoping by the business entity (Merchants or Service Providers), separate from the assessment of the PCI assessor. The business entity must review and confirm the accuracy of its PCI DSS scope (per PCI DSS Requirement 12.5.2) by identifying all locations and flows of account data, and by identifying all systems that are connected to the CDE, or that could impact the CDE if compromised, to ensure they are included in the PCI DSS scope. All systems, networks, and locations should be considered during the scoping process, including backup/recovery sites and fail-over systems. This annual confirmation of PCI DSS scope is an activity expected to be performed by the business entity itself; it is not intended to be replaced by the scoping confirmation performed by the PCI assessor for compliance validation.
Another key change that took effect on April 1st, 2025, is that a Targeted Risk Analysis (TRA) must be completed and documented for each applicable PCI requirement. A TRA (as opposed to a traditional enterprise-wide risk assessment) focuses on the PCI DSS requirements that give business entities flexibility in how often an activity is performed, based on risk exposure and risk appetite. For this targeted risk analysis, the entity carefully evaluates each such PCI DSS requirement and determines the frequency that supports adequate security for the business at the level of risk it is willing to accept. Also, under version 4.0.1, the roles and responsibilities for the activities under each of the twelve (12) PCI DSS requirements must be clearly defined, documented, assigned, and understood.
How Everforth Apex Supports PCI DSS Compliance
Everforth Apex can help businesses prepare for their PCI DSS certifications by providing a comprehensive suite of cybersecurity solutions and managing their PCI DSS Program. Everforth Apex helps all companies that store, process, and transmit cardholder data become not only more secure but also resilient with their cybersecurity program.
We partner with our clients and collaborate with their payment providers and service providers, facilitate discussions, and formulate solutions to achieve PCI DSS compliance. Everforth Apex delivers tailored solutions to your organization’s maturity level, resources, and risk tolerance. We advise, design, and implement long-term, sustainable programs to help clients meet PCI DSS compliance.
Conclusion: Partnering with Everforth Apex
Our PCI DSS team is composed of experienced professionals with certifications like CISSP, CISM, CRISC, CISA, CDPSE, and former PCI QSAs. With decades of combined experience, they are ready to tackle complex security challenges. By partnering with Everforth Apex, businesses can be more prepared to comply with PCI DSS and mitigate attacks before they happen, helping protect their interests and maintaining investor confidence.
Everforth Apex is part of the parent company ASGN (ASGN: NYSE), a publicly traded company that provides consulting services to public companies. Everforth Apex delivers clarity and control tailored precisely to each client organization's maturity level, resources, and risk tolerance. Our customizable security solutions balance robust protection with productivity, utilizing technologies and services that span Governance, Risk & Compliance (GRC), Identity and Access Management, Threat and Vulnerability Management, Cloud Security, and more.