Why SaaS companies need to prioritize PCI 4.0 compliance (and the impacts to merchants) 

Updated on May 15, 2024

Did you know that your PCI compliance status can influence the PCI 4.0 controls and requirements that need to be met by your customers? 

Allow us to explain. 

When it comes to protecting payment card information from unauthorized use, exposure, and potential fraud, everyone involved in payments has an important role to play, software companies included. 

As a responsible software company that loves to provide your end users with technology that makes their day-to-day lives easier, you know how important the customer experience is. Therefore, it’s important to consider your influence on the bigger payments ecosystem and prioritize meeting PCI 4.0 standards, so you can continue to make the lives of your customers easier and the process of moving money safer for all. 

Throughout this blog, we walk you through PCI, including important PCI 4.0 requirements and why you should consider getting an on-site assessment with a qualified security assessor (even if it’s not technically required of you).

Short on time? Here are key takeaways:

  • PCI DSS is a security standards framework applicable to all businesses involved in payments, and compliance is mandatory for any business that handles payment card data, including software companies.
  • PCI DSS 4.0 guidelines were released in 2022 and introduced new requirements. PCI DSS 3.2.1 expired in March 2024.
  • A software company’s PCI compliance status directly impacts their customers’ PCI 4.0 requirements.

What is PCI DSS?

Payment Card Industry Data Security Standard, or PCI DSS, was instated to protect payment data, serving as a framework of security standards applicable to businesses involved in payment processing. Complying with PCI DSS is mandatory for any business that handles payment data, including software companies and platforms that enable embedded or integrated payments for their software users.

PCI DSS 4.0 guidelines were released in 2022 to give companies time to understand the new compliance requirements. As of March 2024, PCI DSS 3.2.1 is retired and only PCI DSS 4.0 assessments are accepted moving forward. Future-dated PCI DSS 4.0 requirements go into effect in 2025. For more details, check out this resource from the PCI Security Standards Council.

PCI 4.0 requirements that software companies should be aware of:

  • Software companies classified as Level 1 must submit an annual report on compliance (ROC) by a qualified security assessor (QSA) and a quarterly external network vulnerability scan report by an approved scanning vendor (ASV).
  • Organizations classified as Level 2 must submit a self-assessment questionnaire (SAQ) D and a quarterly external network vulnerability scan report.
  • These validation requirements are due annually and after any major system changes.

Navigating PCI requirements and understanding your PCI level is complicated work and quite nuanced. The Payrix team is available and well-positioned to help you identify, scope, and understand your PCI requirements, as well as those of your merchants.

Making the case for an on-site assessment with a QSA

If, having worked out your PCI level, your organization falls into the Level 2 category, Worldpay and Payrix strongly encourage software companies to engage a QSA to assist with correct scoping and completion of the SAQ D, especially if it is your first time through an assessment. This strategy allows you to understand your true scope and all the requirements that PCI 4.0 added to SAQ D, as it is possible that some may not apply to your setup.

This approach also helps you understand your risks and attack vectors with your specific integration or setup to reduce scope and your risk profile further. By having a compliant assessment with a QSA you then become eligible to be included on the card brands' lists of compliant service providers. Worldpay or some other processor of yours would have to register you with the brands, but with that coupled with the compliant on-site assessment you can be added onto those lists, which can be a really powerful marketing tool when you're trying to secure new merchant business.

Judy Hagerty, Compliance Analyst II, Payment Data Security at Worldpay

Payment set-ups and PCI 4.0 requirements

Below we explain common payment set-ups through the lens of a Payrix partner:

  • Scenario 1: Utilizing Payrix or a Payrix API to store, process, or transmit account data on the merchant's behalf.
  • Scenario 2: Having access to, or storing, processing, or transmitting, payment data in a way that can impact the security of the merchant's cardholder data environment (CDE).
  • Scenario 3: Managing in-scope systems on a merchant's behalf.

Software companies that store, process, and/or transmit account data, or have the ability to impact its security, must be PCI DSS compliant and undergo an annual assessment to validate that the applicable PCI DSS requirements are in place. All other SaaS providers may either undergo annual assessments to validate that the applicable PCI DSS requirements are in place or participate in each merchant's PCI DSS assessment.

Also, your compliance status as a software company may directly impact which PCI DSS requirements apply in your customers' PCI assessments; for example, whether the merchant's SAQ A includes an ASV scan.

There are many reasons to prioritize PCI compliance, but you could argue that prioritization demonstrates your unwavering commitment to your customers, and that may be motivation enough for you to act now. If you walk away from this blog with anything, let it be this: your PCI compliance validation status simplifies the PCI workload for merchants and provides a better and safer experience for everyone.

We know how complex PCI compliance is, particularly now with the new PCI 4.0 requirements, which is why the team at Payrix is here to support you.

PCI DSS 4.0 is active now

When it comes to the new PCI 4.0 requirements and controls, your merchant customers depend on you. Help them navigate the process as efficiently as possible by becoming PCI compliant and leveraging a partnership with Payrix. Together, we can ensure the safety of payments now and in the future.

To learn more about how you as a software company can prepare for PCI DSS 4.0, check out our blog post.
