Any organization that stores, processes or transmits card data — issuing and acquiring banks, processors, fintechs, large merchants — must comply with PCI DSS. Version 4, which has definitively replaced v3.2.1, is no cosmetic update: it permanently raises the bar, and its new requirements, phased in over the transition period, have been mandatory since 31 March 2025.
What really changes with v4
- Stronger authentication: MFA for all access to the cardholder data environment (CDE), not just administrators.
- Passwords and accounts: hardened requirements, regular review of accounts and privileges.
- E-commerce security: inventory and integrity monitoring of payment-page scripts, skimming-attack detection (requirements 6.4.3 and 11.6.1).
- Continuous monitoring: automated log review, detection of control failures.
- Customized approach: meeting a requirement's objective through a documented, tested alternative control.
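The payment-page script control in requirements 6.4.3 and 11.6.1 comes down to three questions: is every script on the page known and authorized, is its integrity pinned, and has anything changed or appeared since the last approved state? The following is an added example, not Optima Advisory's tooling and not PCI SSC material: it inventories the script tags of a captured payment page, fingerprints inline code, and compares the result against an authorized baseline. The sample page, the baseline URLs and the SRI values (clearly labelled placeholders) are constructed for the example; a real deployment would fetch the live page on a schedule, keep the baseline under change control, and also cover the HTTP-header part of 11.6.1, which this check does not.

```python
"""Payment-page script inventory check (added example, not Optima Advisory's tooling).

Models the script-inventory half of PCI DSS v4 requirements 6.4.3 / 11.6.1:
every script on the payment page must be known, authorized and verified for
integrity. The page HTML, the authorized baseline and the SRI values below are
constructed sample data; a real deployment would fetch the live page on a
schedule and load the baseline from change-controlled storage.
"""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collects <script> tags: external ones keep src/integrity, inline ones keep their body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data  # script content arrives raw (CDATA mode)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def inline_fingerprint(body):
    """Stable identifier for an inline script: SHA-256 of its whitespace-trimmed body."""
    return "sha256:" + hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def inventory_scripts(html):
    """Return [(kind, identifier, integrity_attr)] in page order.

    kind is "external" (identifier = src URL) or "inline" (identifier = fingerprint).
    """
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    out = []
    for s in p.scripts:
        if s["src"]:
            out.append(("external", s["src"], s["integrity"]))
        else:
            out.append(("inline", inline_fingerprint(s["body"]), None))
    return out


def check_page(html, baseline_external, baseline_inline):
    """Compare the live inventory with the authorized baseline.

    baseline_external: {src URL: expected SRI integrity value}
    baseline_inline:   set of authorized inline fingerprints
    Returns a list of (finding, identifier) tuples; an empty list means the page matches.
    """
    findings = []
    seen = set()
    for kind, ident, integrity in inventory_scripts(html):
        if kind == "external":
            seen.add(ident)
            if ident not in baseline_external:
                findings.append(("unauthorized", ident))        # script nobody approved
            elif integrity is None:
                findings.append(("integrity-missing", ident))   # approved, but not SRI-pinned
            elif integrity != baseline_external[ident]:
                findings.append(("integrity-mismatch", ident))  # SRI changed outside change control
        elif ident not in baseline_inline:
            findings.append(("unauthorized-inline", ident))     # inline code changed or was injected
    for src in baseline_external:
        if src not in seen:
            findings.append(("missing", src))                   # an approved script disappeared
    return findings


# --- constructed sample data (placeholder hashes, not a real merchant page) ---
INLINE_CFG = 'window.__cfg = {merchant: "demo"};'
SAMPLE_PAGE = (
    '<!doctype html><html><head>'
    '<script src="https://cdn.example.com/payment-widget.js" '
    'integrity="sha384-PLACEHOLDER_WIDGET_HASH" crossorigin="anonymous"></script>'
    '<script src="https://cdn.example.com/analytics.js"></script>'
    '</head><body><form id="card-form"></form>'
    '<script>' + INLINE_CFG + '</script>'
    '<script src="https://unknown-third-party.example/s.js"></script>'
    '</body></html>'
)
BASELINE_EXTERNAL = {
    "https://cdn.example.com/payment-widget.js": "sha384-PLACEHOLDER_WIDGET_HASH",
    "https://cdn.example.com/analytics.js": "sha384-PLACEHOLDER_ANALYTICS_HASH",
    "https://cdn.example.com/fraud-check.js": "sha384-PLACEHOLDER_FRAUDCHECK_HASH",
}
BASELINE_INLINE = {inline_fingerprint(INLINE_CFG)}

if __name__ == "__main__":
    for finding, ident in check_page(SAMPLE_PAGE, BASELINE_EXTERNAL, BASELINE_INLINE):
        print(f"{finding:20} {ident}")
```

Run against the sample page, the check reports three findings: `analytics.js` is approved but not SRI-pinned, the unknown third-party script is unauthorized, and the approved `fraud-check.js` is missing from the page. Each finding is the evidence an assessor asks for under 11.6.1 (a detected, timestamped deviation from the approved state), and the empty-list case is the "page matches baseline" record that proves the control was running.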
Our method: shrink the scope first
The cost of PCI DSS compliance is proportional to scope. Before stacking controls, shrink the cardholder data environment: strict network segmentation, tokenization, offloading processing to certified providers. Halve the scope and you halve the audit — while genuinely reducing risk.
Then comes the evidence machinery: every requirement must be demonstrable to the assessor (QSA) through current configurations, logs and procedures. Organizations that succeed run PCI DSS as a permanent program — with a named owner and automated controls — not as an annual sprint before the audit.
Optima Advisory supports West African banks and fintechs across the full PCI DSS cycle: scoping, technical remediation, QSA audit preparation and long-term compliance upkeep.