Top 3 Takeaways of PCI DSS 4.0

5 min read
May 19, 2022 at 10:33 AM

PCI DSS 4.0: What Is It?

Call compliance requires considerable effort from any company, but some call compliance laws are more challenging than others. PCI DSS can be one of the most challenging, but you know that already if you take credit cards online, in person, or especially over the phone. 

One of the trickiest parts of PCI DSS you face every day is dealing with the payment card numbers spoken over the phone. They wind up on recordings and in transcripts and according to PCI DSS they all need to be removed. Fortunately, we live in the advent of AI and machine learning which allows us to identify and wick out those vulnerable credit card numbers before some mustache-twirling evil doer compromises our security and runs off with them, and that’s if they can break the encryption. 

You are redacting and encrypting your recordings and transcripts, yes?

Just making sure. It’s pretty costly if you don’t.

Anyway, that was PCI DSS 3.2.1, and for the first time in years, there’s been a standard update to this regulation, PCI DSS 4.0. What do you need to know about PCI DSS 4.0? It's a major update with many changes, and here we’ll go over the big takeaways that directly impact your customer service and sales teams. In some instances, the standard works even more to the benefit of the business, so there’s good news to come along with some new things to consider.

First off, know that the Payment Card Industry (PCI) Security Standards Council has declared an overlap period between PCI 3.2.1 and 4.0 to give every organization time to transition to the new standard. Put simply everyone’s got 2 years counting from Mar 31, 2022. PCI DSS regulations touch every business on the globe, so it’s no surprise that there’s a grace period. 

Let’s look at the takeaways.

1: Your Compliance Technology Must Modernize

In essence, PCI DSS is a security standard, and when it graduates up to a new version number, our security standards will have to rise as well. Laws are now written around the advance of technological standards, and this update to a new PCI standard will probably cause you to invest in technology to meet the security requirement. Security needs are a day-to-day occurrence, and PCI DSS 4.0 will require us to be ready to address them on a day-to-day basis. 

What does that mean practically speaking? It means you, as the company taking payment cards over the phone, need to designate clear responsibilities and roles for each employee involved in a PCI-related process. This comes down to anyone who has access to unredacted payment card numbers as most of the time, it's from within these employees that cybercriminals pry an opening through an unguarded door or overlooked process. 

Setting up strict role-based access for these employees isn’t primarily to have someone to blame when PCI data is exposed, but to give you maximum visibility when overseeing the day-to-day security of your operation. Keeping the list of employees who can see PCI numbers short protects customers, and your company is crucial.

You’ll also need to assess your training methods for employees that handle PCI data since they are at the frontline of maintaining your security practices. 

2: Plan For More Reporting as PCI Compliance Becomes a Continuous Process

One could argue that PCI compliance was always an everyday thing, but documenting and reporting it was not. Before 4.0, most companies would update their PCI documentation once a year. PCI DSS 4.0 seeks to address new and sophisticated cyber attacks by promoting PCI security as a continuous day-to-day task. This means maintaining the level of security already instituted by the previous PCI iteration, promoting security as a continuous process, building flexibility for alternate methodologies, and enhancing validation practices. 

What does this mean for your reporting? It means things need to get granular, and you will want to use reporting technology that can easily produce audits that can be rapidly assembled. It also means the detail level within the report should be granular. You’ll need to know exactly who within your organization accessed what, when they did it, and where every iota of data was sent. In general, reporting standards have grown with the technology, and PCI DSS expects you to keep pace. 

Reporting will also need to highlight areas needed for improvement. There’s always room for improvement, and if you’re not looking for areas that need bolstering, cybercriminals will highlight them for you. Reporting should be part of the security process so it can be assessed by your security team and you can stay ahead of the threat. 

Role based access

3: PCI DSS Is More Flexible (With New Technology)

The rules of PCI DSS had to flex in order to accommodate increased options to address objectives. Payment technology innovation is impossible without some flex, for instance: To achieve compliance, your organization may require PCI data to be accessed by group, shared, and generic accounts. Or, your organization may need to implement an innovative technological means of achieving PCI DSS compliance, like AI-driven PCI redaction.

Companies may also need to customize the frequency of security tasks based on targeted risk analysis. Security is not a one-size-fits-all topic and factors such as company size, industry type, and call volume change the best practice methodology for individual companies. PCI DSS 4.0 has more flex built into it for accommodating the security standards that fit a company, but to be sure it never sacrifices the level of security required for the handling of payment card numbers. 

Verdict: PCI DSS 4.0 Demands You Use the Best Technology Possible

Much of this major update is about making sure your PCI compliance practices track with the technology available. Security threats come from malicious parties that will use new technology, so the idea is that we, the people who want to keep the customers safe, do so by staying on top of our technology as well. 

Data breaches over the past decade have shaken consumer confidence considerably and for good reason. The regulation is never going to be met with a set-it-and-forget-it approach. The good news is that it’s never been a better time to invest in a modern call recording and compliance platform. 

At MiaRec, we’ve built the kind of granular reporting and role-based access you’ll need right into our platform. The best place for PCI security measures to begin is at the agent level during recording. We’re excited to announce that coming this year we’ll be introducing an automatic PCI redaction feature to the MiaRec platform that can help you keep your recordings and transcripts free of vulnerable payment card numbers. 

To learn more about PCI DSS compliance and the MiaRec platform, reach out to us today at

.Experience The Power Of MiaRec Yourself! Demo CTA

Checklist For Maximum Efficiency Call Center Operations

Get Email Notifications

No Comments Yet

Let us know what you think