What your business needs to know about PCI DSS 4.0

Compliance with regulations or standards should not be seen as merely a tick-box exercise. It's a crucial route to increasing trust among your customers, especially for startups.

Trust in organisations is on the decline. According to our 2025 Digital Trust Index, nearly one in ten Brits have had financial or credit card data stolen in the past 12 months, and 16% have been informed that their personal data has been compromised.

For startups, regardless of the sector, any breach or loss of customer data – particularly financial data – can be devastating and hinder future growth. From e-commerce platforms to mobile payment solutions and beyond, as the number of applications handling data grows, so does the attack surface.

This is where the requirements set out by the Payment Card Industry Data Security Standard (PCI DSS) become vital. It provides a comprehensive framework to secure payment card data, helping startups protect their customers' information and build the foundation of trust that long-term success depends on.

So, what does this latest version require? Is your business up to date? And just what should you do to ensure compliance?

What is PCI DSS 4.0?

PCI DSS 4.0 is the latest version of the Payment Card Industry Data Security Standard: a set of security requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

Version 4.0 introduces 64 new requirements, and focuses on ensuring companies put measures in place to continuously monitor security. The updated standard allows businesses to decide how best to comply, but they must prove their approach works. PCI DSS 4.0 shifts from one-time compliance checks to ongoing security monitoring, emphasising the connection between cybersecurity and fraud management and focusing on risk outcomes rather than just passing assessments.

How to ensure compliance

Achieving compliance with PCI DSS 4.0 is essential for protecting your customers' payment card data and building trust. Here are some effective ways to ensure compliance.

Network and System Security: protect your network by installing firewalls, which act as barriers between your internal network and external threats, blocking unauthorised access. Configure your systems and software securely to minimise vulnerabilities, including disabling unnecessary services and ensuring default passwords are changed. Regularly update and patch your systems and software to fix security issues, helping protect against known vulnerabilities that attackers might exploit.

Data Protection: use strong encryption methods to protect any payment card data you store, ensuring that even if data is accessed without authorisation, it remains unreadable. Protect card data when it’s being sent over the internet by using encryption, preventing it from being intercepted and read by unauthorised parties. Only allow access to payment card data for employees who need it to perform their job, reducing the risk of data being mishandled or accessed by unauthorised individuals.

Access Control: implement multi-factor authentication (MFA) to verify the identity of anyone accessing your systems, adding an extra layer of security beyond just a password. Ensure that only authorised personnel can physically access systems that store card data, which might include using locks, security badges, or biometric scanners. Keep detailed logs of who accesses your systems and data, and regularly review these logs to detect and respond to any suspicious activity.
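The Data Protection and Access Control points above both come down to the same two controls: only named staff may reach cardholder data, and the access logs must actually be reviewed. The script below is an added example written for this article, not code from the article's author or from the PCI Security Standards Council. It runs over a handful of constructed log lines (not from any real system) and flags access to the cardholder data store by an account outside a hypothetical allow-list, access outside hypothetical business hours, and a burst of failed logins. It goes one step beyond the text by also checking that nobody has written a full card number into the log itself: a Luhn-valid run of 13 to 19 digits is reported with the number masked to the first six and last four digits, which is the most PCI DSS permits on display. The allow-list, resource name, hours and threshold are assumptions chosen for the example.

```python
import re
from datetime import datetime, time

# Constructed sample access-log lines; they are not from any real system.
# Format: <timestamp> <user> <action> <resource> <result> [extra fields]
SAMPLE_LOG = """\
2025-03-01T09:12:44Z alice READ cardholder_db/payments SUCCESS
2025-03-01T09:13:02Z bob READ cardholder_db/payments SUCCESS
2025-03-01T23:41:10Z alice EXPORT cardholder_db/payments SUCCESS
2025-03-01T10:02:17Z mallory READ cardholder_db/payments SUCCESS
2025-03-01T10:05:00Z carol LOGIN auth FAILURE
2025-03-01T10:05:06Z carol LOGIN auth FAILURE
2025-03-01T10:05:11Z carol LOGIN auth FAILURE
2025-03-01T10:05:15Z carol LOGIN auth FAILURE
2025-03-01T10:05:20Z carol LOGIN auth FAILURE
2025-03-01T10:05:25Z carol LOGIN auth FAILURE
2025-03-01T11:30:00Z bob READ cardholder_db/payments SUCCESS pan=4111111111111111
"""

# Hypothetical least-privilege allow-list: the only accounts that may touch the cardholder data store.
AUTHORISED_CDE_USERS = {"alice", "bob"}
CDE_RESOURCE_PREFIX = "cardholder_db/"
# Hypothetical working day; cardholder-data access outside it is unusual for this business.
BUSINESS_HOURS = (time(8, 0), time(19, 0))
FAILED_LOGIN_THRESHOLD = 5

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>\S+)\s+(?P<resource>\S+)\s+(?P<result>\S+)(?P<extra>.*)$"
)
# A run of 13 to 19 digits with no digit on either side is a candidate card number.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters order numbers and timestamps out of the candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the maximum PCI DSS allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def review_log(text: str) -> list[dict]:
    """Return one finding per suspicious event, in the order the log records them."""
    findings = []
    failed_logins: dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a production reviewer would count these too
        rec = m.groupdict()
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user, resource = rec["user"], rec["resource"]
        touches_cde = resource.startswith(CDE_RESOURCE_PREFIX)

        # Least privilege: anyone outside the allow-list reaching cardholder data is a finding.
        if touches_cde and user not in AUTHORISED_CDE_USERS:
            findings.append({"rule": "unauthorised_cde_access", "user": user, "ts": rec["ts"]})
        # Authorised but at an odd hour: worth a human look, especially for exports.
        if touches_cde and not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            findings.append({"rule": "out_of_hours_cde_access", "user": user, "ts": rec["ts"]})
        # Repeated failed logins: report once, when the count reaches the threshold.
        if rec["action"] == "LOGIN" and rec["result"] == "FAILURE":
            failed_logins[user] = failed_logins.get(user, 0) + 1
            if failed_logins[user] == FAILED_LOGIN_THRESHOLD:
                findings.append({"rule": "failed_login_burst", "user": user, "ts": rec["ts"]})
        # A full card number in the log is itself a data-protection failure; never echo it unmasked.
        for cand in PAN_CANDIDATE_RE.findall(line):
            if luhn_valid(cand):
                findings.append({"rule": "unmasked_pan_in_log", "user": user,
                                 "ts": rec["ts"], "pan": mask_pan(cand)})
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

On the sample above the review produces four findings: an out-of-hours export by an authorised user, a read by an account that is not on the allow-list, a failed-login burst, and a card number written into the log. The point of the last rule is that a log review only helps if the logs themselves are not a second copy of the data you are trying to protect.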

Malware and Security Testing: install and regularly update anti-malware software to guard against harmful programs that could compromise your systems. Perform regular security tests, such as vulnerability scans and penetration testing, to identify and fix potential security issues before they can be exploited.

Security Policies: develop and enforce a security policy that outlines how your startup will protect card data. This policy should cover all aspects of data security, including how to handle data breaches and employee training.

It’s not all about compliance

Rather than viewing PCI DSS 4.0 as a cumbersome tick-box exercise, business and security leaders should see this transition as a golden opportunity to enhance their organisation’s overall security posture. By integrating cybersecurity with fraud management and revolutionising the protection of cardholder data, you not only achieve compliance and prevent costly breaches, but also uphold customer confidence and build a trusted customer base.

To further boost consumer trust in the digital economy – and even more so at a time when those levels of trust are at an all-time low – companies should be transparent about what they’re doing to secure sensitive data, outlining to customers what data they’re capturing, where it is going and what’s being done with it.

For businesses that are still catching up, this is a decisive moment to organise your compliance strategy and get your efforts underway. Remember, data is one of your most valuable assets, and its security and integrity should never be compromised. Embrace PCI DSS 4.0 not just as a regulatory requirement, but as a strategic move to foster trust and secure your business’s future.
