PCI DSS 4.0 Changes: What Australian E-Commerce Businesses Need to Know

Eviant
3 min read
Tags: PCI DSS, Payment Security, E-Commerce, Compliance, Australian Businesses, PCI DSS 4.0

PCI DSS 4.0 became active in March 2024. Australian e-commerce businesses have until March 2025 to comply with existing requirements, and March 2026 for new “future-dated” controls. If you process card payments online, this affects you.

Key Changes for E-Commerce

Version 4.0 shifts from prescriptive controls to outcome-based requirements. The most significant changes for Australian merchants are expanded MFA, formal network segmentation validation, automated log monitoring, and phishing-resistant authentication by 2026.

Multi-factor authentication now applies to all cardholder data environment (CDE) access, not just remote access. For businesses using Stripe, PayPal, or Square, this means enforcing MFA on payment gateway admin accounts, CMS admin panels, and any systems touching payment data. By March 2026, you’ll need phishing-resistant MFA (hardware tokens, FIDO2 keys, biometrics)—SMS codes and authenticator apps won’t suffice.

If you claim that network segmentation reduces your PCI scope, you must now validate that claim. Validation requires annual penetration testing to prove that payment systems are isolated from the general network. If segmentation fails validation, your entire network becomes in-scope.

Automated monitoring replaces quarterly manual log reviews. Most merchants using third-party gateways inherit this from their provider, but if you handle cardholder data directly, you need real-time security event detection.
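The kind of real-time detection that replaces a quarterly manual log review, as an added example (not Eviant's code and not tied to any particular gateway): a small detector that watches admin-login events and raises an alert when one source address accumulates a burst of failures inside a sliding window, and again if a successful login follows that burst. The log format (ISO timestamp, source IP, account, outcome) and the sample lines are constructed for this example; the 5-failures-in-5-minutes threshold is an assumption you would tune to your own traffic.

```python
"""Sliding-window failed-login detector for payment-system admin logs.

Added example, not Eviant's code. The log format and the sample lines below
are constructed; THRESHOLD and WINDOW are assumed values, not PCI DSS numbers.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # how far back failures still count (assumed)
THRESHOLD = 5                   # failures inside WINDOW that make a burst (assumed)

# Constructed sample log: one address hammers the admin account and then
# succeeds; a second address has a single benign typo before logging in.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 203.0.113.7 admin FAIL
2025-01-10T09:00:09Z 203.0.113.7 admin FAIL
2025-01-10T09:00:17Z 203.0.113.7 admin FAIL
2025-01-10T09:00:26Z 203.0.113.7 admin FAIL
2025-01-10T09:00:40Z 203.0.113.7 admin FAIL
2025-01-10T09:00:55Z 203.0.113.7 admin OK
2025-01-10T09:10:00Z 198.51.100.4 shopmgr FAIL
2025-01-10T09:10:20Z 198.51.100.4 shopmgr OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, account, outcome)."""
    ts, ip, user, outcome = line.split()
    # fromisoformat() on older Pythons does not accept a trailing 'Z'
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, outcome


def detect(lines):
    """Return alerts as dicts with keys ts, type, ip, user.

    A deque per source IP holds the timestamps of failures still inside
    WINDOW; older entries are evicted as each new event arrives, so the
    check is O(1) amortised per line and suits a streaming log feed.
    """
    recent_failures = defaultdict(deque)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, outcome = parse_line(line)
        q = recent_failures[ip]
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if outcome == "FAIL":
            q.append(ts)
            if len(q) == THRESHOLD:   # fire once, when the burst is reached
                alerts.append({"ts": ts, "type": "failure burst", "ip": ip, "user": user})
        elif outcome == "OK" and len(q) >= THRESHOLD:
            # A success right after a burst is the event that needs a human now.
            alerts.append({"ts": ts, "type": "success after failure burst",
                           "ip": ip, "user": user})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts'].isoformat()} {alert['type']}: {alert['ip']} -> {alert['user']}")
```

In a real deployment the lines would come from the web server or gateway admin audit log as they are written, and the alert list would feed a pager or SIEM rather than `print`; the window logic is what turns a log file into the real-time detection the requirement asks for.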

Timeline and Acquirer Expectations

All existing and immediately applicable requirements must be implemented by 31 March 2025. Thirteen future-dated requirements (including phishing-resistant authentication) become mandatory 31 March 2026. Australian acquirers—CommBank, Westpac, NAB—are not granting extensions.

Merchants are categorized by transaction volume. Level 1 (6M+ transactions annually) requires quarterly audits by Qualified Security Assessors. Levels 2-4 complete annual Self-Assessment Questionnaires (SAQs). Non-compliance risks acquirer penalties, increased transaction fees, or loss of payment processing capabilities.

Common gaps Australian acquirers identify: inadequate network segmentation proof, inconsistent MFA enforcement, and outdated payment system patches. These translate to practical requirements: enable MFA on all admin accounts, verify your hosting provider segments payment infrastructure, and maintain current software versions.

What Applies to Your Business

Most Australian online retailers use SAQ A (fully outsourced payment processing—redirect to gateway) or SAQ A-EP (embedded payment form via iframe). SAQ A has 22 questions covering policies and vendor management. SAQ A-EP requires stronger web server security controls.

If you use SAQ A-EP, focus on: MFA for all website administrative access, automated security monitoring for web servers, and payment gateway script integrity checking (Requirement 11.6.1). Major gateways like Stripe and Adyen provide this—verify with your provider.
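What a payment-page script integrity check under Requirement 11.6.1 actually does, shown as an added example (not Eviant's code and not any gateway's tooling): record a baseline inventory of the scripts on the approved checkout page, then compare the live page against it and report any script that was added, removed, or changed. The HTML snippets, the gateway and third-party URLs, and the `integrity` value are all constructed placeholders; a real check would fetch the live page on a schedule and alert on non-empty findings.

```python
"""Payment-page script tamper detection in the spirit of PCI DSS 4.0 Req. 11.6.1.

Added example, not Eviant's code. Pages, URLs and the SRI value are constructed
placeholders so the check runs offline.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_digest(body: bytes) -> str:
    """Subresource Integrity string: 'sha384-' + base64(SHA-384(body))."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


class ScriptInventory(HTMLParser):
    """Collect external script URLs (with their SRI attribute, if any)
    and SHA-384 digests of every inline script body."""

    def __init__(self):
        super().__init__()
        self.external = {}      # src -> integrity attribute or None
        self.inline = []        # sha384-... digests of inline bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external[a["src"]] = a.get("integrity")
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append(sri_digest("".join(self._buf).encode()))
            self._in_inline = False


def inventory(html: str) -> dict:
    """Baseline or live inventory of a page's scripts."""
    p = ScriptInventory()
    p.feed(html)
    return {"external": p.external, "inline": sorted(p.inline)}


def check_page(html: str, baseline: dict) -> list:
    """Compare the live page with the approved baseline; empty list means clean."""
    cur = inventory(html)
    findings = []
    for src, integrity in cur["external"].items():
        if src not in baseline["external"]:
            findings.append(f"unauthorized external script: {src}")
        elif integrity != baseline["external"][src]:
            findings.append(f"SRI integrity attribute changed for {src}")
    for src in baseline["external"]:
        if src not in cur["external"]:
            findings.append(f"approved script missing: {src}")
    if cur["inline"] != baseline["inline"]:
        findings.append("inline script content changed")
    return findings


# Constructed approved checkout page (placeholder gateway URL and SRI value).
APPROVED_PAGE = """<html><body>
<script src="https://js.example-gateway.test/v1/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>window.checkoutConfig = {currency: "AUD"};</script>
</body></html>"""

# Constructed tampered copy: an unapproved script was added and the inline config edited.
TAMPERED_PAGE = """<html><body>
<script src="https://js.example-gateway.test/v1/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://static.unknown-third-party.test/analytics.js"></script>
<script>window.checkoutConfig = {currency: "AUD", debug: true};</script>
</body></html>"""

BASELINE = inventory(APPROVED_PAGE)   # recorded when the page was last approved

if __name__ == "__main__":
    print("approved page:", check_page(APPROVED_PAGE, BASELINE))
    print("tampered page:", check_page(TAMPERED_PAGE, BASELINE))
```

The baseline should be written at the moment the page passes review and stored outside the web root, so that whoever can alter the page cannot also alter what it is compared against; the same inventory doubles as the authorised-script list that Requirement 6.4.3 asks merchants to maintain.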

If you store, process, or transmit cardholder data in your own systems, compliance increases significantly: full network segmentation, quarterly vulnerability scans by Approved Scanning Vendors, annual penetration testing, and comprehensive logging. Engage a Qualified Security Assessor for gap assessment before March 2025.

Next Steps

Confirm your merchant level and SAQ type with your acquiring bank. Download the appropriate SAQ from pcisecuritystandards.org and review against your setup. Verify your payment gateway has completed PCI DSS 4.0 compliance and obtain their Attestation of Compliance.

Implement MFA on all systems touching payment data. If you claim network segmentation, schedule annual penetration testing. Document security policies—acquirers expect written access control, incident response, and vendor management policies even for minimal-scope SAQ A merchants.

Non-compliance penalties range from $5,000-$25,000 monthly fines to loss of payment processing. Need help with PCI DSS 4.0 assessment? Contact Eviant for compliance reviews aligned with Australian acquirer requirements.
