Making the Shift to PCI v4.0
Nelnet Campus Commerce works hard to be prepared for any upcoming PCI DSS changes.
Released in March 2022, PCI DSS v4.0 has a two-year transition period.
Change is a constant, especially when it comes to data protection standards. That's why Nelnet Campus Commerce works hard to be prepared for upcoming changes as payment security standards continue to evolve. Here are some updates on data security standards and what's new with the PCI DSS v4.0 release.
Payment Card Industry Updated Standards
Payment security is undergoing a transition as the Payment Card Industry Security Standards Council (PCI SSC) has rolled out updated standards to enable organizations to better protect payment information against ever-evolving threats.
As a Payment Card Industry Data Security Standard (PCI DSS) validated service provider, Nelnet Campus Commerce has watched this evolution all along, and is preparing for the rollout of the new PCI DSS standards. Becky Pollock, Nelnet Business Services Chief Payment Officer, notes the critical importance of PCI DSS adherence and validation. “The payments industry is constantly evolving, and unfortunately the fraudsters continue to look for ways to get to cardholder data. As a PCI DSS Level 1 service provider, we know the importance of our responsibility to protect this data and our clients,” she said.
The new PCI DSS standard provides a comprehensive update that takes into account the diverse array of payment applications and software, as well as a range of data protection standards. The PCI SSC revised the standard in a years-long process that included three Request for Comments periods, which drew over 6,000 individual comments from over 200 companies. Alongside the traditional "defined approach" to meeting each requirement, v4.0 introduces a "customized approach" that lets an organization meet a requirement's stated security objective with controls of its own design, provided it documents and tests them and its assessor validates them. The ultimate goal was a security framework that allows organizations to use different means to achieve the same security objectives.
PCI-DSS v4.0 Updates
In March 2022, the newest version of PCI DSS, Version 4.0, was released. It has a two-year transition period, during which individual organizations can choose whether to assess against the earlier standard or the new one. The old standard, v3.2.1, will be retired on March 31, 2024, after which v4.0 will be the only version available for use in validations. Note that a number of the new v4.0 requirements are "future-dated": they are considered best practice until March 31, 2025, and become mandatory after that date, so an organization assessing against v4.0 before then should track which controls it still has to put in place.
The PCI Security Standards Council had four goals for the new requirements:
- Continue to meet the security needs of the payment industry
- Promote security as a continuous process
- Add flexibility for different methodologies
- Enhance validation methods
Overall, these goals will help payment processors be more dynamic in how they meet the challenges posed by evolving security threats. For example, the standard now requires multi-factor authentication for all access into the cardholder data environment, not just for administrators or remote access, and raises the minimum password length, both of which reduce the risk of account credentials being stolen and reused. Other new requirements are aimed at preventing phishing attacks and at detecting the skimming of payment pages, such as managing and monitoring the scripts loaded into a browser on a payment page.
Organizations will have the flexibility they need to reduce risk in a variety of ways – and the PCI SSC won’t have to scramble to keep up rewriting overly narrow requirements. The emphasis on security as a continuous process is also important as it takes the protection of customer information beyond specific technical controls and encourages organizations to think critically about security in every role.
Want to learn more about PCI DSS? Read our blog: A QSA’s Top Seven PCI DSS v4.0 Critical Takeaways
Interested in cybersecurity awareness? Read our blog: 7 Ways to Engage in Cybersecurity Awareness
Author: Linda Hansen
With nearly 10 years’ experience in writing proposals, Linda enjoys collaborating with various security and technical staff to provide pertinent answers to clients’ concerns. She joined Nelnet Campus Commerce in 2019, bringing experience in journalism, customer support, and business writing to her role as Proposal Writer. When not answering long lists of questions, Linda can be found reading fiction or playing board games.