Beyond compliance: our approach to PCI DSS 4.0

Achieving PCI DSS 4.0 compliance is more than a technical milestone. It’s a sustained commitment to security across your entire infrastructure.

In 2024, we built our new infrastructure following PCI DSS principles not because we had to, but because security demands no compromise.

Beyond minimum requirements

PCI DSS compliance was required for our payment solutions business in the Baltic regions, but only for a subset of our infrastructure. We chose to apply PCI DSS principles across our entire IT environment anyway. There are no shortcuts when it comes to security.

Rather than treating compliance as a checkbox, we built controls and processes designed to last. Today we maintain compliance through routine audits, without any internal or external pressure, which is proof that our approach works.

What we faced

Complexity – the standard applies to all systems that could impact security, requiring careful scoping, network segmentation, and precise control design across the infrastructure. PCI DSS 4.0 introduced over 50 new requirements and 30 modified controls compared to the previous version, demanding a complete review of your security architecture.

Operational overhead – continuous compliance demands hundreds of recurring tasks each year, such as monitoring, reviews, evidence collection, and ongoing verification. Organizations typically spend 20-30% of their security team’s time on compliance-related activities. We designed our processes to make this sustainable without burning out our teams.

Shared responsibility – strong technical controls aren’t enough. Security depends on consistent practices and awareness across all teams. According to industry data, over 80% of security breaches involve a human element, which makes organizational culture as critical as technology.

What we delivered

Effective segmentation – testing confirmed our segmentation controls protect critical systems as designed. Proper network segmentation can reduce the scope of PCI DSS assessments by up to 70%, but more importantly, it limits potential breach impact and contains threats before they spread.

Sustained compliance – our controls, processes, and documentation meet requirements without remediation.

Stronger security posture – applying compliance principles beyond the minimum boundary improved access control, monitoring, and logging across our entire infrastructure.

What to remember

  • PCI DSS defines strict requirements for organizations handling card data, spanning 12 controls across six areas: secure networks, data protection, vulnerability management, access control, monitoring, and security policy.
  • Version 4.0 shifts from prescriptive rules to outcome-based requirements. This allows tailored implementations but requires stronger security expertise and accountability.
  • Technology alone isn’t enough. Human behavior matters. Phishing attacks have risen by 60%, making awareness, policy adherence, and incident reporting even more critical for everyone.
  • PCI DSS is a baseline, not the goal. Applying principles like defense in depth, least privilege, and continuous monitoring across systems leads to fewer incidents and faster response.
  • Security is continuous, not annual. With breaches averaging over €4M, proactive, everyday security is a business necessity.

We’re open to sharing our experience with other companies navigating PCI DSS compliance. If you’re a quality manager, risk officer, or CTO facing similar challenges, we welcome the conversation.