Paula Albu
14 Apr 2026 / 8 Min Read
Paula Albu, Junior Editor at The Paypers, examines the key takeaways from Aperia Compliance’s ‘PCI DSS 4.0: Building Merchant Trust in the Next Era of Compliance’ webinar.
PCI DSS 4.0 is more than a box-ticking exercise. It needs to be treated as a foundation for building merchant trust, and for unlocking new revenue opportunities in an increasingly complex payments landscape.
This was one of the central themes of the webinar PCI DSS 4.0: Building Merchant Trust in the Next Era of Compliance, hosted by The Paypers and Aperia Compliance. Moderated by Masha Cilliers, Consultant, Board Advisor, NED, and Payment Industry Expert, the session featured Chris Bucolo, Director, PCI Compliance at Aperia Compliance, an IXOPAY Company, and John Newton, VP of Sales at IXOPAY.
In December 2024, IXOPAY teamed up with Aperia Compliance. Through this move, Aperia, which offers its solutions to over 100 merchant acquirers, was set to operate as Aperia Compliance, an IXOPAY company, aiming to optimise payment data security for merchants and merchant acquirers worldwide.
Together, the speakers explored what PCI DSS 4.0 means in practice for PSPs and payment platforms, and how modern compliance tools can help simplify operations while strengthening merchant protection.
Below are the key takeaways from the webinar.
After an introduction, Chris Bucolo started the discussion with an overview of where the risk lives today. Historically, the breach data pointed to physical retail. Now attention has shifted to e-commerce, with risks centring on weak passwords, unpatched devices, and remote-access vulnerabilities.
This shift matters because it changes who is exposed and how. As more commerce moves online and more components are added to payment stacks (plug-ins, third-party scripts, additional features), the attack surface grows. The more you build, the more third and fourth parties are involved, each introducing new potential points of failure.
PCI DSS 4.0 is a direct response to this evolution. As Masha highlighted, the standard is transforming compliance from static to continuous. The key changes include continuous monitoring expectations, stronger authentication and access controls, patching within one month, and significantly tightened oversight of, and accountability for, third-party service providers (TPSPs).
One of the more technically focused segments of the webinar addressed client-side risk, a vulnerability that is growing rapidly in relevance but is still underappreciated by many merchants.
Client-side risk refers to vulnerabilities on the user’s device, typically a browser, that attackers can exploit through malicious code, insecure third-party scripts, outdated components, or unauthorised actions that bypass traditional server-side security. As e-commerce checkout flows become more complex, with multiple embedded scripts, tag managers, and payment options, the exposure on the client side grows accordingly.
PCI DSS 4.0 directly addresses this through security requirements. Merchants must inventory and authorise all scripts running in the consumer’s browser during a transaction and deploy mechanisms to detect unauthorised changes or signs of malicious activity in real time.
A recurring and practical theme throughout the webinar was the question of responsibility, one that Chris illustrated through an analogy to a home renovation.
Just as a renovation requires multiple vendors working in the same space, raising constant questions about who is accountable for what, a modern payment stack involves layers of providers, each with partial ownership of the security perimeter.
The key questions that merchants and PSPs need to answer clearly include: who is responsible for software patching, and how often does it happen? Is website and application security the merchant's responsibility or the provider's? Who monitors for e-commerce skimming? Is the TPSP updating the PCI scope every six months, as required? Are roles defined clearly enough to prevent the gaps that most commonly lead to breaches?

Chris emphasised that one of the primary causes of breaches is organisations not fully covering the area they are actually responsible for. Merchants need to think carefully about the third and fourth parties involved in the process, whether fully outsourced or partially managed, and ensure that no part of the compliance perimeter is assumed to be someone else’s problem without explicit confirmation.
PCI DSS 4.0 provides resources and frameworks to help clarify these responsibilities. The standard raises important questions to ask vendors: which user accounts and application accounts are in scope? Who needs access, and under what circumstances? When does a testing environment transition to a production one, and what obligations does that trigger?
There is also an emerging dimension to consider, which Chris raised under the lens of agentic commerce. As AI agents begin to participate in purchase flows, new compliance questions arise:
These are not yet fully settled questions, but they are ones the industry needs to address as agentic commerce scales.
The second half of the webinar focused on the commercial dimension of compliance, a reframe that John Newton drove with clarity.

As technology evolves, so does fraud. Merchants increasingly have expectations around safety, and consumers are more confident transacting when they trust the source. By implementing strong compliance programmes, PSPs create an environment where consumers have greater trust in merchants, and merchants have greater trust in their acquirers. Trust compounds up and down the value chain.
At scale, John argued, the financial impact is not the cost of compliance, but the cost of non-compliance. Fines, forensic investigation fees, scheme penalties, reputational damage, and, in the worst cases, the loss of card-acceptance privileges all make the investment in compliance look modest in comparison.
But the opportunity goes further than risk avoidance. Compliance can be a genuine revenue driver. For acquirers and payment platforms, offering white-labelled compliance tools, guided self-assessment support, and ongoing monitoring creates a premium service layer that strengthens merchants' stickiness and opens new income streams.
One of the most important points raised in the webinar was the vulnerability of small and mid-sized merchants, a segment that is both underserved and increasingly targeted.
Most SMEs do not have a compliance department. Many do not even know they need one. Mid-sized merchants typically lack dedicated payment security staff and rely entirely on their PSPs, banks, and outsourced providers to navigate compliance on their behalf. They are not the experts, and they know it.
Attackers are well aware of this. As large enterprises have hardened their defences, fraudsters have increasingly redirected attention toward SMEs, where security resources and expertise are thinner. The risk is concentrated precisely where compliance support is least available.
That is where PSPs have both responsibility and opportunity. Providing accessible, clearly communicated compliance tools for smaller merchants, including SAQ guidance, vulnerability scanning, breach protection, and merchant education, is not just a service offering. It is an important contribution to the resilience of the broader payments ecosystem.
Masha Cilliers closed the session with some clear conclusions that sum up the spirit of the discussion.
First, threats are evolving, and so is PCI. Version 4.0 is specifically designed to address the new vulnerabilities that define today’s e-commerce environment, from client-side attacks to TPSP risk. Staying current with the threat landscape is essential.
Second, there are tools available to help. Industry solutions, including those offered by Aperia Compliance, exist to make compliance manageable at scale, whether you are a large PSP managing thousands of merchants or a smaller acquirer building out its compliance programme for the first time.
Third, compliance should not be seen as a cost. It is a potential source of new and additional revenue. Third-party providers can help monetise compliance services, and as agentic commerce continues to evolve, PCI will become more important, not less. Compliance was never the most exciting part of payments, but it is increasingly one of the most consequential.
These are just a few brief takeaways from the webinar. The session was packed with insights, practical guidance, and actionable strategies, all of which you can benefit from by watching the full webinar recording here.
The Paypers is a global hub for market insights, real-time news, expert interviews, and in-depth analyses and resources across payments, fintech, and the digital economy. We deliver reports, webinars, and commentary on key topics, including regulation, real-time payments, cross-border payments and ecommerce, digital identity, payment innovation and infrastructure, Open Banking, Embedded Finance, crypto, fraud and financial crime prevention, and more – all developed in collaboration with industry experts and leaders.