PCI DSS in May 2025: Where are you really?
- Stefan Timotijevic
- Jun 3
- 2 min read
(And why there is still time… but not for much longer)

What you need to understand today
March 31, 2025, was the real tipping point.
Not an announcement. Not a draft. Since that date, several so-called “deferred” requirements of the PCI DSS v4 standard have become mandatory.
But if we look around—in retail, SMEs, fintechs—very few companies in Quebec are really ready.
The reality on the ground
Some believe they have checked the boxes with a hastily completed SAQ.
Others think Stripe or Shopify have them “covered.”
And yet…
Since April, several companies have received formal requests from their bank or acquirer:
“Please provide your ASV scan report”
“Please send us the policy related to script management.”
“Your SAQ seems incomplete or incorrectly categorized”
👉 PCI is no longer an annual audit requirement. It's an operational prerequisite.
What is now required
Here are the 4 biggest points you should have already implemented:
1. Monitoring payment scripts
Requirements 6.4.3 and 11.6.1 require that all client-side scripts be authorized, documented, and monitored for unauthorized changes.
❌ If your site contains Google Tag Manager, a marketing plugin, or a third-party script, you are exposed.
2. Reinforced MFA
Multi-factor authentication is required for all access, even internal.
❌ The same device cannot be used for authentication and access.
3. Annual review of cryptographic protocols
It is now necessary to document the algorithms used, their justification, their security, and their updates.
❌ TLS 1.0, SSL or weak suites are no longer tolerated.
4. Automated protection of public web pages
An application firewall (WAF) or equivalent solution should monitor public access.
❌ A CMS with unverified plugins is high risk.
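As an added illustration of point 1 (not code from the original post or from PCI360), here is a minimal audit of a checkout page against an authorized script inventory: it flags scripts absent from the inventory, external scripts whose SRI hash is missing or differs from the approved one, and inline scripts whose content changed since approval. All URLs, hashes, the page snapshot and the inventory are constructed.

```python
import hashlib
from html.parser import HTMLParser

# Constructed inventory of authorized scripts (req. 6.4.3): each carries a business
# justification; external ones are pinned by SRI hash, inline ones by SHA-256 of their body.
APPROVED_INLINE = 'window.checkoutConfig = {currency: "CAD"};'
AUTHORIZED = {
    "https://js.psp.example/v3/checkout.js": {"why": "PSP hosted fields", "sri": "sha384-CONSTRUCTED1"},
    "https://cdn.shop.example/analytics.js": {"why": "first-party analytics", "sri": "sha384-CONSTRUCTED2"},
    "inline:checkout-config": {"why": "checkout config",
                               "sha256": hashlib.sha256(APPROVED_INLINE.encode()).hexdigest()},
}

# Constructed snapshot of the checkout page as currently served.
PAGE_HTML = """<html><head>
<script src="https://js.psp.example/v3/checkout.js" integrity="sha384-CONSTRUCTED1"></script>
<script src="https://cdn.shop.example/analytics.js"></script>
<script src="https://tags.vendor.example/gtm.js?id=GTM-0000"></script>
<script id="checkout-config">window.checkoutConfig = {currency: "CAD", locale: "fr-CA"};</script>
</head><body><form id="pay"></form></body></html>"""

class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its attributes and inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = dict(attrs, body="")
    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None

def audit(page_html, inventory):
    """Return (finding, script) pairs: unauthorized scripts, SRI mismatches on
    external scripts, and inline scripts changed since approval (11.6.1)."""
    collector = ScriptCollector()
    collector.feed(page_html)
    findings = []
    for s in collector.scripts:
        key = s.get("src") or f"inline:{s.get('id', '?')}"
        entry = inventory.get(key)
        if entry is None:
            findings.append(("UNAUTHORIZED", key))
        elif "src" in s and s.get("integrity") != entry["sri"]:
            findings.append(("SRI_MISMATCH", key))
        elif "src" not in s and hashlib.sha256(s["body"].encode()).hexdigest() != entry["sha256"]:
            findings.append(("CHANGED", key))
    return findings
```

Run `audit(PAGE_HTML, AUTHORIZED)` on a scheduled snapshot of each payment page and treat any non-empty result as a change to review and either approve (update the inventory) or revert.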
And in Quebec?
The situation is even more sensitive:
➕ Law 25 converges with PCI DSS
Person responsible for the protection of personal information
Incident management
Third-party review
Documentation of privacy impact assessments (EFVP)
👉 So you have two regulatory frameworks to harmonize — and a real opportunity to simplify your procedures if you handle them together.
And what about the SAQ A? Are we good?
Not so fast.
Since 2025, the SAQ A has been modified. You are no longer eligible if:
Your site includes an iframe or a card field
You have custom scripts
You don't monitor your payment pages
👉 Many Quebec e-commerce businesses believe they are “SAQ A”, but are actually SAQ A-EP, which is much more complex.
What you can do right now
Good news: it's not too late.
But each week that passes increases your risk of:
Receiving non-compliance fees
Losing your merchant contract
Being excluded from projects with partners that require PCI proof
PCI360 can help you immediately
With PCI360, you can:
⚙️ Automatically scan your payment pages
🔐 Check your active scripts
📄 Determine the SAQ that is actually applicable to your environment
🛡️ Generate policies in French, compliant with standards
🌐 Integrate your Qualys ASV scans directly
📊 Get a dashboard for continuous monitoring, not just in “panic audit” mode
🧠 Not sure if you've been compliant since March 31?