Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

PCI DSS compliance is a mandatory, revenue-critical requirement for fintech companies that touch cardholder data—directly or indirectly. This guide is written for fintech founders, CISOs, CTOs, and security leaders building or scaling payment-enabled platforms in the US and globally. If your fintech stores, processes, or transmits cardholder data, PCI DSS compliance for fintech companies is not optional—it is a baseline operating requirement. With PCI DSS v4.0.x now fully in force.

Ask five compliance leads in the gaming industry how 6.4.3 applies to their payment flows, and you’ll get five different answers. Ever since PCI v4.0.1 has come into effect, gaming and iGaming operators have been struggling to identify where they fall in scope, which SAQ paths apply to their specific architecture, and if Requirement 6.4.3 and 11.6.1 apply to them or their payment processors.

Very few people know this, but passing a PCI audit has very little to do with having defensible evidence. Your processor passed its last PCI assessment. Three months later, a merchant using your payment forms gets hit with a Magecart attack. Card brands start asking: What monitoring did you have on that checkout page? When did you detect the compromise? What evidence can you provide? That’s when the gap becomes obvious.

Nearly 70% of online purchases now happen on mobile, yet PCI scoping decisions are still often made as if mobile is just a smaller browser. It is not. A native in-app payment flow and a mobile web checkout trigger materially different obligations under PCI DSS 4.0.1. In one case, risk concentrates inside the application runtime through SDKs, platform storage, and release controls.

Financial services firms handling payment card data just ran out of runway. As of March 31, '25, PCI-DSS 4.0 compliance is mandatory. The 64 new requirements that organizations could previously treat as best practices are now enforceable, and auditors are scrutinizing every control. According to Verizon’s 2024 Payment Security Report, only 14.3% of organizations achieved full PCI-DSS compliance during interim assessments. That means most firms are closing gaps while managing day-to-day operations.

Let’s get right to it: Razorthorn Security helps organisations achieve and maintain PCI DSS compliance through expert consultancy, gap analysis and preparation for formal assessment and has been recognised by Gartner as a market leader in PCI DSS QSA services. If you’re handling payment card data, you’ll need qualified support to navigate the 500+ controls that PCI DSS demands.

Payment Card Industry Data Security Standard (PCI DSS) compliance isn’t a once-a-year exercise; it’s a year-round effort that requires regular validation to protect cardholder data, manage risk, and maintain audit readiness throughout the year. Compliance failures are rarely caused by a single missing control.

If you stand behind almost any modern checkout today and inspect the network tab, you will rarely see a tidy, controlled set of assets. Instead, you will see 15 to 30 different scripts, ranging from payment orchestration and fraud tools to analytics and session replay, all the way to tag managers, experimentation, consent logic, and accessibility widgets, with many loading from domains your security team has never directly vetted.

If your latest PCI DSS audit report flagged gaps against Requirements 6.4.3 and 11.6.1, it’s not time to panic yet. These findings are common and entirely fixable. Most of the time, the gap is between static guardrails and continuous runtime governance. QSAs assess whether you have active control over what executes in the client browser, not simply whether guardrails are configured. That is also why traditional controls like CSP or manual reviews can feel complete and still fall short.

Even well-maintained Magento and Adobe Commerce environments still land PCI DSS findings against 6.4.3 and 11.6.1. When that happens, it’s usually not a server-side Magento configuration issue. Instead, it’s a client-side runtime governance gap that Magento and most server-side stacks aren’t designed to close, even with helpful guardrails like CSP and SRI on payment pages.