IoT Security / PCI-DSS
PCI-DSS v4.0.1 and IoT Security: The Complete Guide for Connected Payment Environments
PCI-DSS v4.0.1 is not just an update to a compliance framework. It is a recognition that the payment security threat landscape has fundamentally changed – and that connected IoT devices, cellular networks, and distributed payment infrastructure are now the primary attack surface. This guide covers what changed, why connected payment devices are genuinely at risk, what the attack vectors look like in practice, and what organisations, IT teams, and payment hardware providers can do about it. It also covers sensible security practice for all connected devices – because PCI scope is only part of the problem.
What is PCI-DSS v4.0.1 and What Actually Changed?
PCI-DSS – the Payment Card Industry Data Security Standard – is the global framework governing how organisations that handle cardholder data must protect it. It is maintained by the PCI Security Standards Council, a body founded by the major card schemes: Visa, Mastercard, American Express, Discover, and JCB.
Version 4.0 was published in March 2022 and replaced v3.2.1 as the active standard. Version 4.0.1, a minor clarifying update, followed in June 2024. The full set of requirements became mandatory on 31 March 2025, with no grace period for the new controls that were previously listed as “best practice”.
The headline shift from v3.2.1 to v4.0 is the move from periodic compliance to continuous security. Under v3.2.1, many controls were assessed at a point in time – an annual QSA assessment would review a snapshot of the environment. v4.0 introduces the concept of customised implementation and ongoing assurance, with controls that require continuous monitoring, automated testing, and demonstrable evidence of operational security – not just a configuration review taken once a year.
The key changes that affect IoT and connected payment environments
| PCI-DSS v4.0.1 requirement area | What changed | IoT / connectivity impact |
|---|---|---|
| Req 1 – Network security controls | Expanded from “firewalls” to all network security controls. Explicit requirements for network segmentation and documentation. | IoT payment devices must be on segmented network zones. Cellular-connected devices need documented network architecture including SIM and APN configuration. |
| Req 2 – Secure configurations | Default credentials must be changed before deployment. All unnecessary services must be disabled. Inventory of all system components required. | Every connected payment device – router, terminal, gateway – must be in a documented inventory with confirmed secure configuration before going live. |
| Req 6 – Secure software | New requirement for protection against client-side attacks. Payment page scripts must be authorised and integrity-checked. | Firmware on payment terminals and IoT gateways must be on a documented update cycle. Unauthorised firmware modifications must be detectable. |
| Req 8 – Identity and access | MFA required for all access to the cardholder data environment. Phishing-resistant MFA required for remote access. | Remote management access to cellular routers and IoT gateways in CDE scope must use MFA. Default vendor credentials are explicitly prohibited. |
| Req 10 – Logging and monitoring | Automated mechanisms for log review required. Failure of critical security controls must be detected and responded to promptly. | Connectivity gaps, configuration changes, and authentication failures on network devices must be logged and actively monitored. |
| Req 11 – Security testing | Continuous network monitoring required. Rogue wireless access point detection must be automated and active. | Unauthorised cellular connections – rogue SIMs, unauthorised access points near payment terminals – must be actively detected, not just periodically checked. |
| Req 12 – Policies and risk | Formal targeted risk analysis required for each control using a customised approach. Risk assessments must be reviewed annually. | IoT device risk assessment must explicitly cover cellular connectivity, remote management access, and physical device security. |
The critical shift: PCI-DSS v4.0.1 does not just require you to have security controls in place at assessment time. It requires you to demonstrate that those controls are operating continuously and that failures are detected and responded to. For IoT payment environments, this is the shift from a configuration audit to an operational security programme.
Why IoT Payment Devices Are a Different Security Problem
Traditional PCI-DSS compliance was designed for a relatively contained environment: servers in a data centre, POS terminals on a local network, staff at fixed workstations. The threat model was about protecting data in transit and at rest within a known, bounded perimeter.
The modern payment environment does not look like that. Payment devices are distributed across hundreds or thousands of locations. They communicate over cellular networks rather than fixed LAN infrastructure. They are physically accessible to members of the public in retail, hospitality, and transport environments. They are managed remotely by vendors, acquirers, and IT teams who may be in different countries. And they share network infrastructure with other IoT devices – building management systems, environmental sensors, CCTV, access control – that may have very different security postures.
Each of these characteristics creates attack surface that did not exist in the traditional PCI model.
The distributed physical attack surface
A POS terminal in a busy retail environment is touched by hundreds of people per day. Physical tampering – attaching a skimming overlay, replacing the device with a cloned unit, inserting hardware into a peripheral port – is a persistent real-world threat. Unlike a server in a locked data centre, a payment terminal on a shop counter has no physical access control beyond the vigilance of staff. PCI-DSS has always required physical security controls for payment terminals, but the distributed nature of modern retail and hospitality deployments makes consistent enforcement genuinely difficult.
Cellular connectivity as an attack vector
Many modern payment devices and the gateways that connect them use cellular connectivity as their primary data path – either directly (a SIM card in the terminal) or indirectly (a cellular router providing internet connectivity to the payment network segment). Cellular connectivity introduces attack vectors that do not exist on fixed LAN infrastructure:
- SIM swapping – an attacker who gains access to the account management systems of the mobile network operator can reassign a SIM card to a device they control, redirecting traffic from the legitimate device.
- IMSI catching – rogue base stations (IMSI catchers or “stingrays”) can intercept cellular traffic from devices in range. While modern LTE and 5G include protections against the most basic IMSI catcher attacks, sophisticated variants remain a concern for high-value targets.
- Rogue APN configuration – if an attacker can modify the APN configuration on a cellular router or terminal, they can redirect traffic to an infrastructure they control rather than the legitimate payment processor.
- Management interface exposure – cellular routers with management interfaces exposed to the internet (rather than behind a VPN or private APN) are discoverable via tools like Shodan and represent a direct route to reconfiguring the payment network.
Shared IoT network infrastructure
In many retail, hospitality, and transport environments, payment devices share network infrastructure with other IoT systems. A hotel might have CCTV cameras, guest Wi-Fi, building management sensors, and payment terminals all on the same router and cellular connection. If any of those non-PCI devices is compromised, an attacker has potential lateral movement paths toward the payment environment. PCI-DSS requires network segmentation precisely to prevent this – but in IoT deployments, segmentation is frequently incomplete or poorly documented.
Real-world example: In multiple documented breach cases, attackers gained initial access to a retail or hospitality network through a poorly secured IoT device – a CCTV system, an HVAC controller, a vending machine – and used that foothold to move laterally to POS terminals or back-office payment systems. The payment devices themselves were PCI-compliant. The non-payment IoT devices on the same network were not.
The Attack Vectors: What Threats Actually Look Like
Understanding the specific attack vectors helps move security decisions from abstract compliance requirements to concrete defensive measures. These are not theoretical risks – they represent documented attack patterns observed in real payment security incidents.
Physical skimming and terminal tampering
The oldest attack in payment security and still among the most common. Physical skimming devices are overlays or inserts designed to capture card data at the point of interaction – either the magnetic stripe data from swipe, the PIN from keypad entry, or increasingly the NFC/contactless transaction data. Modern skimmers are sophisticated: they can be 3D-printed to match specific terminal models, they transmit captured data via Bluetooth or cellular, and they can be installed and retrieved within minutes by a trained operative.
Beyond skimmers, full terminal replacement is a documented attack – where a legitimate terminal is swapped for a cloned or modified unit that appears identical but routes transactions through attacker-controlled infrastructure while passing them to the legitimate processor to avoid immediate detection.
Man-in-the-middle on cellular traffic
If payment traffic traverses the public internet – even encrypted – it passes through infrastructure an attacker may be able to influence. TLS provides strong protection against passive interception, but man-in-the-middle attacks that exploit certificate validation weaknesses, or that operate at the network layer before TLS termination, remain a concern. Cellular-connected devices that communicate with payment processors over the public internet have a larger attack surface than devices on private network paths. This is one of the primary technical arguments for private APN connectivity in payment environments – traffic never reaches the public internet.
Firmware and software compromise
Payment terminal firmware that has been modified – either through a supply chain attack, through exploitation of an update mechanism, or through physical access to the device – can capture card data at the point of entry before encryption, bypass security controls, or establish persistent remote access for the attacker. Firmware integrity verification – checking that the firmware running on a device matches an authorised, signed version – is a requirement under PCI-DSS v4.0.1 and is the primary defence against this attack vector.
Credential attacks on management interfaces
Cellular routers and IoT gateways in payment environments frequently have web-based management interfaces. Default credentials on these devices are well-documented in vendor manuals that are publicly available. A router with a default username and password, a management interface accessible from the internet, and PCI-scope devices behind it is a straightforward compromise waiting to happen. Shodan – a publicly accessible search engine for internet-connected devices – indexes thousands of cellular routers with exposed management interfaces at any given time.
Lateral movement from non-PCI IoT devices
As described above, the initial compromise of a payment environment frequently does not target the payment devices directly. It targets adjacent IoT infrastructure on the same network, uses that foothold to map the internal network, identifies the payment segment, and moves laterally toward the higher-value target. Inadequate network segmentation – or segmentation that exists on paper but has not been validated – is the enabling condition for this attack pattern.
Supply chain and third-party risk
Payment devices pass through multiple hands before reaching their installation location – manufacturer, distributor, installer, and maintenance provider all have physical access to the hardware at various points. A device tampered with in the supply chain may appear legitimate on delivery. PCI-DSS v4.0.1 places increased emphasis on third-party and supply chain risk, requiring documented assessment of service providers and their security controls.
Connectivity Architecture as a Security Control
The connectivity choices made when deploying payment IoT infrastructure are not just operational decisions – they are security decisions. The network architecture beneath a payment environment determines what attacks are possible, what is detectable, and how quickly a breach can be contained.
Private APN: the single most impactful connectivity security control
A private APN (Access Point Name) gives IoT payment devices a dedicated, isolated network path from the SIM card through the mobile core to the organisation’s own infrastructure – bypassing the public internet entirely. For payment environments, this has three significant security consequences.
First, payment traffic never traverses the public internet. There is no public internet exposure to exploit, no opportunity for man-in-the-middle attacks at internet exchange points, and no dependency on the security of public routing infrastructure.
Second, devices on a private APN are not publicly routable. They cannot be discovered by Shodan or any other internet scanning tool. An attacker who does not already have access to the private network has no route to the device management interface.
Third, private APN connectivity can be combined with network-level device authentication – where only SIM cards registered to the account can access the private network, and connections from unregistered SIMs are rejected. This is a hardware-enforced control that software cannot easily bypass.
Fixed IP SIM addressing
Fixed IP SIM cards assign a static, known IP address to each device. In a payment context, this enables precise firewall rules: payment traffic is only permitted from known device IP addresses to known processor endpoints. Any traffic from an unexpected source is automatically blocked. Dynamic IP addressing, by contrast, makes this kind of allowlist-based control much harder to implement reliably.
Network segmentation: enforced, not assumed
PCI-DSS has always required network segmentation between the cardholder data environment and other networks. In IoT deployments, this means the payment network segment must be physically or logically separated from other IoT devices – CCTV, environmental sensors, guest Wi-Fi, building management systems – regardless of whether they share the same cellular router or gateway hardware.
On a cellular router with VLAN support, payment devices and non-payment IoT devices can share the same hardware while being on isolated network segments with firewall rules preventing inter-VLAN traffic. This is the correct architecture. What is not acceptable is a flat network where all connected devices can reach all other connected devices without restriction.
Segmentation must be tested: PCI-DSS v4.0.1 requires that network segmentation controls are tested at least every six months – or after any significant change to the network architecture. Segmentation that exists in the network diagram but has not been validated with penetration testing or equivalent technical verification does not satisfy the requirement.
VPN for all remote management access
Remote management access to any device in or adjacent to the payment environment – routers, gateways, terminals – must traverse an encrypted VPN tunnel. Direct internet-facing management interfaces are not acceptable. WireGuard and OpenVPN are both well-supported on industrial cellular routers and provide strong encryption with good performance on cellular links. IPsec is common in enterprise environments and equally valid.
The VPN architecture should enforce the principle of least privilege: a maintenance engineer accessing a router for configuration changes should not automatically have access to the payment server behind it. Access controls at the VPN level should limit each role to the specific devices and services they need.
Dual-SIM for resilience without security compromise
Connectivity resilience in a payment environment has a security dimension as well as an operational one. A payment gateway that goes offline during a connectivity failure may fall back to less secure processing modes – offline authorisation, store-and-forward – that have weaker fraud controls. Maintaining continuous connectivity via dual-SIM failover is not just an uptime requirement; it keeps the payment environment operating under its full security controls at all times.
Router and Device Hardening for PCI Environments
Connectivity architecture defines the perimeter. Device hardening defines what happens within it. Every router, gateway, and connected device in or adjacent to a payment environment needs to meet a baseline security configuration before deployment and maintain it throughout its operational life.
Change all default credentials immediately
This is Requirement 2.1 of PCI-DSS and it is non-negotiable. Default usernames and passwords on network hardware are documented in publicly available vendor manuals. Every device must have its default credentials changed before being connected to a live network. Passwords must meet complexity requirements: minimum 12 characters, combination of uppercase, lowercase, numbers, and symbols, no dictionary words, not reused from other accounts.
Disable all unnecessary services
A cellular router running in a payment environment does not need Telnet, FTP, or HTTP management access enabled. It should run HTTPS for management (if web UI is required at all) and SSH for CLI access. All other management protocols should be disabled. Any port that is not required for the device’s operational function should be closed. This applies to every device in the environment – routers, switches, terminals, and any IoT device on the same network segment.
Maintain a firmware update cycle
Firmware vulnerabilities on network hardware are regularly discovered and patched by vendors. A router running firmware from 18 months ago may have known vulnerabilities that have been publicly documented – and therefore known to attackers. Establish a firmware update cycle for all network hardware: subscribe to vendor security advisories, test updates in a non-production environment where possible, and deploy security patches within a defined timeframe from release.
For large fleets of cellular routers, remote firmware management via a platform like Teltonika RMS is the only practical approach. Manual firmware updates across hundreds of remote devices are not operationally viable and will inevitably fall behind.
Enable tamper detection and integrity verification
PCI-DSS v4.0.1 Requirement 9.9 requires that payment terminals are protected from tampering and substitution. Physical controls include anti-tamper seals, device serial number verification, and regular visual inspection of terminals by trained staff. Logical controls include firmware integrity verification – automated checks that confirm the firmware running on a device matches an authorised, signed version – and configuration drift detection, which alerts when device configuration changes from its known-good baseline.
Implement logging on all network devices
Every router, switch, and gateway in or adjacent to the payment environment must have logging enabled and logs must be forwarded to a centralised, tamper-evident log management system. Logs must capture: all authentication attempts (successful and failed), configuration changes, connectivity events (link up/down, failover), and any security control failures. Under PCI-DSS v4.0.1, log review must be automated – manual daily log review is not sufficient for environments with significant log volumes.
Restrict management access by source IP
Management interfaces on network hardware should only be accessible from known, authorised IP addresses – ideally the IP range of a jump server or management network, accessed via VPN. A firewall rule allowing management access from any source is not acceptable in a PCI environment. If the management interface cannot be restricted by source IP at the device level, a network-level firewall rule must enforce this restriction upstream.
Questions to Ask Your Providers
Compliance in a distributed payment environment is a shared responsibility across multiple vendors – POS hardware supplier, payment software provider, acquirer, cellular connectivity provider, and managed service provider. Each has a role in the security posture of the overall environment. These are the questions to ask.
Questions for your POS hardware supplier
Ask this
Is this terminal on the PCI SSC list of approved PTS devices, and what is its approval expiry date?
PCI-approved PTS (PIN Transaction Security) devices have been independently tested for hardware security. Approval expires – typically after five years – and devices on an expired approval should not be deployed in new installations. The full list is published at pcisecuritystandards.org.
Ask this
How is firmware delivered and verified on this device?
Firmware updates should be cryptographically signed by the manufacturer and verified on the device before installation. If the vendor cannot explain how firmware integrity is verified, that is a significant gap. Ask also: what is the process for emergency security patches, and what is the typical time from vulnerability disclosure to patch availability?
Ask this
What anti-tamper mechanisms does the device include?
Physical anti-tamper mechanisms – tamper-evident seals, tamper-responsive electronics that wipe sensitive data on unauthorised opening, and visual indicators of tampering – are required for PCI-approved devices. Ask specifically what happens when the device detects tampering: does it lock itself, wipe its keys, generate an alert?
Ask this
What is in the device supply chain between manufacture and delivery to us?
PCI-DSS v4.0.1 places increased emphasis on supply chain security. Understand who has physical access to the device between manufacture and installation. Devices should arrive in sealed, tamper-evident packaging with serial numbers that can be verified against the manufacturer’s records before deployment.
Questions for your cellular connectivity provider
Ask this
Do you offer a private APN with fixed IP addressing for our payment devices?
This is the baseline connectivity architecture for PCI payment environments on cellular. If the answer is no, or if the provider cannot explain clearly how their private APN works, that is a problem. Fixed IP addressing should be standard on a private APN offering for payment use cases.
Ask this
What controls do you have against SIM swapping on our account?
Account takeover via social engineering of MNO customer service teams is a documented attack. Ask what authentication controls are on your account, whether SIM transfers require multi-factor verification, and what the notification process is for any SIM management action on your account.
Ask this
Can you provide per-SIM data usage monitoring and anomaly alerting?
A SIM card transmitting significantly more data than normal, or transmitting to unexpected destinations, is an early indicator of compromise. Your connectivity provider should be able to provide per-SIM usage data and ideally automated alerting when usage deviates from baseline. This maps directly to PCI-DSS v4.0.1 Requirement 10 on monitoring and log review.
Ask this
What network-level traffic controls can you apply to our SIMs?
Beyond private APN, ask whether the provider can apply network-level allowlists – restricting SIM traffic to specific destination IP addresses or ports. A payment SIM that can only communicate with the payment processor endpoint and your management VPN endpoint has a significantly smaller attack surface than one with unrestricted internet access.
Questions for your router and gateway supplier
Ask this
Does this device support VLAN segmentation between payment and non-payment devices?
If payment terminals and other IoT devices share the same gateway hardware, VLAN segmentation is required to maintain PCI isolation. Confirm the device supports 802.1Q VLANs with firewall rules between segments, and ask for configuration documentation showing how to implement this for a mixed payment/non-payment environment.
Ask this
How do you provide centralised remote management across a device fleet, and does it support MFA?
Remote management at scale requires a centralised platform – not individual device logins. Ask how configuration changes are deployed across a fleet, how firmware updates are managed, and critically, whether the management platform supports multi-factor authentication for all user accounts. PCI-DSS v4.0.1 requires MFA for all access to systems in or adjacent to the cardholder data environment.
Ask this
What is your vulnerability disclosure and patch release process?
Responsible vendors publish security advisories when vulnerabilities are discovered in their products and release patches in a timely manner. Ask for examples of recent security advisories and the time between disclosure and patch availability. A vendor who cannot point to a clear security advisory history is a vendor who may not be disclosing vulnerabilities promptly.
Questions for your acquirer or payment software provider
Ask this
What is your scope under PCI-DSS and how does that interact with ours?
Understanding where your acquirer’s PCI responsibility ends and yours begins is fundamental to avoiding gaps in compliance coverage. Ask for their current Attestation of Compliance (AoC) and confirm which services are covered. Services not covered by their AoC fall within your own PCI scope.
Ask this
How do you support incident response if we suspect a payment security breach?
Know the incident response process before you need it. Who do you call? What is the expected response time? What forensic support do they provide? What are the notification timelines to the card schemes? Having this documented and tested before an incident is a PCI-DSS requirement and genuinely useful when a breach occurs at 2am on a Saturday.
Sensible Security for All Connected Devices: Beyond PCI Scope
PCI-DSS scope covers a defined subset of your connected infrastructure – the devices that store, process, or transmit cardholder data, and the network infrastructure that connects them. But the attack vectors described above do not respect PCI scope boundaries. A poorly secured CCTV camera or environmental sensor can be the entry point for a breach that ultimately reaches your payment environment.
The security principles below apply to every connected device in your organisation – not just those in PCI scope.
Maintain a complete device inventory
You cannot secure what you do not know you have. Every connected device – router, gateway, sensor, camera, terminal, building management controller, smart display – should be in a documented inventory with its network address, firmware version, last update date, owner, and physical location. The inventory needs to be maintained actively: devices added without being inventoried are the ones that create security gaps.
Automated network discovery tools can help maintain inventory accuracy, but they need to be run against all network segments – including the cellular-connected segments that may not be visible to a LAN-based discovery tool.
Segment networks by function and risk
Not all IoT devices need to communicate with each other. A temperature sensor does not need network access to your payment terminal. A guest Wi-Fi network does not need access to your operational IoT network. Segment your network by function and apply firewall rules that permit only the specific traffic each segment legitimately requires. The default rule should be deny-all; permitted traffic is explicitly allowed.
In practice, a well-segmented small business or multi-site retail network might have: a payment segment (PCI scope, restricted access), an operational IoT segment (CCTV, access control, environmental monitoring), a staff network (computers, printers, phones), and a guest network (public Wi-Fi, isolated from everything else). None of these should have unrestricted access to any other.
Change default credentials on everything
The single most exploited vulnerability in IoT security is default credentials. Manufacturers ship devices with documented default usernames and passwords because it simplifies initial setup. Every device that retains its default credentials is a device that can be compromised in seconds by anyone who can reach its management interface. This applies to every device without exception – routers, cameras, sensors, printers, smart displays, access controllers. If a device does not support credential changes, it should not be deployed on a network that connects to anything sensitive.
Keep firmware and software current
Vulnerabilities in IoT device firmware are discovered regularly. Most IoT security incidents involving exploitation of known vulnerabilities could have been prevented by applying available patches. Subscribe to security advisories from every vendor whose equipment you operate. Define a maximum time from advisory publication to patch deployment – 30 days for critical vulnerabilities is a reasonable baseline. For devices that cannot be updated remotely, include firmware verification in your physical maintenance schedule.
Disable remote management interfaces you are not actively using
A device with its management interface disabled cannot be remotely compromised through that interface. If you are not actively using remote web management on a device, disable it. Where remote management is required, restrict it to VPN access from known IP addresses. Remote management interfaces exposed directly to the internet – even on ports other than 80 and 443 – are routinely discovered and attacked by automated scanning tools.
Monitor connectivity and behaviour baselines
Establish what normal looks like for each device and each network segment: typical data volumes, connection destinations, active hours, and configuration state. Deviations from baseline – a sensor suddenly transmitting ten times its normal data volume, a router establishing connections to an unexpected IP address, a device active outside its normal operational window – are indicators of potential compromise that should trigger investigation.
For cellular-connected devices, per-SIM usage monitoring from your connectivity provider gives you the data needed to detect anomalous behaviour at the network level. For LAN-connected devices, network monitoring tools providing flow analysis and anomaly detection serve the same purpose.
Have and test an incident response plan
When a security incident occurs, the decisions that matter most are made in the first hour. Who is notified? Who has authority to isolate a network segment? Who contacts the payment processor? Who engages external forensic support? Who handles communications to customers, regulators, and card schemes? These decisions should be documented, assigned, and rehearsed before an incident occurs – not worked out under pressure while an active breach is in progress.
Test your incident response plan at least annually with a tabletop exercise. Walk through realistic scenarios: a payment terminal that has been tampered with, a router with an unknown configuration change, a SIM transmitting data to an unexpected destination. Identify the gaps in your response process before an attacker finds them for you.
Maintaining Business as Normal: Continuity Under Security Controls
Security controls and operational continuity are not inherently in conflict, but poorly implemented security can create operational disruption that undermines adoption and maintenance of those controls. The goal is a security architecture that is operationally transparent in normal operation and provides clear, fast response paths when something goes wrong.
Design for graceful degradation
If your primary connectivity fails, your payment environment should have a defined, secure fallback mode. Dual-SIM cellular routers with automatic failover maintain connectivity through single-MNO outages without any operational disruption. If all cellular connectivity fails, define what happens: does the terminal queue transactions for later submission, switch to a backup fixed broadband connection, or suspend card acceptance and switch to alternative payment methods? The answer should be documented and tested, not discovered during an actual outage.
Remote management reduces response time
A centralised remote management platform – covering all routers, gateways, and network devices – means that a configuration issue at a remote site can be diagnosed and resolved without dispatching an engineer. For a multi-site payment environment, this is the difference between a 20-minute remote fix and a four-hour site visit. Platforms like Teltonika RMS provide the remote CLI access, configuration management, and health monitoring needed for this capability across a fleet of cellular routers.
Security events should not require physical response as the first step
If a security event – a failed authentication attempt, a configuration change alert, a connectivity anomaly – requires an engineer to visit the site to investigate, your response time is measured in hours or days. Logging and monitoring infrastructure should provide enough remote visibility to triage security events and determine whether physical response is actually needed. In most cases, remote investigation and remediation should be possible for the common security event types.
Staff training is a security control
The human layer is part of the security architecture. Staff who handle payment terminals need to know what tampered devices look like and what to do if they suspect one. Staff who receive calls from people claiming to be from the payment provider or IT support need to know that legitimate providers do not ask for credentials over the phone. PCI-DSS v4.0.1 requires security awareness training for all personnel, including role-specific training for those with payment security responsibilities. This is not a compliance checkbox – it is one of the most cost-effective security controls available.
Frequently Asked Questions
What is PCI-DSS v4.0.1?
PCI-DSS v4.0.1 is the current version of the Payment Card Industry Data Security Standard, the global framework governing security requirements for organisations that handle cardholder data. It replaced v3.2.1 in 2022 and became fully mandatory on 31 March 2025. Key changes include a shift from periodic compliance to continuous security monitoring, new requirements for multi-factor authentication, and explicit requirements for protection against IoT and connected device attack vectors.
Does PCI-DSS apply to IoT devices?
PCI-DSS applies to any system component that stores, processes, or transmits cardholder data, and to the network infrastructure that connects those components. IoT devices in or adjacent to a payment environment – cellular routers, gateways, and any device on the same network segment as payment terminals – fall within PCI scope and must meet the relevant requirements. Non-payment IoT devices on poorly segmented networks can also create compliance risk by providing lateral movement paths toward the payment environment.
What is a private APN and why is it relevant to PCI-DSS?
A private APN is a dedicated mobile network path for IoT devices, separate from the public internet. For payment environments, it ensures that payment traffic never traverses the public internet, that devices are not publicly discoverable or addressable, and that network-level device authentication can be enforced. It significantly reduces the attack surface for man-in-the-middle attacks and unauthorised remote access – both relevant to PCI-DSS network security requirements.
What is the biggest IoT security risk for payment environments?
The most common attack pattern in documented payment breaches is lateral movement from a compromised non-payment IoT device on the same network to the payment environment. Inadequate network segmentation – where payment terminals and other connected devices share unrestricted network access – is the enabling condition. This is why PCI-DSS requires validated network segmentation and why that segmentation must include all IoT devices on the network, not just those directly handling payment data.
How often does PCI-DSS v4.0.1 require security testing?
PCI-DSS v4.0.1 requires penetration testing at least annually and after any significant changes to the network or system components. Network segmentation controls must be tested at least every six months. Vulnerability scanning of internal and external infrastructure must be performed quarterly. Automated log review and security monitoring is required continuously – not just at assessment time.
What should small businesses do to achieve PCI-DSS compliance for IoT payment devices?
For small businesses using hosted payment solutions, the scope can be significantly reduced by using a PCI-validated point-to-point encryption (P2PE) solution – where card data is encrypted at the terminal before it enters your network. With P2PE, the network environment around the terminal may be de-scoped from PCI assessment. Beyond P2PE, the baseline requirements are: network segmentation between payment and non-payment devices, changed default credentials on all network hardware, firmware kept current, logging enabled, and staff trained to recognise terminal tampering. A Qualified Security Assessor (QSA) can help define the correct scope for your specific environment.