PCI-DSS 4.0 and AI Payment Agents: Protecting Cardholder Data in Automated Pipelines
· 4 min read
PCI-DSS 4.0 became the mandatory standard on March 31, 2024. Version 3.2.1 is retired. Among the significant changes in v4.0: expanded requirements for automated and AI-driven systems operating within or adjacent to the Cardholder Data Environment (CDE).
If your AI agent handles, routes, processes, or queries payment card data — primary account numbers (PANs), CVVs, cardholder names, expiration dates — PCI-DSS 4.0 applies to both the agent and its infrastructure.