From Tasks to Oversight: Making PCI DSS 12.4.2 Work for You

PCI DSS version 4.0 was released in March 2022 and significantly expanded the standard, from 370 to over 500 individual requirements, including a number aimed specifically at service providers. One of these was requirement 12.4.2, which became mandatory for service providers on 31 March 2025.

Nearly a year on, this requirement continues to present a challenge for many organisations in practice. While the intent is clear, many service providers find the transition from performing security tasks to demonstrating consistent oversight and governance more difficult to implement than expected. This theme is seen across service provider environments of varying size and complexity…
