PCI-DSS 4.0 and the Tokenization Opportunity
PCI-DSS version 4.0 was published in March 2022. Version 3.2.1 was retired at the end of March 2024, and the remaining future-dated requirements of 4.0 became mandatory on 31 March 2025, giving merchants, payment processors, and service providers a three-year window to meet the new standard's enhanced requirements. That compliance window is a product window for tokenization infrastructure companies whose architecture maps directly to the standard's scope-reduction framework.
The core mechanism is straightforward. PCI-DSS applies to any entity that stores, processes, or transmits payment card data, and its 12 requirements, governing network security, data protection, vulnerability management, access controls, monitoring, and information security policy, apply in full to every system in scope. Tokenization shrinks that set of systems by replacing primary account numbers (PANs) with tokens that carry no card data, so the services that handle transaction logic, order history, fraud rules, and customer support see only tokens. The PANs live in a vault that remains fully in scope, but the vault is a small, purpose-built component rather than the whole platform. Two conditions make this hold up in an assessment: the token must not be derivable from the PAN without access to the vault (an unkeyed hash of the PAN is not a token, because the PAN space is small enough to enumerate), and any system that can exchange a token for a PAN is itself in scope, so detokenization must be restricted to the payment-processing path.
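The following is an added illustration of that mechanism, not Basis Theory's code or API. It is a toy in-memory vault: the vault is the only component that holds a PAN, the merchant's order service stores a random token plus display fields, and detokenization is a separate call that only the in-scope processing path should be able to reach. It also shows why an unkeyed hash fails the "not derivable" condition: given a public 8-digit BIN and the last four digits printed on a receipt, a 16-digit PAN has at most 10,000 candidates, and the Luhn check digit prunes most of those. The PANs used are constructed well-known test numbers; the `tok_` prefix, the 8-digit BIN assumption, and the function names are all choices made for this example.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Assumed PAN shape: 13 to 19 digits (ISO/IEC 7812) with a valid Luhn check digit.
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects typos before anything reaches the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def unkeyed_hash(pan: str) -> str:
    """The home-grown 'token' some systems use: SHA-256 of the PAN with no secret."""
    return hashlib.sha256(pan.encode()).hexdigest()


class TokenVault:
    """Toy vault: the only component in this example that ever holds a PAN."""

    def __init__(self) -> None:
        self._pan_by_token: dict = {}
        self._token_by_fp: dict = {}
        # Keyed fingerprint used only to de-duplicate inside the vault. The key never
        # leaves the vault, so nothing outside it can recompute the fingerprint.
        self._fp_key = secrets.token_bytes(32)

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._fp_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> dict:
        """Return a token plus the display fields a merchant may keep outside the vault."""
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        fp = self._fingerprint(pan)
        token = self._token_by_fp.get(fp)
        if token is None:
            # Random token: no mathematical relationship to the PAN, so it cannot be
            # inverted without the vault. Re-tokenizing the same PAN reuses the token.
            token = "tok_" + secrets.token_urlsafe(24)
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        return {"token": token, "bin": pan[:8], "last4": pan[-4:]}

    def detokenize(self, token: str) -> str:
        """Only the payment-processing path, which stays in PCI scope, should call this."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the out-of-scope order service persists: token and display data, never the PAN."""
    t = vault.tokenize(pan)
    return {"token": t["token"], "last4": t["last4"], "amount_cents": amount_cents}


def recover_pan_from_hash(digest_hex: str, bin8: str, last4: str) -> Optional[str]:
    """Invert an unkeyed hash 'token' for a 16-digit PAN given the BIN and last four.

    Assumes an 8-digit BIN (the post-2022 ISO/IEC 7812 length). Only the four middle
    digits are unknown, and Luhn filters roughly nine in ten candidates before hashing.
    """
    for middle in range(10_000):
        candidate = f"{bin8}{middle:04d}{last4}"
        if not luhn_valid(candidate):
            continue
        if unkeyed_hash(candidate) == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # constructed input: a widely used Visa test PAN
    rec = merchant_record(vault, test_pan, 4999)
    assert test_pan not in repr(rec)  # the order service never sees card data
    assert vault.detokenize(rec["token"]) == test_pan
    # The hash-as-token shortcut is reversible from data printed on a receipt:
    print(recover_pan_from_hash(unkeyed_hash(test_pan), test_pan[:8], test_pan[-4:]))
```

In a real deployment the vault's `detokenize` sits behind separate authentication and network controls from `tokenize`, since every caller that can reach it is pulled back into scope; the point of the example is that the order service's record contains nothing an assessor would classify as cardholder data, while the hashed variant does.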
PCI-DSS 4.0 tightened several requirements in ways that favor well-architected tokenization products: authenticated internal vulnerability scanning, multi-factor authentication for all access into the cardholder data environment rather than only for administrators and remote users, and a new customized approach that lets an entity meet a requirement's stated objective with controls of its own design (distinct from the compensating controls that remain available for documented constraints). Each of these is easier to satisfy when the cardholder data environment is a single vault than when it spans a whole platform, which favors vendors whose tokenization architecture was built against these requirements from the outset.
The opportunity is substantial. Global card transaction volume continues to grow, and the fintech and embedded finance segment — where Northbarn has concentrated several investments — generates a disproportionate share of new merchant and processor relationships that need PCI compliance. Companies that are entering the payments infrastructure space for the first time do not have legacy systems that predate tokenization. They can build PCI-DSS-compliant architecture from the start, which means they are motivated buyers of developer-first tokenization infrastructure that removes compliance scope from their platforms.
Our investment in Basis Theory reflects this thesis directly. A developer-first tokenization vault that integrates via API and takes most of a fintech's platform out of PCI scope, leaving only the vault integration and the payment-processing path to be assessed, is solving a problem that every payments company building on modern infrastructure needs to solve. The compliance mandate creates the market. The quality of the tokenization architecture determines who wins it.