Overview
PCI DSS v4.0 is the latest version of the Payment Card Industry Data Security Standard, released in March 2022 with full enforcement beginning March 31, 2025. It replaces PCI DSS v3.2.1 and introduces significant changes including a customized approach for meeting requirements, expanded multi-factor authentication mandates, and enhanced requirements for e-commerce security. PCI DSS applies to all entities that store, process, or transmit cardholder data, as well as entities that can impact the security of cardholder data environments.
The 12 PCI DSS Requirements
| Requirement | Category | Description |
|---|---|---|
| 1. Network Security Controls | Build and Maintain a Secure Network | Install and maintain network security controls to protect cardholder data |
| 2. Secure Configurations | Build and Maintain a Secure Network | Apply secure configurations to all system components |
| 3. Protect Stored Account Data | Protect Account Data | Protect stored account data with encryption, truncation, or hashing |
| 4. Encrypt Transmissions | Protect Account Data | Protect cardholder data with strong cryptography during transmission over open public networks |
| 5. Anti-Malware | Maintain a Vulnerability Management Program | Protect all systems and networks from malicious software |
| 6. Secure Development | Maintain a Vulnerability Management Program | Develop and maintain secure systems and software |
| 7. Access Control | Implement Access Control | Restrict access to cardholder data by business need to know |
| 8. User Identification | Implement Access Control | Identify users and authenticate access to system components |
| 9. Physical Access | Implement Access Control | Restrict physical access to cardholder data |
| 10. Logging and Monitoring | Monitor and Test Networks | Log and monitor all access to system components and cardholder data |
| 11. Security Testing | Monitor and Test Networks | Test security of systems and networks regularly |
| 12. Security Policies | Maintain Security Policy | Support information security with organizational policies and programs |
Key Changes in v4.0
PCI DSS v4.0 introduces several significant changes from v3.2.1:
- Customized Approach: Organizations can now meet objectives through custom controls rather than only following the defined approach, with validation through a qualified assessor
- Expanded MFA: Multi-factor authentication is now required for all access to the cardholder data environment, not just remote access
- Targeted Risk Analysis: Organizations must perform targeted risk analyses to determine frequency for certain activities rather than relying on fixed timeframes
- Authenticated Vulnerability Scanning: Internal vulnerability scans must use authenticated scanning
- E-commerce Protections: New requirements for payment page scripts and headers to prevent skimming attacks
- Encryption Updates: Updated cryptographic requirements reflecting current best practices
- Security Awareness: Enhanced security awareness training requirements including phishing simulation
Implementation Checklist
- Define and document the cardholder data environment (CDE) scope with data flow diagrams
- Conduct a gap assessment between current controls and PCI DSS v4.0 requirements
- Implement network segmentation to minimize the CDE scope
- Deploy MFA for all access into the cardholder data environment
- Implement strong cryptography for data at rest and in transit, including TLS 1.2 or higher
- Deploy anti-malware solutions on all systems with automated updates and logging
- Establish a formal vulnerability management program with authenticated internal scanning
- Implement file integrity monitoring for critical system files and payment page content
- Deploy automated audit log review mechanisms for security-relevant events
- Conduct penetration testing at least annually and after significant infrastructure changes
- Develop and maintain an incident response plan with annual testing
- Document all security policies and procedures with annual review cycles
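The payment page script and header protections listed under the key changes, together with the file integrity monitoring item in the checklist above, as an added example (not code from this page or from the PCI SSC): a Python check that compares a served checkout page against an authorized script inventory and flags injected or altered scripts, unpinned external scripts, and a missing Content-Security-Policy header. The host names, the inventory format and the sample pages are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collects every <script> on a page: its attributes and any inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = {"attrs": dict(attrs), "body": ""}
    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data  # a body may arrive in several chunks
    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None

def audit_payment_page(html, headers, authorized_srcs, authorized_inline_hashes):
    """Return findings where the served page deviates from the authorized baseline."""
    findings = []
    if "content-security-policy" not in {k.lower() for k in headers}:
        findings.append("missing Content-Security-Policy header")
    parser = ScriptCollector()
    parser.feed(html)
    for s in parser.scripts:
        src = s["attrs"].get("src")
        if src is None:  # inline script: its body hash must be in the baseline
            digest = hashlib.sha256(s["body"].strip().encode()).hexdigest()
            if digest not in authorized_inline_hashes:
                findings.append(f"inline script not in baseline (sha256 {digest[:12]}...)")
        elif src not in authorized_srcs:
            findings.append(f"unauthorized external script: {src}")
        elif "integrity" not in s["attrs"]:  # authorized, but no SRI hash pins its content
            findings.append(f"authorized script lacks integrity attribute: {src}")
    return findings

# Constructed baseline: one authorized hosted script plus one inline config snippet.
BASELINE_INLINE = "window.checkoutConfig = {currency: 'USD'};"
AUTHORIZED_SRCS = {"https://pay.example.test/checkout.js"}
AUTHORIZED_INLINE = {hashlib.sha256(BASELINE_INLINE.encode()).hexdigest()}
GOOD_HEADERS = {"Content-Security-Policy": "script-src 'self' https://pay.example.test"}
GOOD_PAGE = ('<html><head><script src="https://pay.example.test/checkout.js" '
             f'integrity="sha384-PLACEHOLDER"></script><script>{BASELINE_INLINE}</script>'
             "</head><body></body></html>")
# Constructed tampered page: an unknown script tag injected and the inline config altered.
BAD_PAGE = GOOD_PAGE.replace("</head>", '<script src="https://cdn.example.test/x.js">'
                             "</script></head>").replace("'USD'", "'EUR'")
```

Running the check on each deployed page and on a periodic fetch of the live page gives the change alerts the integrity monitoring item calls for; the inventory itself should be maintained and approved through the organization's change process.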
Validation Methods
| Method | Applicable To | Process |
|---|---|---|
| Self-Assessment Questionnaire (SAQ) | Eligible merchants and service providers | Complete the appropriate SAQ and submit an Attestation of Compliance (AOC) |
| Report on Compliance (ROC) | Level 1 merchants and all service providers | On-site assessment by a Qualified Security Assessor (QSA) resulting in a detailed report |
| Qualified Security Assessor | All entities seeking validation | Independent assessment firm approved by the PCI SSC to conduct PCI DSS assessments |
| Internal Security Assessor | Organizations with qualified internal staff | Trained and certified internal personnel who can conduct assessments for their organization |
Penalties and Consequences
PCI DSS compliance is contractually enforced through payment brand agreements. Non-compliance can result in monthly fines ranging from $5,000 to $100,000 imposed by acquiring banks, increased transaction fees, restrictions on card processing, and termination of the merchant agreement. In the event of a data breach, a non-compliant organization faces forensic investigation costs, card reissuance costs, fraud losses, and potential litigation. Breach costs for PCI non-compliant organizations are significantly higher than for compliant organizations.
Frequently Asked Questions
When does PCI DSS v4.0 become mandatory?
What is the customized approach?
Which SAQ should we use?
How do the new e-commerce requirements affect us?
Does PCI DSS apply to tokenized data?