by SigmaSRC Team

PCI DSS 4.0 Changes Explained: What You Need to Know

PCI DSS 4.0 represents the most significant update to payment card security standards in years. This guide explains the key changes, new requirements, and how to prepare for the transition.


What is PCI DSS 4.0?

PCI DSS (Payment Card Industry Data Security Standard) version 4.0 is the latest iteration of the global security standard for organizations that handle cardholder data. Released in March 2022, it replaces version 3.2.1 and introduces significant changes to improve payment security.

Key Objectives of v4.0

  1. Continue meeting security needs - Address emerging threats
  2. Promote security as continuous process - Move beyond point-in-time compliance
  3. Add flexibility - Allow customized approaches to meeting requirements
  4. Enhance validation methods - Improve assessment procedures

Timeline for PCI DSS 4.0

Date Milestone
March 2022 PCI DSS 4.0 released
March 2024 PCI DSS 3.2.1 retired
March 2025 Future-dated requirements become mandatory

Important: All organizations must be compliant with PCI DSS 4.0 now, and must implement future-dated requirements by March 2025.


Major Changes in PCI DSS 4.0

1. Customized Approach

PCI DSS 4.0 introduces the Customized Approach as an alternative to the traditional Defined Approach.

Defined Approach:

  • Prescriptive requirements
  • Specific controls defined
  • Traditional compliance method

Customized Approach:

  • Objective-based requirements
  • Flexibility in implementation
  • Must achieve the same security objective
  • Requires more documentation and testing

Organizations can choose which approach to use for each requirement.

2. Targeted Risk Analysis

Many requirements now require organizations to perform targeted risk analyses to determine:

  • Frequency of certain activities
  • Strength of certain controls
  • Applicability of certain requirements

This replaces some previously prescriptive frequencies with risk-based determinations.

3. Authentication Enhancements

Multi-Factor Authentication (MFA):

  • Required for all access to the cardholder data environment (CDE)
  • Not just remote access anymore
  • Applies to administrators and users

Password Requirements:

  • Minimum 12 characters (or 8 characters if system doesn't support 12)
  • Increased complexity requirements
  • More frequent password changes for certain scenarios

4. Encryption Updates

Disk-Level Encryption:

  • No longer acceptable as sole encryption for cardholder data
  • Must use additional encryption mechanisms
  • Applies to all stored cardholder data

Cryptography Requirements:

  • Inventory of cryptographic algorithms
  • Migration plans for deprecated algorithms
  • Stronger key management requirements

5. E-commerce and Browser Security

New requirements for e-commerce environments:

  • Requirement 6.4.3 - Management of payment page scripts
  • Requirement 11.6.1 - Change and tamper detection for payment pages
  • Protection against Magecart-style attacks
  • Script inventory and authorization
  • Integrity monitoring

6. Enhanced Logging and Monitoring

Automated Log Review:

  • Requirement for automated mechanisms
  • Review of all security events
  • Not just anomaly detection

Detection of Payment Page Changes:

  • Monitoring for unauthorized modifications
  • Alerting on suspicious activity

7. Security Awareness Program Updates

Enhanced training requirements:

  • Phishing awareness training specifically required
  • Social engineering awareness
  • Training on new threats

8. Incident Response Enhancements

  • Incident response testing requirements
  • Forensic investigation procedures
  • Evidence preservation requirements

New Requirements Summary

Immediate Requirements (March 2024)

These requirements are effective now:

Requirement Description
3.4.2 Technical controls to prevent copy/relocation of PAN when remote access
5.4.1 Automated mechanisms to detect and protect against phishing
6.3.2 Inventory of custom and third-party software
7.2.4 Review user accounts and access privileges at least every six months
8.3.6 Minimum password complexity (12+ characters)
8.4.2 MFA for all CDE access (not just remote)
10.4.2.1 Automated mechanisms for audit log review
11.3.1.1 Manage internal vulnerability scans
12.3.1 Targeted risk analysis documentation

Future-Dated Requirements (March 2025)

These become mandatory in March 2025:

Requirement Description
3.5.1.2 Disk-level encryption no longer meets requirement alone
4.2.1 Strong cryptography for PAN transmission
5.2.3.1 Automated mechanisms for malware solution updates
5.3.2.1 Automated mechanisms for anti-malware scans
6.4.2 Automated technical solution for web application protection
6.4.3 Payment page script management
8.4.3 MFA for all administrative access
8.6.3 Password/passphrase requirements for service provider accounts
10.7.2 Security control failure detection and alerting
11.5.1.1 Intrusion detection for covert communication channels
11.6.1 Change and tamper detection for payment pages
12.6.2 Security awareness training updates

Key Requirement Changes by Section

Requirement 1: Network Security Controls

What Changed:

  • Renamed from "Firewall" to "Network Security Controls"
  • Broader scope including cloud and software-defined networks
  • Enhanced documentation requirements

Requirement 2: Secure Configurations

What Changed:

  • Applies to all system components
  • Vendor default accounts management
  • Configuration standards documentation

Requirement 3: Protect Stored Account Data

What Changed:

  • Disk-level encryption changes
  • Hash function requirements
  • Data retention policy enforcement

Requirement 4: Protect Data in Transit

What Changed:

  • Strong cryptography requirements
  • Certificate inventory
  • End-to-end encryption considerations

Requirement 5: Malware Protection

What Changed:

  • Renamed from "Antivirus"
  • Phishing protection requirements
  • Automated update mechanisms

Requirement 6: Secure Development

What Changed:

  • Software inventory requirements
  • Payment page script management
  • Enhanced web application security

Requirement 7: Access Control

What Changed:

  • Access reviews every six months
  • Enhanced documentation
  • Privilege escalation controls

Requirement 8: User Identification

What Changed:

  • MFA everywhere in CDE
  • Password length increases
  • Service account management

Requirement 9: Physical Access

What Changed:

  • POI device inspection
  • Visitor management enhancements
  • Media destruction procedures

Requirement 10: Logging and Monitoring

What Changed:

  • Automated log review
  • Enhanced time synchronization
  • Security event detection

Requirement 11: Security Testing

What Changed:

  • Internal scan management
  • Change detection for payment pages
  • Enhanced penetration testing

Requirement 12: Policies and Programs

What Changed:

  • Targeted risk analysis requirements
  • Enhanced security awareness
  • Incident response enhancements

Preparing for PCI DSS 4.0

Step 1: Gap Assessment

Compare current controls to v4.0 requirements:

  • Identify gaps against new requirements
  • Prioritize based on implementation effort
  • Focus on future-dated requirements timeline

Step 2: Update Policies

Review and update documentation:

  • Revise security policies
  • Update procedures
  • Create new required documentation

Step 3: Technical Implementation

Address technical requirements:

  • MFA expansion
  • Encryption updates
  • Script management for e-commerce
  • Log review automation

Step 4: Training Updates

Enhance security awareness:

  • Phishing training
  • Updated policy training
  • Role-specific training

Step 5: Assessment Preparation

Prepare for v4.0 assessments:

  • Engage with QSA early
  • Understand customized approach option
  • Gather evidence for new requirements

Common Challenges

MFA Expansion

Implementing MFA for all CDE access, not just remote, requires significant planning and user communication.

E-commerce Script Management

Managing and monitoring payment page scripts (Requirement 6.4.3) requires new tools and processes.

Targeted Risk Analysis

Documentation requirements for risk-based decisions are more rigorous.

Encryption Updates

Moving away from disk-level encryption as sole protection requires architecture changes.


How SigmaSRC Helps

SigmaSRC supports PCI DSS 4.0 compliance with:

  • Updated Control Mapping - All v4.0 requirements mapped
  • Gap Assessment - Identify v4.0 compliance gaps
  • Continuous Monitoring - Real-time compliance tracking
  • Evidence Collection - Automated audit evidence
  • Future-Dated Tracking - Monitor March 2025 deadlines

Related Resources

Previous Post Next Post