by SigmaSRC Team
PCI DSS 4.0 Changes Explained: What You Need to Know
PCI DSS 4.0 represents the most significant update to payment card security standards in years. This guide explains the key changes, new requirements, and how to prepare for the transition.
What is PCI DSS 4.0?
PCI DSS (Payment Card Industry Data Security Standard) version 4.0 is the latest iteration of the global security standard for organizations that handle cardholder data. Released in March 2022, it replaces version 3.2.1 and introduces significant changes to improve payment security.
Key Objectives of v4.0
- Continue meeting security needs - Address emerging threats
- Promote security as continuous process - Move beyond point-in-time compliance
- Add flexibility - Allow customized approaches to meeting requirements
- Enhance validation methods - Improve assessment procedures
Timeline for PCI DSS 4.0
| Date |
Milestone |
| March 2022 |
PCI DSS 4.0 released |
| March 2024 |
PCI DSS 3.2.1 retired |
| March 2025 |
Future-dated requirements become mandatory |
Important: All organizations must be compliant with PCI DSS 4.0 now, and must implement future-dated requirements by March 2025.
Major Changes in PCI DSS 4.0
1. Customized Approach
PCI DSS 4.0 introduces the Customized Approach as an alternative to the traditional Defined Approach.
Defined Approach:
- Prescriptive requirements
- Specific controls defined
- Traditional compliance method
Customized Approach:
- Objective-based requirements
- Flexibility in implementation
- Must achieve the same security objective
- Requires more documentation and testing
Organizations can choose which approach to use for each requirement.
2. Targeted Risk Analysis
Many requirements now require organizations to perform targeted risk analyses to determine:
- Frequency of certain activities
- Strength of certain controls
- Applicability of certain requirements
This replaces some previously prescriptive frequencies with risk-based determinations.
3. Authentication Enhancements
Multi-Factor Authentication (MFA):
- Required for all access to the cardholder data environment (CDE)
- Not just remote access anymore
- Applies to administrators and users
Password Requirements:
- Minimum 12 characters (or 8 characters if system doesn't support 12)
- Increased complexity requirements
- More frequent password changes for certain scenarios
4. Encryption Updates
Disk-Level Encryption:
- No longer acceptable as sole encryption for cardholder data
- Must use additional encryption mechanisms
- Applies to all stored cardholder data
Cryptography Requirements:
- Inventory of cryptographic algorithms
- Migration plans for deprecated algorithms
- Stronger key management requirements
5. E-commerce and Browser Security
New requirements for e-commerce environments:
- Requirement 6.4.3 - Management of payment page scripts
- Requirement 11.6.1 - Change and tamper detection for payment pages
- Protection against Magecart-style attacks
- Script inventory and authorization
- Integrity monitoring
6. Enhanced Logging and Monitoring
Automated Log Review:
- Requirement for automated mechanisms
- Review of all security events
- Not just anomaly detection
Detection of Payment Page Changes:
- Monitoring for unauthorized modifications
- Alerting on suspicious activity
7. Security Awareness Program Updates
Enhanced training requirements:
- Phishing awareness training specifically required
- Social engineering awareness
- Training on new threats
8. Incident Response Enhancements
- Incident response testing requirements
- Forensic investigation procedures
- Evidence preservation requirements
New Requirements Summary
Immediate Requirements (March 2024)
These requirements are effective now:
| Requirement |
Description |
| 3.4.2 |
Technical controls to prevent copy/relocation of PAN when remote access |
| 5.4.1 |
Automated mechanisms to detect and protect against phishing |
| 6.3.2 |
Inventory of custom and third-party software |
| 7.2.4 |
Review user accounts and access privileges at least every six months |
| 8.3.6 |
Minimum password complexity (12+ characters) |
| 8.4.2 |
MFA for all CDE access (not just remote) |
| 10.4.2.1 |
Automated mechanisms for audit log review |
| 11.3.1.1 |
Manage internal vulnerability scans |
| 12.3.1 |
Targeted risk analysis documentation |
Future-Dated Requirements (March 2025)
These become mandatory in March 2025:
| Requirement |
Description |
| 3.5.1.2 |
Disk-level encryption no longer meets requirement alone |
| 4.2.1 |
Strong cryptography for PAN transmission |
| 5.2.3.1 |
Automated mechanisms for malware solution updates |
| 5.3.2.1 |
Automated mechanisms for anti-malware scans |
| 6.4.2 |
Automated technical solution for web application protection |
| 6.4.3 |
Payment page script management |
| 8.4.3 |
MFA for all administrative access |
| 8.6.3 |
Password/passphrase requirements for service provider accounts |
| 10.7.2 |
Security control failure detection and alerting |
| 11.5.1.1 |
Intrusion detection for covert communication channels |
| 11.6.1 |
Change and tamper detection for payment pages |
| 12.6.2 |
Security awareness training updates |
Key Requirement Changes by Section
Requirement 1: Network Security Controls
What Changed:
- Renamed from "Firewall" to "Network Security Controls"
- Broader scope including cloud and software-defined networks
- Enhanced documentation requirements
Requirement 2: Secure Configurations
What Changed:
- Applies to all system components
- Vendor default accounts management
- Configuration standards documentation
Requirement 3: Protect Stored Account Data
What Changed:
- Disk-level encryption changes
- Hash function requirements
- Data retention policy enforcement
Requirement 4: Protect Data in Transit
What Changed:
- Strong cryptography requirements
- Certificate inventory
- End-to-end encryption considerations
Requirement 5: Malware Protection
What Changed:
- Renamed from "Antivirus"
- Phishing protection requirements
- Automated update mechanisms
Requirement 6: Secure Development
What Changed:
- Software inventory requirements
- Payment page script management
- Enhanced web application security
Requirement 7: Access Control
What Changed:
- Access reviews every six months
- Enhanced documentation
- Privilege escalation controls
Requirement 8: User Identification
What Changed:
- MFA everywhere in CDE
- Password length increases
- Service account management
Requirement 9: Physical Access
What Changed:
- POI device inspection
- Visitor management enhancements
- Media destruction procedures
Requirement 10: Logging and Monitoring
What Changed:
- Automated log review
- Enhanced time synchronization
- Security event detection
Requirement 11: Security Testing
What Changed:
- Internal scan management
- Change detection for payment pages
- Enhanced penetration testing
Requirement 12: Policies and Programs
What Changed:
- Targeted risk analysis requirements
- Enhanced security awareness
- Incident response enhancements
Preparing for PCI DSS 4.0
Step 1: Gap Assessment
Compare current controls to v4.0 requirements:
- Identify gaps against new requirements
- Prioritize based on implementation effort
- Focus on future-dated requirements timeline
Step 2: Update Policies
Review and update documentation:
- Revise security policies
- Update procedures
- Create new required documentation
Step 3: Technical Implementation
Address technical requirements:
- MFA expansion
- Encryption updates
- Script management for e-commerce
- Log review automation
Step 4: Training Updates
Enhance security awareness:
- Phishing training
- Updated policy training
- Role-specific training
Step 5: Assessment Preparation
Prepare for v4.0 assessments:
- Engage with QSA early
- Understand customized approach option
- Gather evidence for new requirements
Common Challenges
MFA Expansion
Implementing MFA for all CDE access, not just remote, requires significant planning and user communication.
E-commerce Script Management
Managing and monitoring payment page scripts (Requirement 6.4.3) requires new tools and processes.
Targeted Risk Analysis
Documentation requirements for risk-based decisions are more rigorous.
Encryption Updates
Moving away from disk-level encryption as sole protection requires architecture changes.
How SigmaSRC Helps
SigmaSRC supports PCI DSS 4.0 compliance with:
- Updated Control Mapping - All v4.0 requirements mapped
- Gap Assessment - Identify v4.0 compliance gaps
- Continuous Monitoring - Real-time compliance tracking
- Evidence Collection - Automated audit evidence
- Future-Dated Tracking - Monitor March 2025 deadlines
Related Resources