AuditXYZ

Lesson 5 of 5

PCI DSS v4.0: What Changed and How to Prepare

PCI DSS v4.0

PCI DSS v4.0 is the most significant update to the standard since its creation. Released in March 2022, it introduces a customized approach to compliance, new security requirements, and enhanced authentication standards. PCI DSS v3.2.1 was retired on March 31, 2024, and all assessments must now use v4.0.

The Customized Approach

The biggest philosophical change is the introduction of the customized approach alongside the traditional defined approach. The defined approach works like previous versions — meet specific requirements as prescribed. The customized approach lets organizations design their own controls to meet the security objective of each requirement. This provides flexibility for organizations with mature security programs but requires more documentation and testing.

Key New Requirements

Targeted risk analysis is now required for many controls, allowing organizations to define the frequency of certain activities based on their specific risk environment rather than following prescriptive timelines.

Enhanced authentication requirements include multi-factor authentication for all access to the CDE (not just remote access), stronger password requirements (minimum 12 characters), and protection against phishing attacks.

E-commerce security requirements include managing all payment page scripts, monitoring for unauthorized changes to payment pages, and implementing mechanisms to detect and prevent web-based attacks against payment pages.
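As an added example, not taken from the AuditXYZ lesson or from any PCI SSC material, the check below shows the core of a payment-page script inventory: every script on the checkout page must appear in an authorized inventory, external scripts must carry an integrity value that still matches the recorded baseline, and inline scripts are matched by hash; anything else is reported as a finding. The inventory, hosts and hash values are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(script_text):
    """Subresource Integrity value (sha384, base64) of a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_text.encode()).digest()).decode()


class _ScriptCollector(HTMLParser):
    """Collect every <script> on the page as [src, integrity, inline body]."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = [a.get("src"), a.get("integrity"), ""]
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[2] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None


def check_payment_page(html, authorized_src, authorized_inline):
    """Return (finding, detail) pairs for scripts missing from the inventory or drifted from baseline."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity, body in parser.scripts:
        if src is None:                         # inline script: compare its hash
            if sri_hash(body.strip()) not in authorized_inline:
                findings.append(("unauthorized-inline", body.strip()[:40]))
        elif src not in authorized_src:         # never approved for this page
            findings.append(("unauthorized-src", src))
        elif integrity is None:                 # approved but not pinned
            findings.append(("missing-integrity", src))
        elif integrity != authorized_src[src]:  # content drifted from baseline
            findings.append(("integrity-changed", src))
    return findings


# Constructed inventory and sample page; hosts and hash values are placeholders.
AUTHORIZED_SRC = {"https://pay.example.test/checkout.js": "sha384-BASELINE_A", "https://cdn.example.test/analytics.js": "sha384-BASELINE_B"}
AUTHORIZED_INLINE = {sri_hash("initCheckout({form: 'pay'});")}
SAMPLE_PAGE = """<script src="https://pay.example.test/checkout.js" integrity="sha384-BASELINE_A"></script>
<script src="https://cdn.example.test/analytics.js" integrity="sha384-CHANGED"></script>
<script src="https://widgets.example.test/chat.js"></script>
<script>initCheckout({form: 'pay'});</script>
<script>setTimeout(refreshCart, 500);</script>"""
```

Running `check_payment_page(SAMPLE_PAGE, AUTHORIZED_SRC, AUTHORIZED_INLINE)` reports the changed analytics script, the uninventoried chat widget and the unapproved inline script, which is the kind of output a periodic payment-page check would feed into the change-detection evidence an assessor asks for.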

Encryption requirements expand to mandate encryption of sensitive authentication data stored before completion of authorization, where it was previously prohibited entirely.

Future-Dated Requirements

Several requirements are designated as best practices until March 31, 2025, after which they become mandatory. These include automated log reviews, targeted risk analyses, enhanced script management for payment pages, and expanded MFA requirements.

Migration Planning

Organizations should assess their current compliance against v4.0 requirements, identify gaps requiring remediation, prioritize new requirements approaching their enforcement dates, and consider whether the customized approach is appropriate for their maturity level.

Practical Impact

For most organizations, the biggest impacts are expanded MFA requirements, enhanced e-commerce security controls, and the requirement for targeted risk analysis. Start with a gap assessment against v4.0 and plan remediation based on enforcement timelines.