
PCI DSS version 4.0 released

The PCI Security Standards Council published PCI DSS v4.0 on 31 March 2022, expanding requirements for authentication, e-commerce, and risk-based testing with transition timelines into 2025.


The PCI SSC released PCI DSS 4.0 on 31 March 2022, updating controls for multi-factor authentication, e-commerce scripts, customized approaches, and targeted risk analyses. Organizations must adopt the standard by March 2025, with several new requirements becoming effective after March 2025.

Key changes from v3.2.1

  • Multi-factor authentication: MFA required for all access into the cardholder data environment, not just remote access. Expanded authentication requirements for all personnel with administrative access.
  • E-commerce and browser security: New requirements for payment page script integrity monitoring, HTTP header controls, and web application protection mechanisms.
  • Customized approach: Option to implement controls differently from prescribed methods if organizations can show equivalent security outcomes through targeted risk analysis.
  • Targeted risk analysis: Requirements to perform periodic risk analyses to determine the frequency of certain activities, such as log reviews and access reviews.
  • Encryption updates: Stronger encryption requirements and deprecation of older protocols with defined transition timelines.

Key dates and milestones

PCI DSS 3.2.1 retires on 31 March 2024. Organizations must be fully compliant with v4.0 by that date. However, many new requirements are identified as "future-dated" and become mandatory on 31 March 2025, providing additional implementation runway for significant technical changes.

Compliance planning

Merchants, service providers, and engineering teams should map gaps from version 3.2.1 to 4.0, focus on MFA coverage and payment page integrity monitoring, and plan evidence for customized controls and assessor expectations during the transition period. Engage QSAs early to clarify interpretation of new requirements.

Framework Overview

The Payment Card Industry Security Standards Council (PCI SSC) released PCI Data Security Standard version 4.0 on March 31, 2022, representing the first major revision since version 3.0 in 2013. The updated standard introduces significant changes, including customized implementation options, expanded multi-factor authentication requirements, and improved encryption standards that organizations must address through comprehensive compliance program updates.

PCI DSS 4.0 establishes two implementation approaches: the traditional defined approach with prescriptive requirements, and a new customized approach that allows organizations to implement alternative controls meeting the security objective if they can show equivalent security. This flexibility acknowledges that security solutions vary across organizations while maintaining consistent protection for cardholder data.

Key Changes and Requirements

Authentication requirements expand significantly under version 4.0. Multi-factor authentication is now required for all access to the cardholder data environment, extending beyond the previous requirement limited to administrative access. Password complexity requirements increase, and organizations must implement controls preventing use of previously compromised passwords.

Encryption standards receive significant updates, with requirements for stronger cryptographic algorithms and key management practices. Organizations must transition away from deprecated protocols and implement encryption meeting current cryptographic standards. Encryption in transit requirements expand to cover more internal network communications.

Security awareness training requirements strengthen, with more frequent training cycles and testing requirements to verify effectiveness. Organizations must maintain documented training programs addressing specific threats and attack techniques relevant to the payment card environment.

Key dates and milestones

The standard sets up a transition period to allow organizations time to implement required changes. PCI DSS 3.2.1 remains valid until March 31, 2024, after which all assessments must use version 4.0. However, several requirements identified as future-dated do not become mandatory until March 31, 2025, providing additional implementation runway for more complex changes.

If you are affected, assess your current compliance posture against version 4.0 requirements, identify gaps, and develop remediation roadmaps. Prioritization should consider both requirement effective dates and implementation complexity, enabling efficient resource allocation across the transition period.

Compliance Program Updates

Compliance programs require updates to address new requirements and documentation expectations. Risk assessment processes must incorporate the customized approach if organizations choose to implement alternative controls. Evidence collection and documentation practices should align with version 4.0 assessment procedures.

Qualified Security Assessor (QSA) engagement should occur early in the transition to validate interpretation of new requirements and review proposed customized implementations. Internal audit programs should incorporate version 4.0 control testing to identify and address gaps before formal assessment.

Wrapping up

PCI DSS 4.0 represents a significant evolution of payment card security standards, introducing flexibility while strengthening protection requirements. If you are affected, begin transition planning immediately, using the extended timeline to implement changes systematically while maintaining continuous compliance throughout the transition period.

Technical Implementation Considerations

Technology investments may be required to meet version 4.0 requirements. Multi-factor authentication solutions must support the expanded scope of required deployments. Encryption infrastructure should be evaluated for algorithm support and key management capabilities. Security monitoring and logging capabilities must address improved requirements for event detection and response.

Network segmentation remains a critical control for limiting scope of PCI DSS assessments. If you are affected, review segmentation effectiveness and consider whether architecture changes could reduce compliance burden while maintaining security. Virtualization and cloud deployments require particular attention to ensure segmentation controls operate effectively across dynamic infrastructure.

Third-Party Management

Service provider management requirements expand under version 4.0, with improved due diligence and monitoring obligations. Organizations must maintain current lists of service providers with access to cardholder data and verify their compliance status annually. Contractual requirements must address security responsibilities and incident notification obligations.

Payment application security receives increased attention, with requirements for secure development practices and vulnerability management for internally developed applications. Third-party payment applications must be validated against PA-DSS or the successor Software Security Framework requirements.

Ongoing Compliance Maintenance

Continuous compliance requires integration of PCI DSS requirements into security operations and governance processes. Automated compliance monitoring helps identify control deviations before they result in assessment findings. Regular internal assessments provide early warning of emerging gaps requiring remediation.

Staff training should address version 4.0 changes relevant to each role, ensuring personnel understand their compliance responsibilities. Documentation maintenance supports both operational consistency and assessment evidence requirements. Early engagement with assessors and industry peers provides insight into common challenges and effective implementation approaches.

Investment in compliance automation and security tooling supports efficient compliance maintenance while improving overall security posture. Regular review of industry guidance and PCI SSC resources helps organizations stay current with interpretation clarifications and implementation good practices. Strategic planning ensures compliance programs remain effective as requirements continue to evolve.

Early preparation positions organizations for successful compliance transitions. Documentation of implementation decisions supports audit processes and enables knowledge transfer.

Continuous improvement drives security maturity.

Risk Management Integration

PCI DSS 4.0 emphasizes risk-based approaches throughout the standard. Organizations must conduct targeted risk analyses to determine the frequency of security activities, moving away from one-size-fits-all prescriptive requirements. This flexibility enables organizations to tailor security controls to their specific threat environment and operational context while maintaining consistent protection for cardholder data environments.

The customized approach option requires organizations to demonstrate that alternative controls achieve equivalent security outcomes. This demands robust documentation of risk analysis methodology, control design rationale, and effectiveness evidence. Qualified Security Assessors must validate that customized implementations meet the security intent of the corresponding defined approach requirements.

Vendor and Supply Chain Considerations

Payment ecosystem vendors must prepare for increased scrutiny under PCI DSS 4.0. Service provider agreements need revision to address new requirements for third-party security monitoring and incident notification. Payment application developers must align products with updated security requirements, including browser security controls for e-commerce implementations. Early vendor engagement helps organizations assess product roadmap alignment with compliance timelines.

Further reading

  1. PCI DSS v4.0 Document Library — pcisecuritystandards.org
  2. PCI DSS v4.0 Resource Hub — blog.pcisecuritystandards.org
  3. ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization