
Compliance briefing — PCI DSS 4.0 raises software security obligations

Published March 31, 2022, PCI DSS v4.0 requires merchants and service providers to map the new and changed requirements, expand continuous monitoring, and decide where to use the customized approach before the future-dated requirements become mandatory on March 31, 2025.


Executive briefing: The Payment Card Industry Security Standards Council (PCI SSC) released PCI Data Security Standard (PCI DSS) version 4.0 on March 31, 2022, the first new version since v3.2.1 in May 2018. The update modernizes requirements for protecting cardholder data, introduces the "customized approach" for meeting control objectives, and emphasizes continuous security monitoring, targeted risk analyses, and expanded multi-factor authentication (MFA). Version 3.2.1 remains valid until it is retired on March 31, 2024, and entities may assess against either version until then; after that date, assessments must use v4.0. Of the 64 new requirements, 13 apply immediately on adopting v4.0 and 51 are considered best practice until March 31, 2025, when they become mandatory, so organizations should begin implementing v4.0 changes now rather than waiting for the retirement of v3.2.1.

Key changes and strategic implications

PCI DSS 4.0 keeps the 12 core requirements but reorganizes and clarifies the control objectives, each now stated as an outcome with its own testing procedures. It introduces flexibility through the customized approach, which lets an entity design controls tailored to its environment if it can demonstrate that the control meets the stated objective and provides a targeted risk analysis, testing evidence, and documentation; the defined approach (implementing the requirement as written) remains available and will be the default for most entities. The standard requires targeted risk analyses for select requirements, so that organizations justify control frequency and rigor based on their threat landscape. New requirements address phishing detection and awareness, management of scripts on payment pages, MFA for all access into the cardholder data environment (CDE) under Requirement 8.4.2, and semi-annual segmentation testing for service providers.

The update reflects modern payment architectures, including cloud hosting, microservices, and third-party integrations. Requirement 12.4.1, for instance, requires executive management of service providers to establish responsibility for protecting cardholder data and for the PCI DSS compliance program, underscoring governance expectations, while Requirement 12.5.2 requires every entity to document and confirm its PCI DSS scope at least once every 12 months. Requirement 11.6.1 mandates a change- and tamper-detection mechanism on payment pages to combat web skimming. Service providers must conduct segmentation penetration testing at least once every six months (Requirement 11.3.4.1) and document logical access controls comprehensively.

Operational priorities for merchants and service providers

Start with a gap assessment comparing v3.2.1 controls to v4.0 requirements, using the PCI SSC's Summary of Changes from PCI DSS Version 3.2.1 to 4.0 as the checklist. Map existing policies, procedures, and technical safeguards to the new control statements, noting future-dated requirements that need longer lead time. Build a remediation roadmap that sequences quick wins (e.g., updating policies to reference v4.0 terminology) and complex projects (e.g., expanding MFA). Align the roadmap with annual assessment cycles and quarterly executive reporting.

Multi-factor authentication must extend to all access into the CDE (Requirement 8.4.2), not only the administrative and remote access covered under v3.2.1, so users connecting from trusted internal networks are in scope. Requirement 8.5.1 adds conditions on the MFA system itself: it must not be susceptible to replay attacks, must not be bypassable except through documented and approved exceptions, must use at least two different factor types, and must grant access only after all factors succeed. Evaluate current identity architectures, implement MFA that meets these conditions, and update access control policies. Integrate MFA with privileged access management (PAM) tools to ensure coverage across remote access, console login, and application access. Test failover procedures and user experience to prevent operational disruptions.

Strengthen security monitoring and logging. Requirement 10.7.1 already obliges service providers to detect, alert on, and respond promptly to failures of critical security control systems such as network security controls, IDS/IPS, file integrity monitoring, anti-malware, audit logging, and segmentation controls; Requirement 10.7.2 extends this obligation to all entities from March 31, 2025. Security operations centers should integrate log sources across firewalls, intrusion detection, endpoint protection, and cloud services, and deploy alerting for anomalous patterns. Retain audit logs for at least 12 months with the most recent three months immediately available for analysis (Requirement 10.5.1), and protect them from modification. Update incident response playbooks to reflect new detection capabilities and cross-train teams on handling web skimming, credential stuffing, and ransomware scenarios.

E-commerce teams must implement script management controls under Requirement 6.4.3, which is future-dated to March 31, 2025: every script loaded and executed in the consumer's browser on a payment page needs a method to confirm it is authorized, a method to assure its integrity, and an entry in an inventory with a written business or technical justification. Deploy content security policies (CSPs), subresource integrity (SRI), or script management platforms to detect unauthorized scripts on payment pages, and pair them with the change- and tamper-detection mechanism Requirement 11.6.1 expects for the HTTP headers and content of those pages as received by the browser. Document review processes and integrate with change management tools to maintain auditable records.
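As an added example (not from the briefing, the PCI SSC, or any vendor), the Python below shows what a 6.4.3 inventory and an 11.6.1 tamper check look like in code. It parses a constructed checkout page, compares each script against an approved inventory that records an SRI hash and a written justification, re-hashes the served script body so that a modified file is caught even when the tag still pins the approved hash, and derives a CSP `script-src` directive from the same inventory. The hostnames, script contents, inventory entries and the page itself are all assumptions built for the example; a real monitor would fetch the live page and the script bodies.

```python
"""Payment-page script inventory and tamper check (PCI DSS 4.0 Req. 6.4.3 / 11.6.1).
Added illustration, not PCI SSC or vendor code. Hostnames, script bodies and the checkout
page below are constructed; a real monitor would fetch the live page and script bodies.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body, e.g. 'sha384-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


class _ScriptCollector(HTMLParser):
    """Collect <script> tags in document order (src, integrity attribute, inline body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None


def audit_payment_page(html, inventory, fetched):
    """Compare every script on the page with the approved inventory.

    inventory: [{"src": url or None for inline, "integrity": SRI hash, "justification": str}]
    fetched:   {url: bytes} script bodies as retrieved by the monitor
    Returns findings in page order as {"script": ..., "finding": code}; [] means no change.
    """
    approved_ext = {i["src"]: i["integrity"] for i in inventory if i["src"]}
    approved_inline = {i["integrity"] for i in inventory if i["src"] is None}
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            # Inline script: authorized only if its exact hash is inventoried (6.4.3).
            if sri_hash(s["body"].encode()) not in approved_inline:
                findings.append({"script": "inline", "finding": "unauthorized_inline"})
            continue
        src, expected = s["src"], approved_ext.get(s["src"])
        if expected is None:
            findings.append({"script": src, "finding": "unauthorized"})
        elif not s["integrity"]:
            findings.append({"script": src, "finding": "missing_integrity"})
        elif expected not in s["integrity"].split():
            # The tag itself was edited: the page no longer pins the approved hash.
            findings.append({"script": src, "finding": "integrity_mismatch"})
        elif src in fetched and sri_hash(fetched[src]) != expected:
            # Tag unchanged but the served file differs: SRI makes the browser refuse
            # it, and the monitor must still raise the 11.6.1 alert.
            findings.append({"script": src, "finding": "content_changed"})
    return findings


def build_csp(inventory):
    """script-src from the inventory: host sources for external scripts, hash sources
    for inline ones. Without 'unsafe-inline' the browser also blocks other inline scripts."""
    sources = ["'self'"] + [f"'{i['integrity']}'" if i["src"] is None else i["src"] for i in inventory]
    return "script-src " + " ".join(dict.fromkeys(sources))


# --- Constructed sample: approved inventory and a page that has drifted from it ---
CHECKOUT_SRC = "https://checkout.example.com/static/checkout.js"
APPROVED_JS = b"document.getElementById('pay').addEventListener('submit', tokenize);\n"
INLINE_CONFIG = "window.checkoutConfig = {currency: 'USD'};"
INVENTORY = [
    {"src": CHECKOUT_SRC, "integrity": sri_hash(APPROVED_JS), "justification": "Tokenizes card data"},
    {"src": None, "integrity": sri_hash(INLINE_CONFIG.encode()), "justification": "Checkout config"},
]
# The page still pins the approved hash, but the served checkout.js has an unreviewed
# line appended, an unapproved tag-manager script was added, and a new inline script appeared.
PAGE = f"""<html><head>
<script src="{CHECKOUT_SRC}" integrity="{sri_hash(APPROVED_JS)}"></script>
<script>{INLINE_CONFIG}</script>
<script src="https://tagmanager.example.net/tm.js"></script>
<script>window.thirdParty = true;</script>
</head><body><form id="pay"></form></body></html>"""
FETCHED = {CHECKOUT_SRC: APPROVED_JS + b"// appended without change approval\n"}


def demo():
    """Run the audit over the constructed page; three findings are expected."""
    return audit_payment_page(PAGE, INVENTORY, FETCHED)
```

Running `demo()` returns three findings in page order: `content_changed` for checkout.js (the served body no longer matches the pinned hash), `unauthorized` for the tag-manager script absent from the inventory, and `unauthorized_inline` for the new inline script. The approved inline configuration produces no finding because its hash is inventoried. The inventory doubles as the source for the CSP, so the same record that satisfies the 6.4.3 documentation requirement also drives the browser-side control.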

Prepare for targeted risk analyses and customized approach documentation. For requirements that permit customized controls or flexible frequencies, develop a standard operating procedure to conduct risk analyses, document threat considerations, and obtain executive approval. Maintain evidence such as vulnerability trends, threat intelligence, and business impact assessments. Internal audit should verify risk analyses are performed at least annually or upon significant changes.

Governance and compliance management

Executive leadership must reaffirm accountability for protecting cardholder data. Establish a PCI governance council with representatives from security, IT operations, application development, compliance, procurement, and business units. Update policies to reference v4.0, including information security policies, incident response plans, vendor management procedures, and secure software development life cycle (SDLC) documentation. Track compliance status using dashboards that show requirement maturity, remediation progress, and outstanding issues.

Coordinate with Qualified Security Assessors (QSAs) early. Discuss customized approach plans, evidence expectations, sampling strategies, and future-dated requirements. Consider running a "dry-run" assessment against v4.0 to identify documentation gaps. Update attestation of compliance (AOC) processes to capture new requirement references and ensure board-level reporting reflects the transition timeline.

Internal audit and risk committees should incorporate PCI DSS 4.0 into enterprise risk management. Update risk registers with threats related to digital skimming, third-party exposure, and authentication weaknesses. Define key risk indicators such as MFA coverage rates, segmentation test findings, and vulnerability remediation timelines. Provide quarterly updates to audit committees and senior management.

Sourcing and third-party considerations

Evaluate service providers’ readiness for v4.0. Request updated Attestations of Compliance (AOCs), remediation plans, and evidence of compliance with future-dated requirements, and record which requirements each provider manages, which you manage, and which are shared (Requirement 12.8.5). Prioritize due diligence on hosting providers, payment gateways, managed security service providers (MSSPs), and call centers that handle cardholder data. Update contracts to reference PCI DSS 4.0, specify responsibilities for targeted risk analyses, and require timely notification of control failures.

When adopting the customized approach, consider partnering with security consultants or QSAs experienced in risk-based control design. Ensure contracts cover methodology documentation, testing procedures, and sign-off requirements. For script management or change-detection tooling, compare vendors that offer client-side security monitoring, runtime application self-protection (RASP), or content security reporting, and conduct proof-of-concept deployments before committing.

Procurement teams should review new vendor onboarding checklists to ensure they capture v4.0 obligations. Implement scoring models that evaluate vendors’ support for MFA, logging, vulnerability management, and secure development practices. Integrate vendor management with continuous monitoring platforms (BitSight, SecurityScorecard) to detect emerging risks.

Implementation roadmap and performance measurement

Set milestones aligned with PCI’s transition dates: publish gap assessment findings in 2022, implement core control upgrades during 2023, and validate compliance with future-dated requirements before March 31, 2025. Establish workstreams for MFA expansion, monitoring enhancements, SDLC updates, and documentation. Use agile project management techniques with sprint reviews and demos to show progress to stakeholders.

Monitor effectiveness using metrics such as percentage of systems under centralized logging, time to resolve critical vulnerabilities, click and credential-entry rates in phishing simulations, and completion status of targeted risk analyses. Leverage automated compliance tools to map controls, evidence, and policies to PCI requirements, enabling real-time dashboards for leadership.

By treating PCI DSS 4.0 as an opportunity to modernize payment security—not merely a compliance update—organizations can strengthen customer trust, reduce breach risk, and streamline audit processes. Early planning, disciplined governance, and strategic sourcing will ensure a smooth transition ahead of the 2025 enforcement deadline.
