Compliance briefing — PCI DSS 4.0 raises software security obligations
The PCI Security Standards Council published PCI DSS v4.0 on 31 March 2022, introducing expanded requirements for software lifecycle governance, secure coding, and risk analysis that developer organisations must implement.
What happened: PCI DSS 4.0 modernised payment security controls, including secure software development practices, targeted risk analyses, and multi-factor authentication.
- Secure coding: Requirement 6 emphasises secure SDLC processes, developer training, and code reviews.
- Risk management: Targeted risk analyses allow customised controls but require documented justifications and reviews.
- Timeline: Merchants have until 31 March 2025 before the new requirements are fully enforced, but evidence gathering must begin now.
Next steps: Update PCI control matrices, align backlog items to new requirements, and coordinate with QSA partners on remediation roadmaps.