Compliance Briefing — PCI DSS Version 4.0 Published
The PCI Security Standards Council released PCI DSS v4.0 on March 31, 2022, adding continuous compliance requirements, targeted risk analyses, and enhanced multi-factor authentication for cardholder data environments.
Executive briefing: On March 31, 2022, the PCI Security Standards Council (PCI SSC) published PCI Data Security Standard (PCI DSS) version 4.0. The update modernises payment security expectations by emphasising continuous control monitoring, risk-based testing, and stronger authentication in cardholder data environments (CDEs).
Key requirement updates
- Continuous compliance. Requirement 12.11 introduces mandated quarterly reviews and evidence collection to prove that security controls operate continuously between assessments.
- Targeted risk analysis. Flexible requirements now demand documented risk analyses to justify control frequencies and alternative implementations.
- Stronger authentication. Requirement 8 expands multi-factor authentication to all access into the CDE, including administrative and console access.
Implementation guidance
- Transition planning. Map current PCI DSS v3.2.1 controls to v4.0 requirements and identify gaps that must be closed before the March 31, 2025 retirement of v3.2.1.
- Evidence automation. Instrument logging, ticketing, and configuration management systems to capture continuous compliance artefacts required by Requirement 12.11.
- Authentication upgrades. Extend multi-factor authentication to administrators, service accounts, and remote access pathways touching the CDE.
Enablement moves
- Update policies and procedures to reflect targeted risk analysis expectations and document compensating control rationale.
- Coordinate with acquiring banks and QSAs on adoption timelines, especially for new e-commerce requirements such as automated anti-phishing controls.
- Deliver training for engineering and operations teams covering changes to logging, vulnerability management, and risk documentation.