PCI DSS 4.0 Updates: All You Need to Know
Stay compliant with the latest PCI DSS 4.0 updates and explore the key security requirements for protecting cardholder data.

Financial organizations are heavily exposed to cyber threats, not least because of the volume of sensitive data and transactions they handle. In 2024, attackers primarily targeted sensitive personal data such as Social Security numbers, bank account details, and login credentials. Criminal adoption of new technology adds to the exposure: the use of generative AI (GenAI) tools by scammers is expected to push fraud losses in the U.S. from $12.3 billion in 2023 to an estimated $40 billion by 2027.

Regulatory bodies respond to these emerging threats by updating existing regulations and standards and by developing new frameworks. One of the most significant developments for the payments sector in recent years is the major revision of PCI DSS, the set of requirements that governs how cardholder data is protected and how card transactions are handled. In March 2022, the Payment Card Industry Security Standards Council (PCI SSC) published PCI DSS 4.0, the first major revision since v3.2.1 in 2018. After a two-year transition period, v3.2.1 was retired on March 31, 2024, and PCI DSS 4.0 became the standard in force. In response to feedback from the community, the Council released PCI DSS 4.0.1 in June 2024 with clarifications, corrections, and minor updates; it introduces no new security requirements but makes the existing ones easier to understand and implement. PCI DSS 4.0.1 is now the only active version of the standard, and the future-dated requirements that were initially treated as best practice became mandatory on March 31, 2025. Continue reading to learn more about the PCI DSS 4.0 updates.
Understanding the Purpose of PCI DSS 4.0 Updates
The upgrade from PCI DSS 3.2.1 to PCI DSS 4.0, and later to PCI DSS 4.0.1, was driven by the need to:
- ensure stronger protection against evolving threats such as phishing, malware, and ransomware. PCI DSS 4.0 tightens authentication, encryption, and anti-phishing controls to address modern attack techniques;
- add flexibility through targeted risk analysis, which lets organizations decide how often certain controls are performed based on their own risk rather than on a fixed schedule;
- increase accountability for third-party security by requiring that relationships with third-party service providers (TPSPs) be actively managed, including explicit responsibility matrices showing which PCI DSS requirements each party owns;
- treat compliance as a continuous process rather than an annual audit. PCI DSS 3.2.1 was, in practice, a point-in-time exercise; PCI DSS 4.0 expects controls to operate and be monitored continuously, with evidence that they do;
- improve validation methods and procedures so that compliance assessments are more accurate, consistent, and effective. These changes affect how organizations demonstrate compliance through Reports on Compliance (ROC), Self-Assessment Questionnaires (SAQ), and Attestations of Compliance (AOC);
- clarify and refine requirements through PCI DSS 4.0.1, which provides clarifications to improve understanding of the requirements and corrects typos, formatting issues, and reporting templates.
The Summary of Changes from PCI DSS v3.2.1 to v4.0 and the Summary of Changes from PCI DSS v4.0 to v4.0.1, both published by PCI SSC, list every difference between PCI DSS 3.2.1, 4.0, and 4.0.1. Broadly, PCI DSS 4.0 concentrates on a few areas: the customized approach, authentication, encryption, monitoring, and the frequency with which critical controls are tested. We will not describe every change, but let's look at the updates most likely to affect your compliance program.
PCI DSS 4.0 Introduced a Customized Approach to Increase Flexibility for Organizations
Under PCI DSS 3.2.1, merchants and service providers that could not meet a requirement as written, for one reason or another, had to implement compensating controls, justified by a risk assessment and documented in a Compensating Control Worksheet. That option still exists in PCI DSS 4.0.1, and the updated Compensating Control Worksheet is available in the PCI Document Library. PCI DSS 4.0, however, adds an alternative: the customized approach, which lets organizations design their own controls to meet a requirement's stated objective instead of following the prescriptive defined approach. Here is how the customized approach works:
- instead of implementing the defined requirement, the organization implements a control of its own design that meets the requirement's customized approach objective with the same or a stronger level of protection;
- the organization must perform and document a targeted risk analysis (TRA) for each customized control, explaining why the control is effective, and must maintain a controls matrix describing how the control is implemented, maintained, and monitored;
- a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) then validates the control, deriving testing procedures from the organization's documentation rather than from the standard's defined testing procedures. The customized approach is therefore only available to entities assessed through a Report on Compliance; merchants completing a Self-Assessment Questionnaire cannot use it.
Not every business is a good candidate for the customized approach. PCI SSC intends it for risk-mature organizations, in particular:
- organizations with complex or advanced security infrastructures and the staff to document and defend their controls;
- companies using newer security technologies that do not map cleanly onto the traditional, prescriptive PCI DSS requirements;
- businesses that already take a risk-based approach and can show, through a targeted risk analysis, that an alternative control provides the same or greater protection.
The customized approach gives merchants and service providers the opportunity to meet a requirement's objective by the means most practical for them. The aim is flexibility, as long as the organization can demonstrate that its custom control satisfies the objective of the PCI DSS requirement. Note: not every requirement is eligible. For example, Requirement 3.3.1, which prohibits storing sensitive authentication data after authorization, cannot be met through the customized approach; the standard marks such requirements explicitly.
Targeted Risk Analysis
PCI DSS 4.0 introduces the targeted risk analysis (TRA): a structured analysis that lets an organization decide how, and how often, certain security controls are performed based on its own risks and business environment, rather than on a fixed schedule set by the standard. A TRA is useful wherever flexibility, scrutiny, customization, and stronger risk management are needed, since it:
- lets a business set the frequency of controls such as log reviews, malware scans, and point-of-interaction device inspections based on the actual risk to its environment rather than on a one-size-fits-all schedule;
- is required for every requirement that leaves the frequency to the entity, including controls covering malware protection, application and system account reviews, system account password changes, device inspections, log reviews, change-and-tamper detection, and incident response training;
- underpins the customized approach: each customized control must be supported by a TRA showing that it provides equal or better protection than the defined requirement;
- pushes organizations to reassess evolving threats and adjust controls accordingly.
Under PCI DSS 4.0 (Requirement 12.3.1), each TRA must be documented, reviewed at least once every 12 months, and updated whenever the environment changes in a way that affects it; a TRA supporting a customized control (Requirement 12.3.2) follows the same 12-month cycle. Beyond the annual review, a TRA should be performed or revisited:
- when implementing a customized approach;
- after significant changes to the environment (new systems, technologies, or security policies that affect cardholder data);
- following security incidents or breaches, when the assumptions behind the analysis may no longer hold.
Authentication: Deeper Focus on MFA and NIST Guidance
PCI DSS 4.0 puts more weight on strong authentication for access to payment systems and, with it, aligns several password and MFA requirements with NIST SP 800-63 guidance. The updated standard pays particular attention to remote access and to access into the cardholder data environment (CDE). MFA is now required for all non-console access into the CDE (Requirement 8.4.2), not only for administrators, and separately for all remote network access originating from outside the entity's network (Requirement 8.4.3). In practice this can mean two MFA prompts: one to establish the remote connection, and another when that remote session connects to the CDE entry point, such as a bastion host. Requirement 8.5.1 additionally specifies how MFA must behave: it cannot be bypassed, it must use at least two different factor types, and access is granted only after all factors succeed.

Separately from PCI DSS, PCI SSC maintains the PCI 3DS Core Security Standard for environments that operate EMV 3-D Secure (3DS) components (3DS Server, Directory Server, and Access Control Server). EMV 3DS, the protocol defined by EMVCo, authenticates the cardholder during e-commerce transactions and supports risk-based authentication, so issuers can step up with a challenge only for the transactions their risk scoring flags rather than for every purchase.
New Password Requirements
Along with the expanded MFA requirements, PCI DSS 4.0 also tightens the password requirements. These include:
- Minimum Password Length – 12 characters (previously 7; 8 is permitted only where the system cannot support 12);
- Minimum Complexity – both numeric and alphabetic characters;
- Lockout Requirements – lock the account after no more than 10 failed attempts (previously 6);
- Minimum Lockout Duration – 30 minutes, or until the user's identity is confirmed;
- Password Expiration – change at least every 90 days, but only where the password is the sole authentication factor (Requirement 8.3.9). As an alternative, the standard accepts dynamic analysis of the account's security posture to determine access in real time; accounts protected by MFA are not subject to the 90-day change;
- Password History – the new password must differ from the previous 4 passwords used.
Read more about PCI DSS 4.0 password requirements.
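To make the rules above concrete, here is a small policy engine that enforces the PCI DSS 4.0 length, complexity, history, and lockout requirements on an in-memory account record. It is an added example, not code from the original article or from PCI SSC; the `Account` structure, the PBKDF2 hashing, the `now` parameter for clock injection, and the constant names are assumptions made for the example.

```python
"""PCI DSS 4.0 password and lockout policy as a small, testable policy engine.

Added example, not code from the article. The Account record and the hashing
scheme are assumptions; only the numeric limits come from the standard."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Limits from PCI DSS v4.0 Requirements 8.3.6 (length/complexity),
# 8.3.4 (lockout) and 8.3.7 (history).
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 10
LOCKOUT_SECONDS = 30 * 60
HISTORY_DEPTH = 4          # new password must differ from the last four used


@dataclass
class Account:
    """In-memory account record (assumed structure, not from the article)."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # password hashes, newest first
    failed_attempts: int = 0
    locked_until: float = 0.0                      # epoch seconds; 0 = not locked


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-account salt; iteration count kept modest
    # so the example runs quickly. Use a slower setting in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def complexity_violations(password: str) -> list:
    """Return the 8.3.6 rules the candidate password breaks (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    return problems


def set_password(acct: Account, new_password: str) -> list:
    """Apply complexity and history rules; on success store the new hash.

    Returns the list of violations (empty when the password was accepted)."""
    problems = complexity_violations(new_password)
    digest = _hash(new_password, acct.salt)
    # 8.3.7: compare against the last four passwords used (current one included).
    if any(hmac.compare_digest(digest, old) for old in acct.history[:HISTORY_DEPTH]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    acct.history.insert(0, digest)
    del acct.history[HISTORY_DEPTH:]        # keep only what the rule needs
    return []


def attempt_login(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'invalid' or 'locked'. `now` is injected for testability."""
    if now < acct.locked_until:
        return "locked"                     # 8.3.4: locked for at least 30 minutes
    if acct.history and hmac.compare_digest(_hash(password, acct.salt), acct.history[0]):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0            # fresh counter once the lock expires
        return "locked"
    return "invalid"


if __name__ == "__main__":
    import time
    demo = Account()
    print(set_password(demo, "short1"))                 # length violation
    print(set_password(demo, "Tr0ub4dor-staple-2024"))  # accepted
    print(attempt_login(demo, "Tr0ub4dor-staple-2024", time.time()))
```

The `now` argument exists so the 30-minute lockout can be exercised without waiting; a real implementation would read the clock itself and would persist the record rather than keeping it in memory.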
Enhanced Email Security
PCI DSS 4.0 strengthens email-related controls to prevent unauthorized access, phishing, and accidental exposure of cardholder data (CHD) and sensitive authentication data (SAD). The key requirements that touch email include:
- no cardholder data in unprotected messages. The PAN must be protected with strong cryptography whenever it is sent via end-user messaging technologies such as email, chat, or instant messaging (Requirement 4.2.2), and SAD must not be stored after authorization at all, so it should never travel by email in the first place. Most organizations meet this by detecting and blocking PAN in outbound mail rather than by encrypting it;
- anti-phishing mechanisms (Requirement 5.4.1), such as email filtering, link and attachment analysis, and domain authentication with SPF, DKIM, and DMARC, to detect and protect personnel against phishing attacks;
- access controls that limit email systems handling sensitive business communication to authorized individuals;
- security awareness training that covers phishing and other email-based social engineering (Requirement 12.6.3.1).
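The first bullet is usually enforced by a data loss prevention (DLP) rule on the outbound mail gateway. The following added example (not code from the article or from any DLP product) shows the core of such a rule: find 13 to 19 digit sequences, discard the ones that fail the Luhn check so that order and tracking numbers are not flagged, and report only masked values. The regular expression, the function names, and the sample messages are constructed for the example.

```python
"""Outbound-mail PAN detector: the core of a Requirement 4.2.2 DLP rule.

Added example, not from the article. Sample messages are constructed."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not part of a longer digit run. A long run such as a 22-digit
# tracking number must not be carved into a 16-digit "card" by accident.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every real card number passes."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        d = int(char)
        if position % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs found in text, as plain digit strings."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep the BIN (first six digits here) and last four, the most 3.4.1 allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_outbound_message(body: str) -> dict:
    """Decide whether a message may leave unencrypted.

    Returns {"allowed": bool, "findings": [masked PANs]}. A real gateway would
    quarantine or encrypt the message rather than only reporting on it."""
    findings = [mask_pan(p) for p in find_pans(body)]
    return {"allowed": not findings, "findings": findings}


# Constructed sample messages; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_MESSAGES = {
    "refund": "Hi, please refund card 4111 1111 1111 1111 (exp 12/27) "
              "for order 1234567890123.",
    "shipping": "Your order 1234567890123 ships Monday; "
                "tracking 9400 1000 0000 0000 0000 00.",
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(name, scan_outbound_message(body))
```

The Luhn check is what keeps the false-positive rate tolerable: a 13-digit order number matches the candidate pattern but fails mod-10 and is ignored, while the tracking number never becomes a candidate because the lookarounds refuse to start or stop inside a digit run. Production rules add BIN-range checks, handling of other separators, and scanning of attachments.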
PCI DSS 4.0 Compliance Levels Remain Unchanged
Compliance levels are unchanged in PCI DSS 4.0. There are four levels for merchants and two for service providers, assigned by the card brands according to the number of transactions processed per year. For help finding yours, see the article Identify Your PCI Compliance Level.
How Planet 9 Can Help with PCI DSS Compliance
Navigating PCI DSS compliance can be challenging. Planet 9 professionals can help you become and remain PCI compliant. Whether you're a small business or a large enterprise, we provide customized support to ensure your organization meets security and compliance requirements efficiently. Our PCI DSS compliance services include:
- a gap assessment against the current version of the standard;
- a roadmap for remediating the identified compliance gaps and risks;
- assistance in executing the roadmap;
- facilitation and support throughout the required assessment or audit.
Stay informed by exploring our blog for the latest insights on cybersecurity and compliance. Book a free consultation today to explore how Planet 9 can help you achieve your security and compliance goals.
FAQs
What are the benefits of PCI DSS-compliant gateways for small businesses?
By integrating PCI-compliant payment gateways, small businesses reduce the risk of fraud and keep card data out of their own systems, which shrinks their PCI DSS scope and simplifies validation. It can also serve as a selling point, reassuring customers that their transactions are protected to the industry standard.
How does PCI compliance contribute to payment data security?
PCI DSS establishes requirements for how cardholder data is stored, encrypted, transmitted, and accessed. Organizations that handle such data are required to comply with the standard and to demonstrate their compliance in a form that depends on their compliance level.
How to get PCI DSS certified?
In short, to validate PCI DSS compliance, a business must:
- determine its compliance requirements under PCI DSS, including its compliance level and the validation documents that apply to it;
- conduct an initial assessment to understand how well it currently meets the PCI DSS requirements, identify gaps, and develop remediation plans;
- validate compliance through the appropriate path, either an SAQ or a ROC, each accompanied by an AOC;
- maintain the annual validation and attestation process.
How do we get started with PCI DSS if we’ve never gone through the process before?
If you're unsure where to start with PCI DSS validation, a common first step is to perform a gap assessment to understand how current practices align with the standard. Working with a knowledgeable partner can help clarify requirements, define scope, and prioritize remediation efforts. This approach helps reduce uncertainty and ensures a more efficient path to compliance.