Learn how connectivity and security transforms business in a cloud-based world.

Sales 888-407-9594LoginSupport CenterContact Support
Close this search box.

What You Need to Know About PCI DSS 4.0

PCI DSS 4.0 goes into effect March 31, 2024. Here’s what you need to know about the changes and how to prepare.

What is it?

The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard that provides a baseline of requirements designed to protect cardholder data and reduce fraud. Version 4.0 is its newest iteration. PCI DSS applies to “all entities that store, process, or transmit cardholder data and/or sensitive authentication data or could impact the security of the cardholder data environment.” Simply put, PCI DSS 4.0 applies to any organization that deals with credit cards. In the age of e-commerce, that’s nearly every company.

When does it go into effect?

The current version, PCI DSS 3.2.1, will remain active for two years after PCI DSS 4.0 is published to give companies time to become familiar with the new version and implement necessary changes. Companies will need to be fully compliant by March 31, 2025, but it’ll take time to transition. Experts recommend getting started as soon as possible. No matter when you get started, your first step should be performing a PCI DSS 4.0 gap assessment to come up with a plan of action and prioritize areas of greatest urgency.

What’s new?

In an ever-evolving cybersecurity landscape where e-commerce is omnipresent, standards must evolve with the threats and risks of the time. According to the PCI Security Standards Council, PCI DSS 4.0 serves the purpose of meeting four major goals:

  1. Continue to meet the security needs of the payments industry because security practices must evolve as threats change.
  2. Promote security as a continuous practice.
  3. Increase flexibility in organizations using different methods to achieve security objectives, affording businesses more options to adhere to requirements.
  4. Enhance validation methods and procedures to support transparency and granularity.

PCI DSS 4.0 is a comprehensive update to an already complex document. The good news? A majority of the changes are clarifications and amendments, including requirements to review access privileges. The full list of changes is accessible in The PCI Security Standards Council Document Library.

Notable changes

The changes in PCI DSS 4.0 can be grouped into the following categories:

Introducing a Customized Approach for implementation.

Since the beginning of PCI DSS, assessors and businesses have been using a traditional Defined Approach to implement and validate PCI DSS requirements or “objectives.” The Defined Approach remains an option for PCI DSS 4.0, but the Customized Approach is new. It allows organizations to design, implement, and maintain their own custom security controls to meet the requirement’s Customized Approach Objective.

What’s the difference?
Organizations following the Defined Approach adhere to the control processes exactly as outlined in PCI DSS 4.0. The Customized Approach means designing (and following) a custom-developed set of controls. However, customization does not need to apply to every single PCI requirement – for example, some companies might choose to customize their approach to only a few PCI requirements.

While the Customized Approach might sound like an “easier” option or a workaround to meet lower requirements, it’s not. In fact, the PCI Security Standards Council expects that electing to use the customized approach will require “greater initial effort to ensure the controls are properly implemented, supported by all the required documentation, and can be effectively assessed.”

It’s more accurate to think of the Customized Approach as an alternative that allow companies to meet PCI objectives in a different way than is stated within the requirement. Because this is a difficult exercise, the Customized Approach is recommended for risk-mature organizations with a robust cybersecurity framework. The Defined Approach is well-suite to organizations that are comfortable with the current approach or are new to PCI DSS and may need the specific direction to meet security objectives. It’s always a good idea to take stock of your current security posture before deciding which approach is right for your business.

Requiring stronger authentication and access control

As the payment industry rapidly transitions to the cloud, PCI DSS 4.0 focuses heavily on Identity and Access Management to protect cardholder data from a variety of threats, including human error, phishing, and brute force attacks.

Key changes include:

  • Passwords must be at least 12 characters, increased from 7
  • Multi-factor authentication required for anyone with cardholder data access
  • Access to cardholder data and payment systems should be on a need-to-know basis and carefully scrutinized
  • Access privileges must be reviewed at least twice per year
  • All passwords for payment applications and systems must be changed at least once per year

While none of the new and clarified requirements are groundbreaking for security-conscious business owners, they do provide a very specific framework to adhere to, requiring businesses to be both stringent and specific in their approach to access and authentication.

Increased Use of Risk Assessments

Risk assessments take on a more expansive role in PCI DSS 4.0. In contrast to previous versions of the standard where the emphasis was on an annual assessment, version 4.0 prioritizes Targeted Risk Analysis, an ongoing practice designed to continuously evaluate protective measures and identify and eradicate threats.

Targeted Risk Analyses are narrower in scope and typically focus on a specific asset, threat, or security control. As the name suggests, these analyses are intended to determine risk and guide risk management strategy. Companies will also be expected to perform a Targeted Risk Assessment whenever there is a change in their environment.

Businesses with little familiarity with risk assessments may want to engage a qualified third-party to assist with risk assessment parameters and ensuring they comply with PCI DSS 4.0 standards.

Become defensible

Security doesn’t have to be so intimidating. TPx offers a full suite of cybersecurity and advisory services that can help safeguard your business. Get in touch with TPx cybersecurity experts to get started on your journey.

Subscribe to the TPx Newsletter

Get our top researched insights delivered right into your inbox to help you better manage your IT.

* indicates required fields

*By signing up, you are accepting TPx’s privacy policy.