PCI DSS 4.0: Major Changes and What They Mean for Your Organization

Introduction: A New Era for Payment Security

PCI DSS 4.0, released in March 2022, represents the most significant update to the Payment Card Industry Data Security Standard in over a decade. With the transition period for v3.2.1 ending on March 31, 2024, and future-dated requirements becoming mandatory on March 31, 2025, organizations must understand and prepare for these changes now.

This article explores the major changes in PCI DSS 4.0, what they mean for your compliance program, and how to prepare for the transition.

Key Philosophy Changes in PCI DSS 4.0

1. The Customized Approach

Perhaps the most significant change is the introduction of the Customized Approach—a new validation method that allows organizations to implement alternative controls to meet security objectives:

  • Defined Approach: The traditional method—follow prescriptive requirements exactly
  • Customized Approach: Meet the security objective through custom controls, with documented justification and testing

Important: The Customized Approach is not a shortcut—it requires more documentation, risk analysis, and rigorous testing than the Defined Approach. It's designed for mature security programs with specific business needs.

2. Outcome-Based Requirements

PCI DSS 4.0 shifts focus from prescriptive checklists to security outcomes. Requirements now clearly state the intended security objective, giving organizations more flexibility in how they achieve compliance.

3. Continuous Security

The standard emphasizes that security must be continuous, not just a point-in-time assessment. New requirements reinforce ongoing monitoring, testing, and validation throughout the year.

Major Technical Changes

Each row gives the requirement area, what has changed, and the expected impact:

  • Authentication: MFA required for all CDE access; stronger password requirements (12+ characters). Impact: High - affects all users and systems
  • E-commerce Security: New requirements for payment page scripts and integrity monitoring. Impact: High - new technical controls required
  • Risk Assessment: Targeted risk analysis required for many controls; annual enterprise risk assessment. Impact: Medium - process changes needed
  • Encryption: Disk/partition encryption no longer acceptable alone for stored PAN. Impact: High - may require infrastructure changes
  • Service Providers: Enhanced responsibilities and documentation requirements. Impact: Medium - contract and process updates

New Requirements Deep Dive

Payment Page Script Security (6.4.3)

One of the most impactful new requirements targets web skimming attacks (Magecart-style):

  • All payment page scripts must be inventoried and justified
  • Integrity of scripts must be assured (via SRI hashes, CSP, etc.)
  • Changes to scripts must be detected and alerted
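
The three bullets above map onto one control loop: keep an authorised inventory of script URLs with their SRI hashes, recompute the hash of what the payment page actually serves, and alert on anything unauthorised, modified or missing. The following is an added example written for this article, not code from the PCI SSC or the original author; the URLs and script bodies are constructed stand-ins for fetched responses.

```python
"""Payment-page script inventory and integrity check (requirement 6.4.3).

Added example, not code from the PCI SSC or the original article. An
authorised inventory maps each script URL to its expected SRI hash; the
check recomputes the hash of each script as currently served and reports
anything unauthorised, modified or missing. All URLs and bodies are constructed.
"""
import base64
import hashlib
from typing import Dict, List, Tuple

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity string, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def check_scripts(inventory: Dict[str, str], served: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare served scripts against the inventory; an empty result means clean."""
    findings = []
    for url, content in served.items():
        if url not in inventory:
            findings.append((url, "UNAUTHORISED"))   # not inventoried or justified
        elif sri_hash(content) != inventory[url]:
            findings.append((url, "MODIFIED"))       # integrity no longer assured
    for url in inventory:
        if url not in served:
            findings.append((url, "MISSING"))        # inventory is stale
    return sorted(findings)

# Constructed baseline: script bodies approved when the inventory was built.
APPROVED = {
    "https://shop.example/js/checkout.js": b"function pay(){/* approved v1 */}",
    "https://psp.example/iframe.js": b"window.PSP={};",
}
INVENTORY = {url: sri_hash(body) for url, body in APPROVED.items()}

# Constructed snapshot of today's payment page: the PSP script body changed
# and a script nobody inventoried has appeared.
SERVED_TODAY = {
    "https://shop.example/js/checkout.js": APPROVED["https://shop.example/js/checkout.js"],
    "https://psp.example/iframe.js": b"window.PSP={};/* changed without review */",
    "https://cdn.example/analytics.js": b"track();",
}

if __name__ == "__main__":
    for url, finding in check_scripts(INVENTORY, SERVED_TODAY):
        print(f"{finding}: {url}")
```

The same inventory hashes go into the page's `<script integrity="...">` attributes, so the browser enforces the hash at load time while this check provides the change detection and alerting the requirement asks for.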

Enhanced Authentication (8.3.6, 8.4.2)

Significant authentication upgrades include:

  • Password length: Minimum 12 characters (up from 7)
  • MFA scope: Required for all access to CDE, not just remote
  • MFA implementation: Must be phishing-resistant or require two different factors
  • System accounts: Interactive login must be disabled or tightly controlled

Internal Vulnerability Scanning (11.3.1.1)

Organizations must now perform authenticated internal vulnerability scans, providing deeper visibility into system vulnerabilities that unauthenticated scans might miss.

Security Awareness Training (12.6.2)

Enhanced training requirements include:

  • Training on current threats and vulnerabilities
  • Acceptable use of end-user technologies
  • Training must be reviewed and updated annually

Transition Timeline

March 31, 2024

PCI DSS v3.2.1 retired. All assessments must use v4.0.

March 31, 2025

Future-dated requirements become mandatory. These include:

  • Targeted risk analysis for many controls
  • Payment page script integrity requirements
  • Enhanced authentication requirements
  • Automated log review mechanisms
  • Detection of cleartext PAN in unexpected locations

Preparing for PCI DSS 4.0

Gap Assessment

Start with a thorough gap assessment against v4.0 requirements:

  • Compare current controls to new requirements
  • Identify future-dated requirements needing attention
  • Assess readiness for Customized Approach (if planning to use)
  • Document remediation timeline and resources needed

Priority Actions

  1. MFA Enhancement: Plan MFA rollout for all CDE access
  2. Password Policy Updates: Implement 12-character minimum
  3. E-commerce Review: Inventory and secure payment page scripts
  4. Risk Assessment Process: Develop targeted risk analysis methodology
  5. Documentation: Update policies and procedures to v4.0 language

Working with Your QSA

Engage your Qualified Security Assessor early:

  • Discuss Customized Approach options if appropriate
  • Clarify any requirement interpretations
  • Plan assessment timeline around future-dated deadlines
  • Identify training needs for your team

Benefits of PCI DSS 4.0

While the transition requires effort, PCI DSS 4.0 offers significant benefits:

  • Flexibility: Customized Approach allows innovation in security controls
  • Clearer objectives: Outcome-based requirements improve understanding
  • Modern threats: New requirements address current attack vectors
  • Continuous security: Emphasis on ongoing validation improves security posture

Conclusion

PCI DSS 4.0 represents a significant evolution in payment security standards. Organizations should view this transition as an opportunity to strengthen their security posture while gaining more flexibility in how they achieve compliance.

Start your gap assessment now, prioritize future-dated requirements, and engage with your QSA to ensure a smooth transition. The investment in preparation will pay dividends in both security and compliance efficiency.