PCI DSS 4.0 New requirements

In keeping with its ongoing goal of safeguarding cardholder information, the PCI Security Standards Council (PCI SSC) is rolling out a new version of its Payment Card Industry Data Security Standard (PCI DSS). This updated iteration draws on three years of extensive feedback from participants in the global payments industry representing more than 200 organizations. With this most recent update comes a transition to outcome-based requirements to meet the security industry’s evolving needs, emphasizing security as a continuous process and focusing on flexibility and customizability.

Although only four years have passed since the last version of the standard, v3.2.1, was put in place, tumultuous changes have required a new set of modifications. The COVID pandemic acted as the catalyst for abrupt shifts in shopper behaviors and the embracing of cloud-based platforms that facilitated online shopping and remote work. In keeping with this evolution, cyber attackers also developed ever more sophisticated ways to compromise data and usurp digital systems. 

The newest version of PCI DSS addresses this societal evolution in many ways. Although the 12 core requirements remain in place to protect cardholder data, the focus has moved toward initiating many security objectives designed to guide the implementation of security controls. To that end, PCI DSS v4.0 includes the following goals:

  • The standard will continue to meet the payment industry’s security needs.
  • It will keep achieving security via flexibility and support of additional methodologies.
  • It will promote security as a continuous process.
  • It will enhance procedures and validation methods.

Thanks to the new emphasis on customization, compliance with the standard can be obtained via either the traditional method or through scaled plans designed to meet the unique needs of individual businesses.


These days, cardholder data is safeguarded in several ways, with one of the most important to emerge in recent years being identity and access management (IAM). PCI DSS v4.0 recognizes this priority, aligning with the NIST guidance on digital identities. That is in response to the increased use of cloud-based technologies and the accompanying need for stronger authentication protocols. To that end, PCI DSS v4.0 covers:

  • Multifactor authentication for all accounts that can access cardholder data.
  • Passwords used for application and system accounts must be changed at least every 12 months, or sooner if compromise is suspected.
  • Passwords for accounts and systems must be at least 15 characters long and contain both numeric and alphabetic characters. Additionally, every password must be compared against a list of known bad passwords.
  • Access privileges must be reviewed at least once every six months.
  • Third-party accounts should be enabled as needed and monitored when in use.
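The following is an added example, not code from the article or from the PCI SSC, showing how the authentication points listed above can be turned into concrete checks: password composition (the 15-character minimum and alphabetic-plus-numeric rule as the article states them), comparison against a known-bad list, the 12-month rotation (or immediate change on suspected compromise), and the six-month access review. The known-bad password list and the sample accounts are constructed for the demo; a real deployment would compare against a breach corpus and read account dates from the identity store.

```python
"""Policy checks modelled on the PCI DSS v4.0 authentication points above.

Added example, not the article's or PCI SSC's own material. Thresholds are
the values the article states; the bad-password list and accounts below are
constructed sample data, not real credentials.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MIN_LENGTH = 15                 # minimum length as stated in the article
MAX_PASSWORD_AGE_DAYS = 365     # change at least every 12 months
ACCESS_REVIEW_DAYS = 182        # review privileges at least every six months

# Constructed stand-in for a breach/known-bad corpus (stored lowercase).
KNOWN_BAD_PASSWORDS = frozenset({
    "password123456789",
    "welcome2024welcome1",
    "changeme1changeme1",
})


def check_password(candidate: str) -> list[str]:
    """Return the policy violations for a candidate password ([] = compliant)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isalpha() for ch in candidate):
        problems.append("no alphabetic character")
    if not any(ch.isdigit() for ch in candidate):
        problems.append("no numeric character")
    # Compare case-insensitively so trivial case variants of a bad password fail too.
    if candidate.lower() in KNOWN_BAD_PASSWORDS:
        problems.append("appears on known-bad password list")
    return problems


@dataclass
class Account:
    name: str
    password_last_changed: date
    access_last_reviewed: date
    suspected_compromise: bool = False


def password_change_required(acct: Account, today: date) -> bool:
    """True if the password is older than 12 months or compromise is suspected."""
    age = today - acct.password_last_changed
    return acct.suspected_compromise or age > timedelta(days=MAX_PASSWORD_AGE_DAYS)


def access_review_overdue(acct: Account, today: date) -> bool:
    """True if access privileges have not been reviewed within six months."""
    return today - acct.access_last_reviewed > timedelta(days=ACCESS_REVIEW_DAYS)


def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map each account name to its outstanding findings (only accounts with findings)."""
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        issues = []
        if password_change_required(acct, today):
            issues.append("password change required")
        if access_review_overdue(acct, today):
            issues.append("access review overdue")
        if issues:
            findings[acct.name] = issues
    return findings


if __name__ == "__main__":
    today = date(2024, 3, 31)   # constructed reference date for the demo
    sample = [  # constructed accounts
        Account("svc-batch", date(2023, 1, 15), date(2023, 12, 1)),
        Account("ops-admin", date(2024, 1, 10), date(2023, 8, 1), suspected_compromise=True),
        Account("web-tier", date(2024, 2, 1), date(2024, 3, 1)),
    ]
    for pw in ("password123456789", "short1", "Tr0ub4dor&3-horse-stapl"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    print(audit(sample, today))
```

`check_password` returns every violation rather than stopping at the first, so a help-desk tool or enrolment form can tell the user everything to fix at once; `audit` applies the time-based rules to a whole account set, which is the shape an access-review job takes.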

The new emphasis on customizability allows organizations to construct their authentication systems to meet the standard’s requirements and the company’s risk environment. Additionally, PCI SSC is working with Europay, Mastercard, and Visa to implement the 3DS Core Security Standard during the transaction authorization process.

Encryption has long been used to keep cardholder data safe, and the new version of PCI DSS builds on this foundation by expanding on trusted networks. Additionally, the mandate for data discovery for identifying all sources and locations of cleartext primary account numbers has been made more frequent, at least every 12 months, or if the data environment undergoes significant changes. 

PCI DSS version 4.0 will not immediately affect all organizations. Between now and June of this year, the text of the revised standard will be published in numerous languages and distributed around the globe. Additionally, an online educational symposium will be available to PCI SSC community members on June 21, 2022.

Assessor training will begin in June. V3.2.1 will remain in effect for two years after the publication of V4.0, with a deadline date of March 31, 2024. That will give organizations time to learn the new requirements and develop strategies to implement the changes.