PCI DSS 4.0 Compliance Scytale

Understanding the Top Changes in PCI DSS 4.0

Robyn Ferreira

Compliance Success Manager

Summary: There is a new version of PCI DSS - PCI DSS version 4.0. Here are the top changes that you must be aware of to help your business navigate.

We get it – just when you’ve cracked down the gist of PCI DSS version 3.2.1, here comes the new kid on the block with some significant plans to switch things up in the PCI DSS neighborhood. 

Are you ready to navigate the change? Let’s dive in. 

PCI DSS Version 4.0

The Payment Card Industry Data Security Standard (PCI DSS) was initially launched in 2006. Although the core objective remains the same, to ensure cardholder data security, the standard needs to consider the evolving threats within a changing cybersecurity landscape. 

One of the key changes in PCI DSS 4.0 is the shift towards a more risk-based approach. This change allows organizations to tailor their security measures more closely to the specific risks they face, encouraging a more dynamic and proactive security posture.

This brings us to the latest version of the PCI DSS – version 4.0. Version 4.0 will come into effect on March 31, 2024, The new version brings significant changes in how businesses must comply with PCI DSS. These changes hone into the intricacies of the security standard and can be challenging to navigate without expertise in cybersecurity. In brief, all changes within the latest version update stem from four core goals: 

  • To ensure that the standard meets the security needs of an evolving payment industry. 
  • To promote continuous security processes
  • To enhance validation methods and procedures
  • To add flexibility and support for alternative approaches to achieve security. 

So, to help your business navigate through PCI DSS version 4.0, here are the top changes you must be aware of. 

What’s New in PCI DSS 4.0: An Overview of the Latest Changes

The PCI DSS is known as the global standard for establishing cardholder data’s baseline security. However, even a mature standard can’t afford to stay stagnant amid emerging threats and technologies. Therefore, the following core changes have been introduced to better protect merchants and their customers from new threats against sensitive payment data. Here are the key takeaways to help you navigate your next PCI DSS audit.

Additional customized approach

One of the most significant changes within the version update includes adding a customized approach to implementing and validating PCI DSS. 

The new customized approach in PCI DSS 4.0 focuses on outcomes-based methodology, allowing organizations to meet the objectives of each requirement in a way that fits their unique environment. This approach requires a deeper understanding of the intended outcome of each requirement and encourages innovation in achieving compliance.

The new, customized validation approach will clearly define the security outcomes linked to each requirement. Organizations will then be able to choose to implement the control as prescribed, or for a customized implementation. With customized implementation, companies can show that the intent of the requirement is met without needing to provide an operational or technical justification.

The new customized approach allows organizations more flexibility in how they choose to meet the security objectives of PCI DSS requirements. Organizations now have the freedom to implement new technology to help them reach the PCI DSS objectives. However, not without adhering to some basic principles and guidelines. In brief, if an organization chooses to adopt a customized implementation approach, an assessor must validate that this approach meets the PCI DSS requirements. The validation process will include reviewing the entity’s approach documentation, controls matrix, and risk analysis.

Stronger authentication measures

As the payments industry is fast transitioning to cloud platforms, merchants must implement more robust authentication standards. 

To improve a merchant’s posture against emerging threats, the latest PCI DSS version is now better aligned with the National Institute of Standards and Technology (NIST) approach to digital identity authentication and life cycle management. Version 4.0 focuses on Identity and Access Management (IAM) and understands that it is critical to mitigating new threats against cardholder data. Some fundamental changes regarding authentication measures that merchants need to consider include: 

  • Review access privileges a minimum of twice per year. 
  • Implement multi-factor authentication (MFA) for all accounts with access to cardholder data. 
  • All passwords for payment applications and systems must be changed at least once a year or in case of any suspicious activity or potential breach. 
  • All passwords must be strong, unique and include at least 15 numeric and alphabetical characters. 
  • All vendor and third-party accounts must only be used when needed and continuously monitored for vulnerabilities and security risks. 

New changes to the 12 requirements

The core 12 PCI DSS requirements continue to provide the foundation for PCI DSS compliance. However, version 4.0 brings much-needed improvements to a few essential requirements. The fundamental changes include, but are not limited to, the following: 

RequirementSignificant changesEffective date
Requirement 1: No significant changesNot applicable
Requirement 2: No significant changesNot applicable
Requirement 3: Merchants must encrypt or protect all stored sensitive authentication data.
The changes in Requirement 3 aim to enhance data protection, particularly for stored sensitive authentication data. The focus is on stronger encryption methods and ensuring that encryption keys are managed securely. The new requirements emphasize the importance of protecting data throughout its entire lifecycle.
Merchants using remote access technology must prevent the copy and relocation of PAN data not only in policies but reinforce it with the relevant technology. 
Merchants may no longer use disk-level encryption for protecting any kind of non-removable media.
Organizations may now only use a keyed cryptographic hash method (if using a hash method for protecting card data).
March 31, 2025
Requirement 4: A new sub-requirement confirms that all merchants must document, track, and inventory all SSL and TLS certificates in use across public domains in order to strengthen their validity. March 31, 2025
Requirement 5: Organizations must now implement automatic processes and systems to detect and protect personnel against phishing attacks. March 31, 2025
Requirement 6:Organizations must have a web application firewall in place for any web applications exposed to the Internet.
Organizations must keep an inventory of all the known scripts used on those pages to mitigate the use of malicious scripts. 
March 31, 2025
Requirement 7: No significant changes, although merchants are reminded to tighten account reviews and processes around reviews for systems, users, and applications.March 31, 2025
Requirement 8:Relevant strengthening of authentication measures as mentioned before. 
Requirement 8’s changes revolve around strengthening authentication measures. This includes the implementation of multi-factor authentication (MFA) for all access to the cardholder data environment, not just for remote access. This reflects the evolving nature of threats and reinforces the importance of robust authentication mechanisms.
March 31, 2025
Requirement: 9No significant changesNot applicable
Requirement: 10Organizations are no longer allowed to manually review their logs. The process is deemed too time-consuming and prone to error. Merchants must therefore implement automated review tools. 
With the automation of log monitoring in Requirement 10, organizations are required to implement systems that can automatically identify and alert personnel to security incidents. This requirement addresses the challenges and limitations of manual log reviews and emphasizes the need for real-time monitoring and response.
All organizations are now required to detect, alert, and address failures of critical security control systems. Previously, this only applied to service providers but has now been extended to everyone.
March 31, 2025
Requirement: 11Organizations must implement a change and tamper detection mechanism for any payment pages. March 31, 2025
Requirement: 12Merchants must conduct an annual documented scoping exercise or after significant changes to the scope environment.Immediately Effective for 4.0 Assessments

How long do merchants have to comply with version 4.0? 

Merchants will have until March 31, 2024, to fully implement and follow PCI DSS version 4.0 before the previous version (3.2.1) is entirely replaced. However, it’s important to note that some requirements have come into effect immediately upon the release of version 4.0. In contrast, some are considered ‘best practice’ until the previous version is replaced on March 31, 2024 – making it compulsory. 


Conquer version PCI DSS 4.0 compliance with Scytale

Fortunately, these changes don’t have to leave you feeling anxious about where you stand regarding your PCI DSS compliance. Rather, automate the entire process to get (and stay) compliant up to 90% faster with Scytale. 

Conquer version 4.0 by updating the relevant new changes, or jumpstart your compliance journey with experts by your side. We do PCI DSS compliance, so you don’t have to.