PCI DSS v4.0
PCI DSS v4.0 is the global security standard for organisations that store, process, or transmit cardholder data, published by the PCI Security Standards Council. Version 4.0, released in March 2022 with full enforcement from 31 March 2025, introduced a customised approach to validation, expanded multi-factor authentication requirements, and added 64 new requirements. It contains 63 top-level controls across 12 requirement areas.
Overview
What is PCI DSS v4.0?
The Payment Card Industry Data Security Standard (PCI DSS) v4.0 is the mandatory security standard for any organisation that stores, processes, or transmits payment card data from the major card brands (Visa, Mastercard, American Express, Discover, JCB). Published by the PCI Security Standards Council, it replaced version 3.2.1 with full enforcement from 31 March 2025. Compliance is validated through Self-Assessment Questionnaires (SAQs) or on-site assessments by Qualified Security Assessors (QSAs), depending on transaction volume.
What are the 12 PCI DSS requirements?
PCI DSS v4.0 is organised into 12 top-level requirements grouped under 6 goals:
- Install and Maintain Network Security Controls: Implement and maintain firewall/security configurations to protect cardholder data
- Apply Secure Configurations: Do not use vendor-supplied defaults for system passwords and security parameters
- Protect Stored Account Data: Protect stored cardholder data through encryption, masking, and retention policies
- Protect Cardholder Data in Transit: Encrypt transmission of cardholder data across open, public networks
- Protect from Malicious Software: Protect all systems and networks from malicious software
- Develop Secure Systems and Software: Develop and maintain secure systems and applications
- Restrict Access by Business Need: Restrict access to cardholder data to authorised personnel only
- Identify Users and Authenticate Access: Identify and authenticate access to system components
- Restrict Physical Access: Restrict physical access to cardholder data and systems
- Log and Monitor All Access: Log and monitor all access to cardholder data and network resources
- Test Security Regularly: Regularly test security systems and processes including vulnerability scans and penetration tests
- Maintain an Information Security Policy: Maintain a policy that addresses information security for all personnel
What changed in PCI DSS v4.0?
Version 4.0 introduced several major changes from v3.2.1:
- Customised Approach: A new validation method allowing organisations to meet security objectives using controls different from those in the defined approach, provided they demonstrate equivalent security
- Expanded MFA: Multi-factor authentication now required for all access to the cardholder data environment, not just remote access
- Targeted Risk Analysis: Organisations must perform targeted risk analyses to determine the frequency of certain periodic activities
- Enhanced Authentication: Increased password length requirements (minimum 12 characters) and stricter authentication controls
- 64 New Requirements: Added requirements addressing emerging threats including phishing, e-commerce skimming, and automated security testing
Key Controls
| ID | Control |
|---|---|
| 1.1 | Network Security Controls Defined |
| 3.1 | Account Data Protection |
| 4.1 | Transmission Encryption |
| 6.1 | Secure Development |
| 8.1 | User Identification |
| 8.4 | Multi-Factor Authentication |
| 11.1 | Security Testing |
| 12.1 | Information Security Policy |