PCI DSS 4.0: What's Changed and How to Prepare
PCI DSS 4.0 introduces the Customised Approach, stronger authentication requirements, and expanded e-commerce protections. This guide covers the major changes from version 3.2.1, the transition timeline, and practical preparation steps for merchants and service providers.
PCI DSS 4.0 Overview
The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 was released in March 2022. It replaces version 3.2.1, which was retired on 31 March 2024. PCI DSS 4.0 introduces greater flexibility through the Customised Approach, strengthens authentication requirements, and adds protections for modern payment technologies.
Key Changes from Version 3.2.1
Major changes include:
- Customised Approach: A new validation method allowing organisations to meet security objectives using alternative controls
- Enhanced authentication: Multi-factor authentication is required for all access into the cardholder data environment, not just remote access (requirement 8.4.2, a future-dated requirement that becomes mandatory on 31 March 2025)
- Expanded e-commerce requirements: New controls address payment page integrity, including protections against web skimming attacks
- Targeted risk analysis: Several requirements now allow organisations to define frequencies based on their own risk analysis
- Stronger cryptography and key management requirements, for example hashes used to render PAN unreadable must be keyed cryptographic hashes (requirement 3.5.1.1), and disk- or partition-level encryption alone no longer satisfies the requirement to protect stored PAN on non-removable media (requirement 3.5.1.2)
The Customised Approach
Under the Customised Approach:
- Organisations implement controls of their own design to meet the stated Customised Approach Objective of a requirement, rather than following the Defined Approach requirement and its testing procedures
- A controls matrix documents how the custom control meets the objective, how it is maintained, and how its effectiveness is monitored
- A targeted risk analysis is performed and documented for each customised control
- The Qualified Security Assessor (QSA) reviews the controls matrix and risk analysis, derives the testing procedures used to validate the control, and independently validates its effectiveness
The Customised Approach is only available in a Report on Compliance assessment performed by a QSA; it is not an option for Self-Assessment Questionnaires, and some requirements are excluded from it. It requires more documentation but provides flexibility for mature security programmes.
Authentication Requirements
PCI DSS 4.0 strengthens authentication significantly:
- MFA is required for all access into the cardholder data environment, including from within the corporate network (requirement 8.4.2, future-dated to 31 March 2025); MFA for remote access originating from outside the network remains required under 8.4.3
- MFA implementations must be resistant to replay attacks, must not be bypassable by any user (administrators included) except for documented, time-limited exceptions, must use at least two different factor types, and must grant access only after all factors succeed (requirement 8.5.1)
- Password or passphrase minimum length increases from 7 to 12 characters, or 8 where a system cannot support 12, and must contain both numeric and alphabetic characters (requirement 8.3.6)
- System and application accounts used for interactive login must be managed (limited, justified and approved), their passwords must not be hard-coded in scripts, configuration files or source code, and those passwords must be changed periodically and protected against misuse (requirements 8.6.1 to 8.6.3)
E-commerce Protections
New requirements address web skimming attacks:
- Requirement 6.4.3: All scripts loaded and executed in the consumer's browser on payment pages must be managed: a method to confirm each script is authorised, a method to assure the integrity of each script, and an inventory of all scripts with a written justification for why each is necessary
- Requirement 11.6.1: A change- and tamper-detection mechanism must be deployed to alert personnel to unauthorised modification (including indicators of compromise, changes, additions and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser; it must be evaluated at least once every seven days, or at a frequency defined by a targeted risk analysis
These requirements recognise that attackers increasingly target the browser-side payment experience.
Transition Timeline
- 31 March 2024: PCI DSS 3.2.1 retired; all assessments must use version 4.x
- 11 June 2024: PCI DSS 4.0.1 published as a limited revision of 4.0 (clarifications and corrections, no new requirements); version 4.0 itself was retired on 31 December 2024 and 4.0.1 is now the only active version
- 31 March 2025: Future-dated requirements (marked "best practice until 31 March 2025" in the standard) become mandatory and are assessed as in place
Organisations should now focus on meeting all future-dated requirements.
Preparation Steps
- Conduct a detailed gap analysis against all PCI DSS 4.0 requirements, including future-dated ones
- Decide between the Defined Approach and the Customised Approach for each requirement
- Upgrade MFA implementations to cover all CDE access
- Inventory and manage all payment page scripts
- Implement change detection for payment pages
- Conduct targeted risk analyses where required
- Update documentation, policies, and system diagrams
- Engage your QSA early to discuss the Customised Approach if planned
PCI DSS 4.0 rewards organisations that take a risk-based, outcome-focused approach to payment security.