What’s new in PCI DSS v4.0

What’s new in PCI DSS v4.0

PCI DSS v4 is here. In this article I will delve into the PCI DSS, the new update changes and what companies should expect.

  • In March 2022, the Payment Card Industry Security Standards Council (PCI SSC) released the latest version of the Payment Card Industry Data Security Standard (PCI DSS), version 4.0.
  • PCI DSS v4.0 replaces PCI DSS version 3.2.1 to address the evolving and expanding threat landscape and provide innovative ways to combat new threats.
  • Organizations have to fully implement and comply with PCI DSS version 4.0 until March 31, 2024.

What is PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards established by major credit card companies (such as Visa, MasterCard, and American Express) to protect against credit card fraud. The standard includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. Organizations that handle credit card payments must comply with the standard to be able to accept credit card payments.

PCI DSS v4.0

PCI DSS v4.0, the latest version of the Payment Card Industry Data Security Standard, aims to tackle new and emerging threats to cardholder data by focusing on outcome-based requirements. This version of the standard comes four years after the release of PCI DSS v3.2.1 and is expected to provide more effective means of combating new threats. PCI DSS v4.0 represents a significant overhaul of the Payment Card Industry Data Security Standard compared to its previous version, PCI DSS v3.2.1. Even for those familiar with the earlier version, the new standard may appear unfamiliar due to various changes such as alteration in requirement number, location, wording, addition of new requirements and testing procedures. Organizations should anticipate significant modifications in the requirements of the standard.

One of the key changes in PCI DSS v4.0 is to the reporting documentation, which now features a new assessment finding status referred to as “In Place with Remediation” and a new validation method known as “Customized Approach.” This update reflects the effort to address emerging threats and technologies and enable innovative methods to combat new threats.

In PCI DSS v4.0, the framework of 12 requirement sections remains unchanged, however, there are notable modifications made to the layout and language of the requirements. Some requirements have been moved to new sections to align with their objectives, while others have been updated to provide clearer security intent and more comprehensive guidance on the implementation of security controls. Despite these changes, the core structure of the standard remains the same.

The main objectives of PCI DSS v4.0 are:


  • To ensure the standard stays aligned with the evolving security needs of the payments industry.
  • To emphasize the importance of ongoing security efforts.
  • To provide more flexibility in achieving requirements and support for various methodologies.
  • To improve the validation process and methods.

In addition, these are the 10 most notable new requirements of v4.0 in comparison to v3.2.1:

  • Measures to safeguard against phishing attacks for staff, including regular staff training.
  • Regular review of user accounts and access privileges every six months.
  • Implementation of stronger password rules with an increase in minimum length from 7 to 12 characters and prohibition of hard-coding passwords in files or scripts.
  • Mandatory multi-factor authentication for all access to the Card Data Environment, including administrative access.
  • Revised multi-factor authentication requirements to ensure secure implementation.
  • Automated log reviews conducted daily rather than the option of manual reviews.
  • Use of authenticated scanning for internal vulnerability scans.
  • Adoption of intrusion detection/prevention techniques to detect and prevent covert malware communication channels.
  • Conducting more comprehensive, specific, and targeted risk assessments.
  • Performing regular PCI DSS scope confirmation, including the use of card data discovery techniques.


In summary, PCI DSS v4.0 has been updated to address evolving security threats and technologies, promote security as a continuous process, add flexibility and support for additional methodologies to achieve the objective of a requirement, and enhance validation methods. It requires organizations to implement stronger password rules, mandatory multi-factor authentication for all access to the card data environment, regular user account review, staff training, and more comprehensive risk assessments.

PCI DSS v4 Timeline

The PCI DSS v4.0 standard will be phased in over time. Both PCI DSS v4.0 and PCI DSS v3.2.1 will be valid standards for organizations until March 31, 2024. After that date, only PCI DSS v4.0 assessments will be allowed. Additionally, some new requirements will be considered best practices until 2025. The PCI SSC is released supporting documents and provides training to assessors which is required before they can perform any PCI DSS v4.0 assessments. Companies should take note of these changes and prepare for any potential impact on their assessments.

What Odyssey can do for you

For more than two decades, Odyssey evolve its cybersecurity solutions to support clients around the globe in effectively managing their digital risks and adhering to compliance requirements. With more than 150 highly skilled professionals with extensive education, expertise and hands-on experience, Odyssey goes beyond traditional consulting practices to help you design Security and Resilience into your overall Digital Business Strategy. With years of experience in executing PCI DSS assessment projects and a dedicated team of Qualified Security Assessor (QSA) specialists, trained in the latest version of the standard (version 4.0), Odyssey can successfully advise and guide you throughout the entire process.

Author: Andreas Constantinides, Manager, Professional Services