What’s New in PCI DSS 4.0?

January 4, 2023

In March 2022, the Payment Card Industry (PCI) Security Standards Council released the latest version of the PCI Data Security Standard (DSS), version 4.0. Its predecessor, PCI DSS v3.2.1, remains active for two years, meaning that PCI assessments started on or after March 31, 2024 will require PCI DSS v4.0 report submissions.


At a high level, the 12 core PCI DSS requirements do not fundamentally change with the upcoming v4.0. The original v3.2.1 requirements remain the foundation of v4.0 and the existing methods used to measure compliance remain essentially the same. However, v4.0 updates focus on how the security controls should be implemented.


Key goals of PCI DSS v4.0 include:


  • Updating the standard to ensure it continues meeting security requirements
  • Improving current requirements through validation methods and procedures
  • Adding flexibility and support for methods to achieve the requirements
  • Promoting PCI security as part of a continually improving process


One noteworthy change in v4.0 introduces an alternate option for meeting compliance. Customized implementation, only applicable to those completing a Report on Compliance (ROC), considers an objective’s intent and allows businesses to design their own unique security controls to meet data security regulatory requirements.


This change, however, also has the potential to cause confusion if organizations miss the intended rigor of the requirement. Qualified security assessors (QSAs) must carefully scope new assessments, taking the time to thoroughly explain the control intent. While this may be possible for businesses with mature PCI controls and experienced PCI employees, other businesses may have difficulty understanding the nuances of the language and therefore complying with the control intent.


Building on a Zero Trust mindset, the v4.0 standard also lets organizations scale their authentication methods to fit their transaction control objectives and better align to the risk ecosystem. This is due to the PCI Security Standards Council, in partnership with Europay International, Mastercard and Visa, implementing the use of the “3DS Core Security Standard” during transaction authorization.


Although the Zero Trust security model is not directly mentioned in the new standard, its differences from PCI v3.2.1 indicate a subtle shift away from precise technical specifications and toward a broader, more progressive view of achieving adequate control.


Other v4.0 changes include recognizing the value of stronger authentication mechanisms within identity and access management (IAM) solutions for safeguarding cardholder data. This involves aligning more closely to the National Institute of Standards and Technology (NIST) authentication and lifecycle management models. As organizations within the payment industry migrate to cloud-based ecosystems, payment and control solutions must employ even stronger authentication methods. PCI DSS v4.0 addresses these requirements with:


  • Multi-factor authentication (MFA) for all accounts with access to cardholder data (no longer limited to the overarching cardholder data environment)
  • User passwords increased from 8 characters to 12 characters with alphanumeric complexity requirements
  • Application and system passwords increased to 15 characters with full complexity requirements (alphanumeric, upper and lower case and special characters)
  • Password changes required every 12 months or on suspicion of compromise. Prospective passwords are also compared to a list of known weak passwords
  • Privileged access reviews every six months minimum
  • Enablement of vendor and/or third-party accounts only as needed (and monitored while in use)
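To make the authentication bullets above concrete, here is an added example (not Optiv's or the PCI SSC's code) of a password policy checker that encodes the thresholds listed: 12 characters with letters and digits for user accounts, 15 characters with full complexity for application and system accounts, a comparison against a known-weak list, and a 12-month rotation clock that resets immediately on suspected compromise. The blocklist contents and the `check_*` function names are this example's own assumptions; a real deployment would load a much larger breach-derived list.

```python
"""Password policy checks modelled on the PCI DSS v4.0 authentication bullets.
Added illustration, not Optiv's or the PCI SSC's code; thresholds are taken from
the list above (12 chars user / 15 chars system, complexity, known-weak list,
12-month rotation)."""
from __future__ import annotations

import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample of a "known weak" list. A real deployment would load a
# far larger list (for example a breach-derived corpus) from disk.
KNOWN_WEAK = frozenset({
    "password", "password1234", "welcome12345", "qwertyuiop12", "summer2023!!",
})

MAX_PASSWORD_AGE = timedelta(days=365)  # "every 12 months"


@dataclass
class PolicyResult:
    ok: bool
    failures: List[str] = field(default_factory=list)


def _complexity(pw: str) -> Dict[str, bool]:
    """Which character classes the candidate password contains."""
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }


def check_user_password(pw: str) -> PolicyResult:
    """Interactive user accounts: >= 12 characters, letters and digits, not known-weak."""
    failures: List[str] = []
    if len(pw) < 12:
        failures.append("length: user passwords must be at least 12 characters")
    cx = _complexity(pw)
    if not (cx["upper"] or cx["lower"]) or not cx["digit"]:
        failures.append("complexity: must contain both letters and digits")
    if pw.lower() in KNOWN_WEAK:
        failures.append("known-weak: password appears on the blocklist")
    return PolicyResult(not failures, failures)


def check_system_password(pw: str) -> PolicyResult:
    """Application/system accounts: >= 15 characters with upper, lower, digit and special."""
    failures: List[str] = []
    if len(pw) < 15:
        failures.append("length: system passwords must be at least 15 characters")
    missing = [name for name, present in _complexity(pw).items() if not present]
    if missing:
        failures.append("complexity: missing " + ", ".join(missing))
    if pw.lower() in KNOWN_WEAK:
        failures.append("known-weak: password appears on the blocklist")
    return PolicyResult(not failures, failures)


def rotation_due(last_changed: date, today: date, suspected_compromise: bool = False) -> bool:
    """A change is required after 12 months, or immediately on suspicion of compromise."""
    return suspected_compromise or (today - last_changed) >= MAX_PASSWORD_AGE


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    for candidate in ("Password1234", "correct-horse-42x"):
        print(candidate, check_user_password(candidate))
    print("svc:", check_system_password("alllowercase1234567"))
    print("rotation due:", rotation_due(date(2023, 1, 4), date(2024, 1, 4)))
```

The user check deliberately accepts letters of either case plus a digit, matching the "alphanumeric" wording for user passwords, while the system check demands all four classes; the blocklist comparison is case-insensitive so that trivial capitalisation of a known-weak value does not slip through.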


In addition to compliance and authentication, v4.0 also has expanded data encryption to “trusted networks,” broadening requirements for encrypting cardholder data, for example, while a business waits for authorization.


Finally, v4.0 sets the requirement for data discovery services to find all sources and locations of cleartext primary account numbers (PAN) at least once every 12 months. Discovery must also occur upon significant changes to the cardholder data environment or its supporting operational processes. The aim is to prevent malicious access to the environment: once malicious code is embedded in the network, cardholder data can be accessed at weak points in the data transmission path as authorization takes place.
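As an added illustration of what a cleartext-PAN discovery pass looks like in practice (this is example code, not Optiv's or the PCI SSC's), the scanner below finds candidate 13 to 19 digit runs in text, keeps only those that pass the Luhn check to cut false positives from order numbers and phone numbers, and reports each hit by source and line with the PAN masked, so the scan report does not itself become a new cleartext PAN location. The sample text and the `scan_text`/`scan_files` names are this example's own constructions.

```python
"""Minimal cleartext-PAN discovery over text, illustrating the annual discovery
requirement. Added example, not Optiv's or the PCI SSC's code."""
import re
from typing import Iterable, Iterator, List, NamedTuple

# Runs of 13-19 ASCII digits, optionally separated by single spaces or hyphens,
# not adjacent to further digits (so a 20-digit run is never split into a hit).
_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


class Finding(NamedTuple):
    source: str
    line_no: int
    masked_pan: str  # first 6 and last 4 digits visible, rest masked


def luhn_valid(digits: str) -> bool:
    """Standard Luhn (mod 10) check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep BIN and last four, mask the middle, so the report holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(source: str, text: str) -> Iterator[Finding]:
    """Yield one Finding per Luhn-valid candidate, line by line."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                yield Finding(source, line_no, mask_pan(digits))


def scan_files(paths: Iterable[str]) -> List[Finding]:
    """Scan each path as text; binary content is decoded with replacement chars."""
    findings: List[Finding] = []
    for p in paths:
        with open(p, "r", errors="replace") as f:
            findings.extend(scan_text(p, f.read()))
    return findings


# Constructed sample: a log line with a spaced test PAN, a phone number and a
# 16-digit value that fails Luhn, and a tokenised record with no PAN at all.
SAMPLE = """order_id=88213 card=4111 1111 1111 1111 exp=12/26
customer phone 555-0100-1234 ref 4111111111111112
token=tok_9f8e7d6c (no PAN stored)
"""


if __name__ == "__main__":
    for finding in scan_text("constructed-sample", SAMPLE):
        print(f"{finding.source}:{finding.line_no}: {finding.masked_pan}")
```

Running it against the constructed sample reports only the first line, masked as `411111******1111`; the non-Luhn value on line 2 is ignored. In a real environment the same routine would be pointed at log directories, database exports and file shares, and the hit list fed into remediation (tokenisation, truncation or deletion) rather than stored alongside the data it found.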


In closing, PCI DSS v4.0 will be a significant change for everyone involved in the payment card industry. In the meantime, expect plenty of debate, new council-issued guidelines and requirement clarifications leading up to March 2024 and beyond.

Security Consultant II | Optiv
Security Consultant II, PCI Advisory Services, MPM, CISA, CIA, CISSP, QSA, CDPSE, PCIP
Technical Manager | Optiv
Technical Manager, Strategy and Risk Services, CISSP, CISM, CISA, BSI ISO 22301 LA
