PCI DSS 4.0: What's New & How to Prepare for the Latest Version
Quick Answer
PCI DSS 4.0 introduces 64 new requirements including the customized approach, expanded MFA for all CDE access, 12-character minimum passwords, payment page script management, and targeted risk analysis. The standard became mandatory March 31, 2024, with future-dated requirements effective March 31, 2025.
PCI DSS 4.0 Overview
PCI DSS 4.0 represents the most significant update to the Payment Card Industry Data Security Standard since its inception. Released in March 2022, it introduces 64 new requirements, the customized approach for meeting security objectives, and modernized guidance for cloud, mobile, and IoT environments.
Key Takeaways
- 64 new requirements beyond what PCI DSS 3.2.1 required
- PCI DSS 3.2.1 was retired on March 31, 2024 — v4.0 is now the only active standard
- 13 future-dated requirements became mandatory on March 31, 2025
- The customized approach allows flexible methods to meet security objectives
- Major areas of change: authentication (Req 8), payment page security (Req 6), and risk analysis (Req 12)
Key Dates and Timeline
PCI DSS 4.0 Transition Timeline
- March 2022: PCI DSS 4.0 released alongside 3.2.1
- March 2024: PCI DSS 3.2.1 retired — v4.0 is the only active standard for all assessments
- June 2024: PCI DSS 4.0.1 released with minor clarifications (no new requirements)
- March 2025: All future-dated requirements in v4.0 become mandatory — organizations must now comply with all 64 new requirements
- Ongoing: All assessments and SAQs must be completed against PCI DSS 4.0/4.0.1
The Customized Approach
The customized approach is the biggest conceptual change in PCI DSS 4.0. It allows organizations to meet the security objective of a requirement using alternative methods, rather than following the prescriptive "defined approach." This provides flexibility for innovative security architectures.
Customized Approach vs Defined Approach
Pros
- Flexibility to use innovative security technologies and architectures
- Focus on outcomes rather than prescriptive checklists
- Accommodates modern cloud-native and zero-trust environments
- Can be applied requirement-by-requirement (mix and match with defined approach)
- Better suited for organizations with mature security programs
Cons
- Requires documented targeted risk analysis for each customized control
- QSAs may have limited experience evaluating customized approaches
- More evidence and documentation required than the defined approach
- Not available for all requirements (some must use defined approach)
- Higher assessment costs due to additional QSA evaluation time
Major New Requirements
Authentication Changes (Requirement 8)
| Area | v3.2.1 | v4.0 |
|---|---|---|
| MFA scope | Remote access to CDE only | ALL access to the CDE (interactive login) |
| Password length | 7 characters minimum | 12 characters minimum (8 if system limitation) |
| Service accounts | General guidance | Specific requirements for application/system accounts |
| Failed login lockout | After 6 attempts | After no more than 10 attempts |
| MFA implementation | Basic guidance | Detailed requirements for each authentication factor |
Payment Page Security (Requirements 6 and 11)
PCI DSS 4.0 adds two critical new requirements targeting web skimming attacks (Magecart-style) on e-commerce payment pages:
- Requirement 6.4.3: Every script loaded and executed on a payment page must be inventoried with a written justification, explicitly authorized, and have its integrity confirmed. Content Security Policy (CSP) and Subresource Integrity (SRI) are the usual mechanisms for enforcing authorization and integrity.
- Requirement 11.6.1: Deploy a change-and-tamper detection mechanism that monitors the HTTP headers and the content of payment pages as received by the consumer browser, and alert on unauthorized modifications.
Targeted Risk Analysis (Requirement 12)
PCI DSS 4.0 replaces many prescriptive frequencies ("do X quarterly") with targeted risk analysis — organizations determine the appropriate frequency for periodic activities based on their own risk assessment. This applies to activities like:
- Frequency of password changes
- Review of access privileges
- Log review frequency beyond daily automated review
- Malware scan frequency for systems not considered at risk
- POI device inspection frequency
Migration Checklist
PCI DSS 4.0 Migration Action Items
- Assess all 64 new requirements against your current environment
- Implement MFA for all interactive access to the CDE
- Update password policies to 12-character minimum
- Inventory and manage all scripts on payment pages (Req 6.4.3)
- Deploy payment page tamper detection (Req 11.6.1)
- Create targeted risk analyses for all frequency-based requirements
- Review and update security awareness training program
- Implement automated log review mechanisms
- Review service/application account management processes
- Update SAQ or prepare for ROC assessment against v4.0
- Decide on defined vs customized approach for each requirement
- Update incident response plan with current card brand notification procedures
PCI DSS 4.0 by the numbers
- 64 new requirements: net-new requirements added in PCI DSS 4.0
- 51 immediately effective: requirements that applied starting March 2024
- 13 future-dated: requirements that became mandatory March 2025
- 2 validation approaches: the defined approach and the customized approach
Is PCI DSS 3.2.1 still valid?
No. PCI DSS 3.2.1 was retired on March 31, 2024. All assessments, SAQs, and compliance validations must be performed against PCI DSS 4.0 (or 4.0.1). Organizations still referencing v3.2.1 are non-compliant.
What are future-dated requirements?
Future-dated requirements are new requirements in PCI DSS 4.0 that were considered best practices until March 31, 2025, after which they became mandatory. Examples include payment page script management (6.4.3), automated log review mechanisms (10.4.1.1), and enhanced MFA requirements (8.4.2).
Do I need to use the customized approach?
No. The customized approach is optional. Most organizations will continue using the defined approach (following prescriptive requirements as-is). The customized approach is best suited for organizations with mature security programs that use innovative technologies not covered by the defined approach.
How much does PCI DSS 4.0 migration cost?
Migration costs depend on your gap from 3.2.1 to 4.0. Organizations with minimal gaps may spend $10,000-$30,000 on updates. Those needing significant changes (MFA deployment, payment page security, automated log review) could spend $50,000-$200,000 or more.