
PCI DSS v4.0 — Key Changes and What They Mean for Your Business

PCI DSS v4.0 represents the most significant update to the Payment Card Industry standard in over a decade. Here is what merchants and service providers need to know to stay compliant.


Overview of PCI DSS v4.0

The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 was published by the PCI Security Standards Council (PCI SSC) in March 2022, with version 4.0.1 released in June 2024 as a limited revision that clarifies wording and guidance without adding or removing requirements. PCI DSS v3.2.1 was officially retired on 31 March 2024, and v4.0 itself was retired on 31 December 2024, so v4.0.1 is now the only active version of the standard; everything described below applies equally to v4.0 and v4.0.1.

The update reflects over four years of industry feedback and addresses the evolving threat landscape facing payment card data. Key objectives include promoting security as a continuous process, increasing flexibility for organisations to achieve security outcomes, and enhancing validation methods and procedures.

The Customised Approach

One of the most significant introductions in v4.0 is the Customised Approach. Historically, PCI DSS required organisations to meet each requirement through a prescribed, defined method (now called the defined approach). The customised approach allows an organisation to meet the stated Customised Approach Objective of a requirement using a control of its own design, provided it can demonstrate that the control meets that objective at least as effectively as the defined requirement would.

This is distinct from the existing compensating controls mechanism, which remains available and is reserved for cases where a legitimate technical or documented business constraint prevents a defined requirement from being met as written. The customised approach is a deliberate design choice made up front, not a remedy for a gap found at assessment time. Under the customised approach, organisations must:

  • Document the customised control, the requirement it applies to and how it meets the stated objective (the controls matrix)
  • Perform and document a targeted risk analysis that evaluates the effectiveness of the control
  • Have a Qualified Security Assessor (QSA) derive testing procedures specific to the control, perform them and validate the approach

The customised approach is designed for mature organisations with robust risk management capabilities. It is not a shortcut; it typically requires more documentation and more rigorous assessment than the defined approach. It is also only available in a full Report on Compliance (ROC): entities validating through a Self-Assessment Questionnaire (SAQ) must use the defined approach. Within a ROC the two approaches can be mixed requirement by requirement.

Enhanced Authentication Requirements

PCI DSS v4.0 strengthens authentication controls significantly:

  • Multi-factor authentication (MFA) is now required for all access into the cardholder data environment (CDE) (Requirement 8.4.2), not just remote access. This is a major expansion from v3.2.1, which required MFA only for non-console administrative access to the CDE and for remote network access originating from outside the entity's network. Remote access from outside the network still requires MFA in its own right (8.4.3).
  • Password requirements have been updated (8.3.6): minimum length increases from 7 to 12 characters (or 8 characters if the system does not support 12), and passwords must contain both numeric and alphabetic characters. Where a password is the only authentication factor for user access, it must be changed at least every 90 days or the account's security posture must be analysed dynamically (8.3.9).
  • Service account management is explicitly addressed (8.6.1 to 8.6.3): interactive login with application and system accounts must be prevented unless needed for an approved exceptional circumstance, their passwords must not be hard-coded in scripts, configuration files or custom source code, and they must be changed at a frequency set by a targeted risk analysis.
  • User accounts and their access privileges, including third-party and vendor accounts, must be reviewed at least once every six months to ensure they remain appropriate (7.2.4).

Encryption and Key Management Updates

The standard introduces several important changes to cryptographic controls:

  • Organisations must maintain an inventory of the trusted keys and certificates used to protect PAN during transmission, and confirm that certificates are valid and neither expired nor revoked (4.2.1 and 4.2.1.1)
  • Disk-level or partition-level encryption may still be used on its own for removable electronic media, but on non-removable storage it is no longer acceptable as the sole mechanism for rendering primary account numbers (PAN) unreadable; a second mechanism such as truncation, tokenisation or column-level encryption is required (3.5.1.2)
  • Hashing requirements are clarified: where hashing is used to render PAN unreadable, it must be a keyed cryptographic hash (HMAC, CMAC or GMAC) of the entire PAN, with the key managed under the same controls as an encryption key (3.5.1.1)
  • Cryptographic cipher suites and protocols in use must be inventoried, industry deprecations monitored, and a documented plan maintained for migrating away from protocols and suites before they cease to be considered strong cryptography (12.3.3)
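Why the keyed-hash rule matters is easiest to see with code. The Python below is an added example, not code from this page or from the PCI SSC. It uses the well-known synthetic test number 4111 1111 1111 1111 and shows that a plain SHA-256 of a PAN can be inverted from information an attacker usually has (the issuer BIN plus the last four digits printed on receipts) in about 10^5 guesses, because the Luhn check digit removes one further degree of freedom. An HMAC over the same PAN withstands the same search without the key; the key is then what protects the cardholder data and needs the key-management controls of Requirements 3.6 and 3.7. The helper names, the BIN/last-four split and the attacker model are assumptions of the example.

```python
"""Keyed vs unkeyed hashing of a PAN (added example). SAMPLE_PAN is the synthetic
test number 4111 1111 1111 1111, not a real card."""
import hashlib
import hmac
import itertools
import secrets
from typing import Optional

SAMPLE_PAN = "4111111111111111"           # constructed, Luhn-valid test number
_DOUBLE = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]  # Luhn value of a doubled digit 0..9


def luhn_sum(digits: str) -> int:
    """Luhn sum: counting from the rightmost digit, every second digit is doubled
    (9 subtracted when the result exceeds 9). Valid when the sum is a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += _DOUBLE[d] if i % 2 == 1 else d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_sum(pan) % 10 == 0


def complete_luhn(prefix: str, suffix: str) -> str:
    """Insert between prefix and suffix the single digit that makes the PAN Luhn-valid."""
    base = luhn_sum(prefix + "0" + suffix)   # contribution of every fixed digit
    need = (-base) % 10                      # value the missing position must contribute
    doubled = len(suffix) % 2 == 1           # positions are counted from the right
    digit = _DOUBLE.index(need) if doubled else need
    return prefix + str(digit) + suffix


def unkeyed_hash(pan: str) -> str:
    """What a v3.2.1-era implementation may have stored: plain SHA-256 of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """What Requirement 3.5.1.1 asks for: a keyed hash (HMAC-SHA256 here) over the
    entire PAN. The key is cryptographic key material and falls under Requirements 3.6/3.7."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def matches_keyed(pan: str, key: bytes, stored: str) -> bool:
    """Constant-time comparison when checking a presented PAN against a stored digest."""
    return hmac.compare_digest(keyed_hash(pan, key), stored)


def recover_pan(digest: str, bin_digits: str, last4: str, pan_length: int = 16) -> Optional[str]:
    """Attacker's view: the BIN is public and the last four appear on receipts, so only
    the middle digits are unknown, and Luhn fixes one of them. For a 16-digit PAN with a
    6-digit BIN that leaves 10**5 candidates, one SHA-256 each. Returns the PAN or None."""
    free = pan_length - len(bin_digits) - len(last4) - 1
    for combo in itertools.product("0123456789", repeat=free):
        candidate = complete_luhn(bin_digits + "".join(combo), last4)
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


def demo() -> dict:
    """Invert the unkeyed digest, then run the same search against a keyed digest:
    it fails because the attacker lacks the key, not because the PAN is unknown."""
    key = secrets.token_bytes(32)            # in production: generated and stored under Req. 3.6/3.7
    unkeyed = unkeyed_hash(SAMPLE_PAN)
    keyed = keyed_hash(SAMPLE_PAN, key)
    return {
        "recovered_from_unkeyed": recover_pan(unkeyed, SAMPLE_PAN[:6], SAMPLE_PAN[-4:]),
        "recovered_from_keyed": recover_pan(keyed, SAMPLE_PAN[:6], SAMPLE_PAN[-4:]),
        "keyed_verifies": matches_keyed(SAMPLE_PAN, key, keyed),
    }


if __name__ == "__main__":
    print(demo())
```

The search succeeds because the candidate space is tiny, not because SHA-256 is weak: truncating the hash, hashing only part of the PAN, or appending a "salt" that is stored next to the digest does not change the arithmetic. Only a secret the attacker cannot obtain does, which is why the standard specifies keyed hashes and ties them to key management rather than simply asking for a stronger hash function.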

Targeted Risk Analysis

PCI DSS v4.0 introduces a formalised concept of targeted risk analysis (TRA), which applies in two contexts:

TRA for the customised approach: Each customised control must be supported by a documented risk analysis that evaluates the effectiveness of the control in meeting the stated security objective.

TRA for flexible requirements: Several requirements in v4.0 allow organisations to determine the frequency of certain activities (such as log reviews for systems outside the daily-review scope, periodic malware scans, service-account password changes, POI device inspections or remediation of lower-ranked vulnerabilities) based on a documented risk analysis rather than a fixed schedule. This acknowledges that a one-size-fits-all frequency is not always appropriate.

Targeted risk analyses must be documented, performed at least once every 12 months and updated when significant changes occur (12.3.1); a TRA supporting a customised control must in addition be approved by senior management (12.3.2).

Other Notable Changes

E-commerce and browser security: New requirements address payment page integrity. Requirement 6.4.3 calls for an inventory of every script loaded and executed in the consumer's browser on payment pages, with each script authorised and its integrity assured, and Requirement 11.6.1 calls for a change-and-tamper-detection mechanism that alerts personnel to unauthorised modifications to the HTTP headers and the script contents of payment pages as received by the browser, run at least once every seven days or at a frequency set by a targeted risk analysis. This directly responds to the threat of Magecart-style web skimming attacks, in which injected JavaScript copies card data out of the checkout form before it ever reaches the merchant.
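Requirement 11.6.1 does not prescribe a product, and a useful first cut can be built from the script inventory that 6.4.3 already requires. The Python below is an added illustration, not code from this page or a PCI SSC reference implementation. It records, for an authorised baseline, an SRI-style digest of every script on the payment page (external scripts by src, inline scripts by body) and the values of the security headers that matter, then compares a later observation against that baseline and reports every difference as a finding. The HTML, script bodies, headers and the attacker host static.example-cdn.invalid are all constructed for the example; in a real deployment the observed page and scripts are fetched as a customer's browser would see them, from outside the merchant's own network.

```python
"""Change-and-tamper detection for a payment page (added example): script inventory
with integrity digests plus security-header comparison. All page content, script
bodies, headers and hostnames below are constructed for illustration."""
import base64
import hashlib
from html.parser import HTMLParser
from typing import Dict, List


def sri_hash(content: bytes) -> str:
    """Subresource Integrity digest in the form browsers accept in integrity="...":
    'sha384-' followed by the base64 digest. Pinning the same value in the <script>
    tag makes the browser itself refuse a modified file."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


class _ScriptCollector(HTMLParser):
    """Collects every <script> on the page: external ones by src, inline ones by body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[dict] = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        if self._open is not None:           # HTMLParser delivers script text as data
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def page_inventory(html: str, fetched: Dict[str, bytes]) -> Dict[str, str]:
    """Map each script to its integrity digest. `fetched` holds the bytes the monitor
    retrieved for each external src; a src it could not retrieve is flagged as such."""
    parser = _ScriptCollector()
    parser.feed(html)
    inventory: Dict[str, str] = {}
    inline_count = 0
    for script in parser.scripts:
        src = script["src"]
        if src:
            inventory[src] = sri_hash(fetched[src]) if src in fetched else "UNRESOLVED"
        else:
            inline_count += 1
            inventory[f"inline#{inline_count}"] = sri_hash(script["body"].strip().encode())
    return inventory


# Headers whose change on a payment page is itself a finding.
MONITORED_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")


def detect_tampering(baseline_scripts: Dict[str, str], baseline_headers: Dict[str, str],
                     observed_html: str, observed_fetch: Dict[str, bytes],
                     observed_headers: Dict[str, str]) -> List[str]:
    """Compare an observation against the authorised baseline; every difference is a finding."""
    findings: List[str] = []
    observed = page_inventory(observed_html, observed_fetch)
    for name, digest in observed.items():
        if name not in baseline_scripts:
            findings.append(f"unauthorised script added: {name}")
        elif baseline_scripts[name] != digest:
            findings.append(f"authorised script changed: {name}")
    for name in baseline_scripts:
        if name not in observed:
            findings.append(f"authorised script missing: {name}")
    base = {k.lower(): v for k, v in baseline_headers.items()}
    obs = {k.lower(): v for k, v in observed_headers.items()}
    for header in MONITORED_HEADERS:
        if base.get(header) != obs.get(header):
            findings.append(f"security header changed: {header}: {base.get(header)!r} -> {obs.get(header)!r}")
    return findings


# Constructed baseline: the authorised payment page, its one external script and its headers.
BASELINE_HTML = """<html><head><script src="/static/checkout.js"></script></head>
<body><form id="payment" action="/pay" method="post"><input name="pan"></form>
<script>document.getElementById("payment").addEventListener("submit", function () {});</script>
</body></html>"""
BASELINE_FETCH = {"/static/checkout.js": b"window.checkout = {version: 1};"}
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self'",
                    "Strict-Transport-Security": "max-age=31536000"}
BASELINE_SCRIPTS = page_inventory(BASELINE_HTML, BASELINE_FETCH)

# Constructed later observation: a skimmer script from an unauthorised host has been
# injected and the CSP loosened so the browser will load it. The host is fictitious.
SKIMMER_SRC = "https://static.example-cdn.invalid/lib.js"
TAMPERED_HTML = BASELINE_HTML.replace("</body>", f'<script src="{SKIMMER_SRC}"></script></body>')
TAMPERED_FETCH = dict(BASELINE_FETCH, **{SKIMMER_SRC: b"/* copies form fields to a third party */"})
TAMPERED_HEADERS = {"Content-Security-Policy": "script-src *",
                    "Strict-Transport-Security": "max-age=31536000"}


def run_demo() -> List[str]:
    return detect_tampering(BASELINE_SCRIPTS, BASELINE_HEADERS,
                            TAMPERED_HTML, TAMPERED_FETCH, TAMPERED_HEADERS)


if __name__ == "__main__":
    for finding in run_demo():
        print("ALERT:", finding)
```

Pinning the computed digests in integrity attributes, together with a Content-Security-Policy whose script-src lists only the authorised hosts, turns the inventory into a preventive control enforced by the browser, while the comparison above remains the detective control 11.6.1 asks for. Scripts that legitimately change on every load (tag managers, A/B testing libraries) cannot be pinned to a fixed digest and need an authorised-change process instead, which is exactly the inventory-and-authorisation record 6.4.3 requires.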

Automated log review: Organisations must use automated mechanisms to perform log reviews (10.4.1.1), reducing reliance on manual review processes that are prone to error and inconsistency. The scope of daily review is unchanged: all security events, logs of all system components that store, process or transmit cardholder data, logs of critical system components, and logs of servers and components performing security functions (10.4.1).

Internal vulnerability management: Authenticated internal vulnerability scanning is now required (11.3.1.2), with the scanning accounts managed like any other system account under Requirement 8. High-risk and critical vulnerabilities (as ranked under Requirement 6.3.1) found by internal scans must be resolved and confirmed by rescan, and lower-ranked vulnerabilities must be addressed at a frequency set by a targeted risk analysis (11.3.1 and 11.3.1.1).

Security awareness training: Training programmes must now include awareness of phishing and related social engineering threats (12.6.3.1), and organisations must implement technical anti-phishing mechanisms such as email authentication (DMARC, SPF, DKIM) and link or attachment scrubbing (5.4.1).

Compliance Timeline

Understanding the timeline is critical for planning:

  • 31 March 2024: PCI DSS v3.2.1 retired; v4.0 becomes the sole active standard
  • 31 March 2025: All future-dated requirements in v4.0 become mandatory (these were previously identified as best practices)

As of early 2026, all PCI DSS v4.0 requirements, including the previously future-dated items, are now fully enforceable. Organisations that have not yet implemented these controls are non-compliant and should take immediate action.

Impact by Merchant Level

The impact of PCI DSS v4.0 varies by merchant and service provider level:

  • Level 1 merchants (over 6 million transactions annually) and Level 1 service providers (over 300,000 transactions annually under the Visa and Mastercard programmes; thresholds vary by card brand) must undergo an annual on-site assessment by a QSA or a qualified Internal Security Assessor (ISA), documented in a Report on Compliance (ROC). The customised approach and targeted risk analysis requirements will have the greatest impact here, as assessors must validate these in detail.
  • Level 2 merchants (1–6 million transactions) typically complete a Self-Assessment Questionnaire (SAQ) but may require a QSA or ISA depending on acquirer and card brand requirements. The expanded MFA and password requirements will demand infrastructure updates.
  • Level 3 and 4 merchants (under 1 million transactions) complete SAQs. While the assessment burden is lighter, they must still comply with all applicable v4.0 requirements, including the updated authentication and e-commerce controls, and because the customised approach is not available on an SAQ, every requirement in scope must be met as defined.

Preparing Your Organisation

BALTUM recommends the following steps for organisations navigating the transition:

  • Conduct a detailed gap analysis against PCI DSS v4.0, paying particular attention to the previously future-dated requirements that are now mandatory
  • Prioritise MFA deployment across the CDE and all administrative access
  • Implement automated log review and authenticated vulnerability scanning
  • Review and update encryption and key management practices
  • Develop payment page monitoring for e-commerce environments
  • Train internal audit, ISA and compliance staff on the customised approach and TRA methodology, and agree with your QSA early on which requirements, if any, will use the customised approach

BALTUM provides PCI DSS gap assessments, remediation planning, policy development, and ongoing compliance support for merchants and service providers at all levels. Contact us to discuss your compliance programme.