PCI DSS v4.0 Changes
The transition from v3.2.1 to v4.0
PCI DSS v4.0 was published in March 2022 and represents the most significant update to the standard since its inception. The PCI Security Standards Council designed v4.0 to address the evolving threat landscape, accommodate modern security technologies, and shift the compliance mindset from point-in-time validation to continuous security.
PCI DSS v3.2.1 was retired on March 31, 2024. All assessments conducted after that date must use PCI DSS v4.0. Additionally, a set of future-dated requirements originally designated as best practices became mandatory on March 31, 2025. Organizations that have not already adapted their PCI DSS compliance programs to v4.0 face immediate compliance gaps.
Key structural changes
The customized approach
The most significant structural change in PCI DSS v4.0 is the introduction of the customized approach as a formal validation method. Under v3.2.1, organizations had two options: meet the defined requirement as stated or implement a compensating control. PCI DSS v4.0 adds a third path, the customized approach.
Defined approach - Meet the requirement exactly as stated, using the prescribed testing procedures. This is the traditional approach and remains available for all requirements.
Customized approach - Meet the stated security objective of a requirement using alternative controls or methods that the organization designs. The assessor validates that the customized implementation achieves the same security outcome as the defined requirement.
The customized approach provides flexibility for organizations with mature security programs that have implemented innovative controls not contemplated by the prescriptive requirements. However, it comes with additional documentation requirements:
- A controls matrix documenting how the custom implementation meets the security objective
- A targeted risk analysis supporting the approach
- Testing procedures defined by the assessor to validate the implementation
- More detailed documentation than the defined approach requires
The customized approach is not available for all requirements. Certain foundational requirements, such as not storing sensitive authentication data after authorization, must be met using the defined approach.
Targeted risk analysis
PCI DSS v4.0 introduces a formal targeted risk analysis methodology that allows organizations to determine the appropriate frequency for certain recurring activities. Under v3.2.1, many frequencies were prescriptively defined (for example, quarterly reviews). Under v4.0, organizations can perform a documented risk analysis to justify different frequencies for activities such as:
- Log review frequency
- Password change intervals
- Detection mechanism alert tuning
- Review of user accounts and access privileges
Each targeted risk analysis must be documented, approved by management, and reviewed at least annually. The analysis must consider threat likelihood, potential impact, and the effectiveness of existing controls. This approach acknowledges that a one-size-fits-all frequency may not be appropriate for every organization.
New and expanded requirements
Multi-factor authentication expansion
PCI DSS v3.2.1 required multi-factor authentication (MFA) for remote access to the CDE and for non-console administrative access. PCI DSS v4.0 expands MFA requirements significantly:
- MFA is now required for all access into the cardholder data environment, not just remote access
- This applies to all personnel, not just administrators
- MFA systems must be resistant to replay attacks and cannot be bypassed by any user, including administrators, without explicit exception documentation
- MFA implementations must use at least two different authentication factors (something you know, something you have, something you are)
This change reflects the reality that credential theft is a leading attack vector and that internal network access alone should not be sufficient to reach cardholder data systems.
Enhanced password requirements
The minimum password length increased from 7 characters to 12 characters (or 8 characters if the system cannot support 12). PCI DSS v4.0 also encourages the use of passphrases and reduces the emphasis on forced periodic password changes when other compensating controls (such as MFA) are in place. This aligns with modern guidance from NIST SP 800-63B.
E-commerce and payment page protections
PCI DSS v4.0 added multiple requirements targeting e-commerce security, driven by the rise of Magecart-style attacks that inject malicious scripts into payment pages:
- Requirement 6.4.3 - All payment page scripts that are loaded and executed in the consumer's browser must be managed. Organizations must maintain an inventory of scripts, justify each script's presence, and implement a method to ensure script integrity.
- Requirement 11.6.1 - A change and tamper detection mechanism must monitor payment pages for unauthorized modifications. HTTP headers and scripts on payment pages must be evaluated for changes at least weekly or through an automated mechanism.
These requirements apply to any organization whose website hosts or influences payment pages, even if actual card data processing is outsourced to a third party.
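As an added illustration (not code from this page or from the PCI SSC), the following Python check shows the kind of mechanism Requirements 6.4.3 and 11.6.1 describe: it parses the served payment page, compares every external script against the approved inventory (URL plus Subresource Integrity digest), re-hashes the script bodies actually served, and diffs security-relevant HTTP headers against a baseline. All hosts, script bodies and header values are constructed sample data, and the inventory format is an assumption of this example.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_digest(body, algo="sha384"):
    """Subresource Integrity string ('sha384-<base64>') for a script body."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"

class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> on the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def check_payment_page(html, headers, fetched, baseline):
    """Compare an observed page with the approved baseline; return a list of findings.
    baseline = {"scripts": {url: sri}, "headers": {name: value}} is the 6.4.3 inventory;
    fetched = {url: served body bytes}, so script content is checked, not only the markup."""
    findings, seen = [], set()
    collector = ScriptCollector()
    collector.feed(html)
    for src, integrity in collector.scripts:
        seen.add(src)
        approved = baseline["scripts"].get(src)
        if approved is None:
            findings.append(f"unauthorized script: {src}")  # not in the inventory
            continue
        if integrity != approved:
            findings.append(f"integrity attribute missing or wrong: {src}")
        if src not in fetched or sri_digest(fetched[src]) != approved:
            findings.append(f"script content changed: {src}")
    findings += [f"approved script missing: {s}" for s in baseline["scripts"] if s not in seen]
    findings += [f"header changed: {n}" for n, v in baseline["headers"].items() if headers.get(n) != v]
    return findings

# Constructed sample data (hypothetical hosts; not from any real site).
PSP_URL = "https://psp.example.test/sdk.js"
PSP_JS = b"window.tokenize = function (pan) { /* PSP SDK */ };"
BASELINE = {"scripts": {PSP_URL: sri_digest(PSP_JS)},
            "headers": {"Content-Security-Policy": "script-src 'self' https://psp.example.test"}}
OBSERVED_HTML = (f'<script src="{PSP_URL}" integrity="{BASELINE["scripts"][PSP_URL]}"></script>'
                 '<script src="https://unknown-cdn.example.test/a.js"></script>')  # unapproved
OBSERVED_HEADERS = {"Content-Security-Policy": "script-src *"}  # weakened CSP
def demo():
    return check_payment_page(OBSERVED_HTML, OBSERVED_HEADERS, {PSP_URL: PSP_JS}, BASELINE)
```

Run on a schedule (or on each deploy) against the live checkout URL and alert on any non-empty result; the weekly frequency in 11.6.1 is the ceiling, not the target.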
Anti-phishing mechanisms
Requirement 5.4.1 introduced an explicit mandate for mechanisms to detect and protect personnel against phishing attacks. This includes technical controls such as email filtering, link analysis, and domain-based authentication (DMARC, DKIM, SPF), along with security awareness training specifically addressing phishing threats.
Automated log review
Requirement 10.4.1.1 introduced automated mechanisms for performing audit log reviews. While v3.2.1 allowed manual log review processes, v4.0 acknowledges that the volume and velocity of modern log data make manual review impractical. Organizations should implement SIEM solutions or equivalent tools that can automatically detect anomalies and generate alerts.
Encryption and key management updates
PCI DSS v4.0 strengthened requirements around encryption, clarifying that disk-level or partition-level encryption alone is no longer acceptable for protecting stored cardholder data on electronic media (Requirement 3.5.1.2). This requirement specifically targets environments that relied solely on full-disk encryption solutions like BitLocker or FileVault without additional application-layer encryption.
Future-dated requirements now mandatory
Several requirements in PCI DSS v4.0 were initially classified as best practices with a future effective date of March 31, 2025. These are now mandatory for all assessments:
- Req 3.5.1.2 - Disk-level encryption restrictions for removable electronic media
- Req 5.3.3 - Anti-malware scans for removable electronic media
- Req 5.4.1 - Anti-phishing mechanisms
- Req 6.4.3 - Payment page script management and integrity
- Req 7.2.5 - Application and system account access review
- Req 8.3.6 - Minimum 12-character passwords
- Req 8.4.2 - MFA for all CDE access
- Req 8.6.3 - Passwords for application and system accounts managed per defined criteria
- Req 10.4.1.1 - Automated log review mechanisms
- Req 10.7.2 - Detection and alerting for critical security control failures
- Req 11.6.1 - Payment page change and tamper detection
- Req 12.3.1 - Targeted risk analysis documentation for flexible requirement frequencies
Organizations that deferred these requirements during the transition period must now have them fully implemented and operational.
Impact on SAQs and compliance levels
PCI DSS v4.0 updated all SAQ types to reflect the new and modified requirements. Key changes for self-assessing merchants include:
- SAQ A-EP now includes questions related to payment page script management and integrity monitoring
- SAQ C and SAQ D incorporate the expanded MFA and password requirements
- All SAQ types reflect the updated requirement numbering and language
For organizations at different PCI DSS compliance levels, the impact varies. Level 1 merchants undergoing ROC assessments face the most comprehensive changes, while Level 4 merchants using SAQ A may see minimal impact if their payment processing is fully outsourced.
Preparing for ongoing compliance
The shift in PCI DSS v4.0 toward continuous security rather than annual compliance validation requires organizations to rethink their approach:
- Build monitoring into daily operations rather than scrambling before assessments
- Automate evidence collection to maintain continuous compliance readiness
- Invest in targeted risk analysis documentation as a core compliance activity
- Review and update scope regularly, leveraging scope reduction strategies to minimize the compliance burden
- Train teams on the new requirements, particularly around script management and MFA changes
Organizations in the fintech industry that handle payment data should treat the v4.0 transition as an opportunity to mature their security programs. The flexibility offered by the customized approach and targeted risk analysis rewards organizations that invest in understanding their threat landscape and building security controls tailored to their specific risks.