Updates to the PCI-DSS: version 4.0

Details about version 4.0 of the Payment Card Industry Data Security Standard (PCI-DSS) were recently published, and although the current version (3.2.1) remains valid until March 2024, organisations must prepare now.

Up until now, the standard has been rigid with little flexibility on how organisations can meet its requirements, but PCI-DSS v4.0 will introduce a new ‘customised approach’.

PCI-DSS v4.0 enables you to substitute your own control(s) to meet PCI-DSS requirements in place of a defined requirement. However, it’s important to recognise that this new flexibility shouldn’t be viewed an easier method.

Strict rules on using the customised approach are aligned and for every customised approach that you adopt.

A customised approach must:

  • Define the control
  • Explain how it operates and how it is maintained
  • Describe how it meets the objective of the original PCI-DSS requirement

Significant changes within PCI-DSS v4.0

Testing and compliance

You are now required to demonstrate how the customised approach has tested that the control has met the objectives. You must also complete a risk assessment for every similar requirement.

Compliance will still be in the form of a compliance assessment, where the Qualified Security Assessor (QSA) will review this information and design their own test procedure for the requirement.


While it has always been the organisation’s responsibility to define and document the scope of its Cardholder Data Environment (CDE) and the QSA’s responsibility to test it, it is now a specific requirement in v4.0 (12.5.2) that the entity defines and documents the scope of the CDE. This includes identifying data flows and segmentation controls.

Risk assessment process

Your organisation will no longer be required to conduct an organisation-wide risk assessment. However, there are new rules related to targeted assessments, which include risk assessments of vulnerabilities identified and how often your organisation conducts the following:

  • Malware scans
  • Point of interaction (POI) device inspections
  • Incident response training
  • Log reviews for ‘other’ system components
  • Assessments of components not at risk of malware
  • Mandatory changes of passwords used for application and system access accounts (elevated permissions)

Information processing environments

Updated information processing – e.g. v4.0 – recognises that network controls, especially cloud environments, do not always use routers and firewalls.

Also included in this section is the importance of strong passwords, mandating that employees’ login credentials are at least 12 characters (or eight if your organisation doesn’t permit longer passwords).

Additionally, v4.0 gives your organisation the option to determine access to resources automatically by dynamically analysing the security posture of accounts, rather than changing passwords every 90 days.

New requirements in PCI-DSS v4.0

New rules within PCI-DSS v4.0 include the mandatory use of:

  • Web application firewalls
  • Automated mechanisms to protect against phishing
  • Automated mechanisms to conduct log reviews
  • Application and system-level accounts

There are also numerous changes to the numbering and wording of requirements, even for requirements that remain the same as v3.2.1. For those organisations who have already prepared policies and procedures that cross-reference to other specific requirements, this means further extensive review and updating is needed.

Act now before the changes take place

We recommend that organisations required to comply with the Payment Card Industry Data Security Standard begin preparing for the roll-out of v4.0 in March 2024 now.

To find out more about the technical requirements to meet the new v4.0 standard and reducing the impact on your resources, speak to our Governance, Risk, and Compliance team.

Arrange a call with us now

Tracey Hannan-Jones
Tracey Hannan-Jones

Tracey is Phoenix's Lead GRC Consultant, with over 25 years' experience across Technical Information Security, Data Governance, and Compliance and Auditing.

See all posts by Tracey Hannan-Jones