PCI DSS

What is PCI DSS 4.0?

PCI DSS 4.0 is the latest standard set by the payment card industry governing the precautions organizations must take to protect credit card information and private customer data. The new standard supersedes PCI DSS v3.2.1 and provides a new set of guidelines for risk mitigation.

The goals behind these additional requirements are to promote security as a continuous process, enhance validation methods and procedures, and give flexibility and support of additional security methodologies.

How to comply with PCI DSS 4.0?

The new version of the PCI DSS standard 4.0 brings expanded requirements, compliance changes, and revised security controls. The single source of truth for all the new changes is the PCI DSS v3.2.1 to PCI DSS v4.0 Summary of Changes document, located in the PCI SSC Document Library.

Once you have a clear understanding of the new updates and requirements, you need to map them against your current security controls and document the steps your organization needs to take to close the gap.

To ensure a smooth transition and on-time implementation ahead of the March 31, 2025 deadline, leaders must ensure clear communication between all teams and stakeholders, with well-defined roles and responsibilities for each requirement.

When is PCI DSS 4.0 required?

PCI DSS 4.0 is largely already in effect, as of March 2024. A subset of eventual new compliance requirements will take effect March 31, 2025. The latter requirements are now classified as “best practices,” but are part of the eventual set of requirements, grouped with “PCI DSS 4.0.1.”

How many new controls are in PCI DSS 4.0?

PCI DSS controls are the security measures that organizations must implement to protect cardholders’ data in their business environment. They are necessary to ensure sensitive customer and payment data safety.

The new PCI DSS 4.0 controls cover most of the same ground as prior versions' requirements but expand on risk mitigation and access control. There are 64 new controls, spread across the 12 primary PCI DSS requirements. For the complete list of new PCI DSS 4.0 controls, refer to the PCI DSS v4.0 Summary of Changes document, located in the PCI SSC Document Library.

How many requirements in PCI DSS 4.0?

There are 12 requirements in PCI DSS 4.0 listed below:

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security for all personnel

What does PCI DSS stand for?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect environments where payment account data is stored, processed, or transmitted.

What is PCI DSS in cybersecurity?

PCI DSS is a comprehensive framework outlining security measures organizations must implement to protect cardholder data from breaches and fraud. It provides guidelines on building and maintaining secure networks, protecting cardholder data, managing vulnerabilities, implementing strong access control measures, monitoring and testing networks regularly, and maintaining information security policies.

Who developed and maintains PCI DSS?

The PCI DSS is developed and maintained by the Payment Card Industry Security Standards Council (PCI SSC). This council was founded by major credit card companies, including Visa, MasterCard, American Express, Discover, and JCB, to oversee the development and management of the PCI DSS and other security standards.

What is the purpose & goal of PCI DSS?

The primary purpose of PCI DSS is to protect cardholder data and reduce credit card fraud. The standard identifies six goals, including building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.

Why was PCI DSS created?

PCI DSS was established to address the increasing incidents of credit card fraud and data breaches. By setting standardized security requirements, the major card brands aimed to protect businesses and consumers from the financial and reputational damages associated with compromised card information.

What does PCI DSS protect?

PCI DSS is designed to protect cardholder data and payment account data. This includes Cardholder Data (CHD) such as the cardholder name, card expiration date, and service code, as well as Sensitive Authentication Data (SAD) such as full track data, card verification codes, and PIN blocks. By ensuring this information is securely handled, stored, and transmitted, PCI DSS minimizes the risk of data breaches and fraud.

When was PCI DSS established?

The PCI DSS was first introduced on December 15, 2004. Since its inception, it has undergone several revisions to address emerging security threats and technological advancements.

What is the latest version of PCI DSS?

The latest version of the Payment Card Industry Data Security Standard (PCI DSS) is version 4.0.1, published in June 2024. This version includes minor corrections and clarifications to enhance the standard's usability and effectiveness. PCI DSS version 4.0 was released on March 31, 2022, introducing updates to address emerging threats and technologies. Organizations were given until March 31, 2024, to transition from version 3.2.1 to version 4.0.

Following this transition, version 4.0.1 became the active standard, with version 4.0 scheduled for retirement on December 31, 2024.

What are the key goals of PCI DSS compliance in healthcare?

PCI DSS compliance protects patients' payment card information during transactions in the healthcare sector.

The primary goals include:

Protecting Cardholder Data

Hospitals and clinics process credit card payments, making them subject to PCI DSS compliance. While they focus on protecting patient data, online portals and third-party billing services can sometimes be left vulnerable. Hackers exploit these weaknesses—outdated software, misconfigured cloud storage, and unencrypted data—to steal payment details.

PCI DSS enforces strict security measures, including encryption, secure key storage, and restricted access. By following these guidelines, healthcare IT teams can prevent breaches, minimize ransomware risks, and keep patient payment data safe.

Preventing Financial Loss

A payment security breach in healthcare isn’t just about stolen card details—it can lead to massive financial losses. Hospitals and clinics risk lawsuits, regulatory fines, and ransom demands that can amount to millions. PCI DSS compliance helps prevent these risks by enforcing strict security measures to protect payment data. It also ensures that third-party vendors handling transactions follow the same standards, reducing the chance of costly mistakes. By staying compliant, healthcare providers safeguard their revenue, avoid financial setbacks, and maintain patient trust in keeping their sensitive information secure.

What is PCI DSS outsourcing? And what are the benefits?

PCI DSS outsourcing is when a company outsources payment processing, data storage, or security functions to a third-party provider that is PCI DSS compliant. Businesses can outsource various aspects of PCI DSS compliance to enhance security and reduce complexity.

The top benefits of PCI DSS outsourcing are:

1. Reduced Scope and Complexity

Outsourcing payment processing, encryption, or tokenization can help businesses reduce their PCI DSS compliance burden by shifting some responsibilities to a third party. This means they don’t have to store card data themselves, making security management easier. However, businesses are still responsible for ensuring their provider is PCI DSS compliant, undergoes regular audits, and follows strong security practices. While outsourcing simplifies compliance, it doesn’t eliminate accountability—companies must still handle and report any data breaches properly.

2. Enhanced Security

Third-party providers specialize in handling payment security. They know how to encrypt data, tokenize card numbers, set up secure authentication, and prevent unauthorized access. They also handle tasks like network segmentation to keep card data storage separate from other business systems. Their expertise includes setting up real-time monitoring, running security tests, and ensuring compliance with PCI DSS rules, which helps businesses meet requirements without needing an in-house security team.

3. Cost Reduction

Maintaining in-house PCI DSS compliance can be expensive due to infrastructure, audits, and personnel. Outsourcing saves money by removing the need for businesses to build and maintain additional secure payment infrastructure. Working with a compliant provider can simplify and accelerate the process, which can result in further savings.

How Can Businesses Check If They Are PCI DSS Compliant?

The first thing a business needs to do is figure out its PCI DSS compliance level. This is based on how many credit card transactions are processed yearly. Knowing the right level helps determine what steps to follow, whether it’s a self-assessment or a full security audit by a professional assessor.
