PCI DSS
What is PCI DSS 4.0?
PCI DSS 4.0 is the latest standard set by the payment card industry governing precautions organizations must take to protect credit card information and private customer data. The new standard obsoletes the current PCI DSS v3.2.1 version and provides a new set of guidelines for risk mitigation.
The goals behind these additional requirements are to promote security as a continuous process, enhance validation methods and procedures, and provide flexibility and support for additional security methodologies.
How to comply with PCI DSS 4.0?
The new version of the PCI DSS standard 4.0 brings expanded requirements, compliance changes, and revised security controls. The single source of truth for all the new changes is the PCI DSS v3.2.1 to PCI DSS v4.0 Summary of Changes document, located in the PCI SSC Document Library.
Once you have a clear understanding of the new updates and requirements, you need to map them against your current security controls and document the steps your organization needs to take to close the gap.
To ensure a smooth transition and on-time implementation ahead of the March 31st, 2025, deadline, leaders must ensure clear communication between all teams and stakeholders, with well-defined roles and responsibilities for each requirement.
When is PCI DSS 4.0 required?
PCI DSS 4.0 is largely already in effect, as of March 2024. A subset of eventual new compliance requirements will take effect March 31, 2025. The latter requirements are now classified as “best practices,” but are part of the eventual set of requirements, grouped with “PCI DSS 4.0.1.”
How many new controls are in PCI DSS 4.0?
PCI DSS controls are the security measures that organizations must implement to protect cardholder data in their business environment. They are necessary to keep sensitive customer and payment data safe.
The new PCI DSS 4.0 controls cover most of the same ground as prior versions' requirements but expand on risk mitigation and access control. There are 64 new controls, spread over the 12 primary PCI DSS requirements. For the complete list of new PCI DSS 4.0 controls, refer to the PCI DSS v4.0 Summary of Changes document, located in the PCI SSC Document Library.
How many requirements are in PCI DSS 4.0?
There are 12 requirements in PCI DSS 4.0, listed below:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel