TL;DR: Quick Takeaways
- PCI-DSS 4.0 introduces the Customized Approach as an alternative to prescriptive requirements
- MFA is now required for all access to the cardholder data environment (CDE)
- New requirements for e-commerce skimming protection and payment page integrity
- Version 3.2.1 retired on March 31, 2024 - all entities must now use v4.0
- Future-dated requirements become mandatory by March 31, 2025
After eight years of PCI-DSS v3.2.1, the Payment Card Industry Security Standards Council released version 4.0 in March 2022, marking the most significant update to the standard since its inception. This isn't just a minor refresh: it's a fundamental reimagining of how organizations can achieve and demonstrate payment security compliance.
Whether you're already PCI-DSS compliant or working toward certification, understanding these changes is critical. The transition period has ended, and all organizations must now comply with v4.0, with additional requirements becoming mandatory in 2025.
In this comprehensive guide, we'll break down every major change, explain what they mean for your organization, and provide a clear migration timeline to ensure you stay compliant.
The Biggest Change: Customized Approach
The most revolutionary addition to PCI-DSS 4.0 is the introduction of the Customized Approach as an alternative to the traditional prescriptive requirements (now called the "Defined Approach").
What is the Customized Approach?
Instead of following specific technical requirements, organizations can now design their own controls that achieve the same security objectives. This is a massive shift from "do this specific thing" to "achieve this security outcome however works best for you."
Defined Approach (Traditional)
- Follow prescriptive requirements
- Clear, specific controls
- Easier to audit
- Best for most organizations
- Lower documentation burden
Customized Approach (New)
- Design your own controls
- Focus on security objectives
- Flexibility for innovation
- Requires extensive documentation
- Must prove equivalent security
When to Consider the Customized Approach:
The Customized Approach is best suited for large enterprises with mature security programs and dedicated compliance teams. You'll need to:
- Document how your controls meet each security objective
- Conduct and document a targeted risk analysis
- Maintain detailed testing procedures
- Work closely with your QSA to validate your approach
Expanded Multi-Factor Authentication (MFA) Requirements
PCI-DSS 4.0 significantly expands MFA requirements, making it mandatory for virtually all access to the cardholder data environment (CDE).
What Changed in v4.0:
OLD (v3.2.1): Requirement 8.3
MFA required only for:
- Remote network access to the CDE
- Administrative access from outside the network
NEW (v4.0): Requirements 8.4 and 8.5
MFA now required for:
- All access into the CDE (not just remote)
- All access to systems that can impact the security of the CDE
- All non-console administrative access
- All remote access to the entity's network (future-dated; mandatory by March 31, 2025)
8.4.2 - Effective Now
MFA for all access into the CDE from internal networks. No more exceptions for "trusted" internal users.
8.5.1 - By March 31, 2025
MFA for all remote access to the entity's network. This includes VPN, remote desktop, and any remote connectivity.
Action Items:
- Implement MFA for all CDE access immediately if not already done
- Plan for organization-wide MFA deployment by March 2025
- Evaluate MFA solutions that support both internal and remote access
- Document all system access points and verify MFA coverage
- Update access control policies and procedures
New E-Commerce and Payment Page Security Requirements
With the rise of web-based payment card skimming attacks (also known as Magecart attacks), PCI-DSS 4.0 introduces new requirements specifically designed to protect payment pages from compromise.
Why This Matters
Payment card skimming attacks have increased by over 200% in recent years. Attackers inject malicious JavaScript into payment pages to steal card data as customers enter it. These new requirements directly address this threat.
Requirement 6.4.3 - Payment Page Integrity
All payment pages must have mechanisms to detect unauthorized changes or tampering. Organizations must:
- Implement script integrity checks (e.g., Subresource Integrity)
- Monitor for unauthorized modifications to payment page code
- Implement Content Security Policy (CSP) headers
- Detect and alert on changes to HTTP headers
- Review payment pages at least quarterly for unauthorized scripts
Requirement 11.6.1 - Change Detection for Payment Pages
Implement automated mechanisms to detect and report on any changes to payment page scripts, specifically:
- Scripts loaded and executed in the customer's browser
- Changes that could affect the integrity of payment pages
- Detection must occur at least weekly (or before updates)
- Alerts must be sent to designated personnel
Implementation Options:
Technical Controls:
- Subresource Integrity (SRI) tags
- Content Security Policy (CSP)
- File integrity monitoring
- JavaScript sandboxing
- Third-party script monitoring tools
Commercial Solutions:
- Magecart protection services
- Client-side security platforms
- Web application firewalls with script monitoring
- Payment page integrity vendors
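The script inventory and change detection that 6.4.3 and 11.6.1 ask for can be reduced to a small baseline comparison. The following is an added example, not code from the article or from any vendor: it records an SRI hash for each approved script, then checks a page's `<script>` tags and the content actually served against that baseline. All URLs, script bodies and the baseline are constructed for illustration.

```python
"""Added example (not from the article): inventory the scripts on a payment page and detect
unauthorized changes against an approved baseline (PCI-DSS 4.0 req. 6.4.3 and 11.6.1).
URLs, script bodies and the baseline below are constructed for illustration."""
import base64
import hashlib
import re

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""(\w+)=["']([^"']*)["']""")

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity value ('sha384-<base64 digest>') for a script body."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"

def inventory_scripts(html: str) -> list[dict]:
    """List every <script> tag with its src and integrity attributes (the 11.6.1 inventory)."""
    return [
        {"src": a.get("src"), "integrity": a.get("integrity")}
        for a in (dict(ATTR.findall(m.group(1))) for m in SCRIPT_TAG.finditer(html))
    ]

def check_page(html: str, served: dict[str, bytes], baseline: dict[str, str]) -> list[str]:
    """Compare a payment page's scripts with the approved baseline and return findings in page
    order. served: src -> body as delivered now; baseline: approved src -> SRI value recorded
    when the script was approved. An empty list means nothing changed."""
    findings = []
    for s in inventory_scripts(html):
        src = s["src"]
        if src is None:
            findings.append("inline script present: not in baseline, needs justification")
        elif src not in baseline:
            findings.append(f"unauthorized script: {src}")
        else:
            if s["integrity"] != baseline[src]:
                findings.append(f"missing or wrong integrity attribute on {src}")
            if sri_hash(served.get(src, b"")) != baseline[src]:
                findings.append(f"served content of {src} differs from baseline")
    return findings

# Constructed sample: one approved checkout script, then a page where an unapproved script has
# appeared and the delivered checkout.js no longer matches the hash recorded at approval time.
CHECKOUT_JS = b"document.getElementById('pan').addEventListener('blur', validatePan);"
BASELINE = {"/static/checkout.js": sri_hash(CHECKOUT_JS)}
PAGE = (
    f'<script src="/static/checkout.js" integrity="{BASELINE["/static/checkout.js"]}"></script>\n'
    '<script src="https://cdn.example.invalid/analytics.js"></script>'
)
SERVED = {"/static/checkout.js": CHECKOUT_JS + b"\n// unexpected change"}
```

Running `check_page(PAGE, SERVED, BASELINE)` on the constructed sample reports both the altered checkout script and the unapproved analytics script; scheduling that call at least weekly and routing non-empty results to the designated personnel covers the detection and alerting parts of 11.6.1.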
Enhanced Encryption and Cryptographic Requirements
PCI-DSS 4.0 updates encryption requirements to address modern threats and deprecated cryptographic protocols.
Requirement 4.2.1 - Strong Cryptography
Key updates to encryption standards:
- TLS 1.2 or higher required for all transmission of cardholder data
- SSL and early TLS versions (1.0, 1.1) must be disabled
- Certificate management and validity monitoring
- Strong cipher suites only - weak ciphers explicitly prohibited
Requirement 3.5.1 - Key Management Procedures
Enhanced requirements for cryptographic key management:
- Documented key management procedures and processes
- Key rotation policies and enforcement
- Secure key generation using industry-standard methods
- Key storage in hardware security modules (HSMs) where appropriate
- Regular review of key custodian access
Requirement 12.3.3 - Cryptographic Architecture
By March 31, 2025, organizations must maintain a documented cryptographic architecture that includes:
- Inventory of all cryptographic algorithms and protocols in use
- Details of how algorithms are used and where
- Plans for upgrading deprecated algorithms
- Risk analysis for cryptographic implementations
Recommended Actions:
- Audit all systems for SSL/TLS versions and disable obsolete protocols
- Review cipher suites and remove weak or deprecated options
- Document all uses of cryptography across your environment
- Implement automated certificate expiration monitoring
- Create cryptographic architecture documentation before March 2025
Enhanced Logging and Monitoring
PCI-DSS 4.0 significantly expands logging requirements and introduces more specific guidance on what must be logged and how logs should be protected.
Requirement 10.2 - Expanded Audit Log Events
Additional events that must now be logged:
- All actions by users with administrative or elevated privileges
- All access to audit logs
- Invalid logical access attempts
- All changes to identification and authentication credentials
- Initialization of audit logs
- All changes to audit log configurations
- Creation and deletion of system-level objects
Requirement 10.3 - Log Record Details
Each audit log entry must now include:
- User identification
- Type of event
- Date and timestamp
- Success or failure indication
- Origination of event (component, location)
- Identity or name of affected data, system, or resource
Requirement 10.4.1.1 - Automated Log Review
By March 31, 2025, organizations must implement automated mechanisms to perform log reviews, including:
- Automated tools to detect and alert on anomalies and suspicious activity
- Integration with security information and event management (SIEM) systems
- Real-time or near-real-time alerting capabilities
- Correlation of logs from multiple sources
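Requirements 10.2, 10.3 and 10.4.1.1 fit together: records must carry the six details, the listed event types must be captured, and something automated must read them. The following is an added example, not code from the article: it validates JSON audit records against the six 10.3 details and runs a minimal automated review pass that flags sensitive 10.2 event types and repeated invalid access attempts. The field names, the event-type labels, the failure threshold and the log lines are constructed assumptions, not taken from the standard.

```python
"""Added example (not from the article): check audit records for the six PCI-DSS 4.0 req. 10.3 details
and run a simple automated review (req. 10.4.1.1). Field names, threshold and log lines are constructed."""
import json
from collections import Counter

REQUIRED_FIELDS = ("user", "event_type", "timestamp", "outcome", "origin", "target")  # req. 10.3
REVIEW_EVENTS = {"privileged_action", "audit_log_access", "credential_change",  # from req. 10.2
                 "audit_log_init", "audit_log_config_change", "system_object_change"}
FAILED_LOGON_THRESHOLD = 5  # assumption: invalid access attempts per user that raise an alert

def validate_record(line: str) -> list[str]:
    """Return the 10.3 details missing or empty in one JSON audit record ([] if compliant)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return list(REQUIRED_FIELDS)
    return [f for f in REQUIRED_FIELDS if not rec.get(f)]

def review_logs(lines: list[str]) -> dict:
    """Automated review pass: report malformed records, sensitive events and repeated failures."""
    result = {"malformed": [], "alerts": []}
    failures = Counter()
    for n, line in enumerate(lines, 1):
        missing = validate_record(line)
        if missing:  # a record that cannot be reviewed is itself a finding
            result["malformed"].append((n, missing))
            continue
        rec = json.loads(line)
        if rec["event_type"] in REVIEW_EVENTS:
            result["alerts"].append(f"line {n}: {rec['event_type']} by {rec['user']} on {rec['target']}")
        if rec["event_type"] == "logon" and rec["outcome"] == "failure":
            failures[rec["user"]] += 1
            if failures[rec["user"]] == FAILED_LOGON_THRESHOLD:
                result["alerts"].append(f"line {n}: {FAILED_LOGON_THRESHOLD} invalid access attempts for {rec['user']}")
    return result

# Constructed sample records: one good logon, five invalid attempts by one user, a change to
# the logging configuration, and a privileged action missing three mandatory 10.3 details.
SAMPLE_LOGS = [
    '{"user":"svc_batch","event_type":"logon","timestamp":"2025-01-10T02:00:01Z",'
    '"outcome":"success","origin":"app01","target":"cde-db"}',
] + [
    f'{{"user":"jdoe","event_type":"logon","timestamp":"2025-01-10T02:00:0{i}Z",'
    '"outcome":"failure","origin":"10.0.5.20","target":"jump01"}'
    for i in range(2, 7)
] + [
    '{"user":"admin2","event_type":"audit_log_config_change","timestamp":"2025-01-10T02:01:00Z",'
    '"outcome":"success","origin":"log01","target":"/etc/rsyslog.conf"}',
    '{"user":"admin2","event_type":"privileged_action","timestamp":"2025-01-10T02:01:30Z"}',
]
```

`review_logs(SAMPLE_LOGS)` returns the incomplete privileged-action record under `malformed` and two alerts: the fifth failed logon for one user and the change to the audit log configuration. In a real deployment the same checks would run inside the SIEM, where correlation across sources and near-real-time alerting take the place of this single pass over a list.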
[Figure: Logging Architecture Diagram]
PCI-DSS 4.0 Migration Timeline
Understanding the transition timeline is critical for compliance planning. Here's what you need to know:
Key Dates
March 2022: PCI-DSS v4.0 Released
Initial publication, with a two-year transition period announced.
March 31, 2024: v3.2.1 Retirement
PCI-DSS v3.2.1 officially retired; all assessments must use v4.0.
March 31, 2025: Future-Dated Requirements Mandatory
All future-dated requirements become mandatory, including:
- MFA for all remote network access (8.5.1)
- Automated log review mechanisms (10.4.1.1)
- Cryptographic architecture documentation (12.3.3)
- Enhanced vulnerability management processes
Ongoing: Continuous Compliance
All other v4.0 requirements remain in effect, with annual assessments.
Critical: March 31, 2025 Deadline
If you haven't already implemented the future-dated requirements, you have less than 3 months remaining. These requirements are significant and may require:
- Budget allocation for new tools (SIEM, MFA, monitoring solutions)
- Architecture changes (cryptographic systems, logging infrastructure)
- Policy and procedure updates
- Staff training on new controls
- Testing and validation before your next assessment
Other Notable Changes in PCI-DSS 4.0
Beyond the major updates covered above, PCI-DSS 4.0 includes numerous other enhancements:
Vulnerability Management
- Expanded scope of vulnerability scans
- More frequent scanning requirements
- Enhanced patch management timelines
- Container and cloud-native security
Documentation Requirements
- Targeted risk analysis documentation
- Enhanced network diagram requirements
- Data flow documentation
- Role and responsibility matrices
User Management
- Enhanced password requirements
- Account review and recertification
- Application and system account management
- Privileged account monitoring
Cloud and Third-Party Services
- Third-party service provider management
- Cloud environment security requirements
- API security considerations
- Shared responsibility clarifications
Security Awareness
- Enhanced training requirements
- Phishing awareness programs
- Training frequency and documentation
- Role-specific security training
Incident Response
- Enhanced incident response procedures
- Incident response team requirements
- Testing and review requirements
- Communication plan documentation
Key Takeaways
1. PCI-DSS 4.0 introduces revolutionary flexibility with the Customized Approach while maintaining security rigor through outcome-based objectives.
2. MFA is now mandatory for virtually all CDE access - plan for organization-wide implementation before March 2025.
3. E-commerce businesses must implement payment page integrity monitoring to protect against skimming attacks.
4. March 31, 2025 is the hard deadline for all future-dated requirements - start implementation now if you haven't already.
5. Automation and modern compliance platforms can reduce the burden of new requirements by 30-50% through integrated evidence collection and monitoring.