PCI DSS 4.0: What You Need To Know

The Payment Card Industry Data Security Standard (PCI DSS) is a critical set of requirements designed to ensure the safe handling of cardholder data. As of March 31, 2024, version 3.2.1 of PCI DSS will be retired. This means organizations accepting card payments must transition to the updated standard, PCI DSS 4.0, to remain compliant.

What's New and What You Need To Know About PCI DSS 4.0

PCI DSS 4.0 introduces several key changes, adopting a more flexible and outcome-based approach. This means you have more control over tailoring your security controls to your specific environment, as long as you achieve the desired security objectives.

Here's a breakdown of the key changes and what they mean for your business:

  • Focus on Outcomes, Not Just Checklists: Previously, strict adherence to specific controls was necessary. Now, the focus shifts to demonstrating how your chosen controls effectively mitigate risk and meet the intended security outcome. This allows for greater flexibility in implementing security measures.
  • Enhanced Security Measures:
    • Stronger authentication: PCI DSS 4.0 emphasizes stricter multi-factor authentication (MFA) for accessing the cardholder data environment.
    • Increased password complexity: Password complexity requirements have been strengthened, with a minimum length of 12 characters now recommended.
    • Data protection: Additional focus is placed on data protection, with specific requirements for keyed cryptographic hashing and limitations on the use of disk-level encryption.
  • Streamlined Validation Process: PCI DSS 4.0 introduces a customized validation approach. This allows organizations to choose between demonstrating compliance through traditional methods or by showing how their existing security practices achieve the desired outcomes. This can potentially streamline the validation process for some businesses.
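As an added illustration of the keyed-hashing and password-length points above (example code written for this page, not from the PCI SSC or any vendor), the following Python contrasts a plain SHA-256 of a PAN with an HMAC-SHA256 keyed hash, and shows a minimal length check for the 12-character minimum. The PAN and password values are constructed test data, and the helper names (`generate_key`, `keyed_hash`, `password_meets_policy`) are assumptions, not terms from the standard.

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN: a well-known test number, not a real card.
SAMPLE_PAN = "4111111111111111"

# Minimum key size for the keyed hash (256 bits), chosen for this example.
MIN_KEY_BYTES = 32


def generate_key() -> bytes:
    """Generate a random HMAC key.

    In a real deployment the key is managed under the standard's key-management
    requirements and stored separately from the hashed data; it must never sit
    next to the hashes it protects.
    """
    return secrets.token_bytes(MIN_KEY_BYTES)


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN.

    Anyone who holds the hash can recompute it from a candidate PAN with no
    secret, which is why PCI DSS 4.0 no longer accepts this on its own.
    """
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN: recomputing it requires the secret key."""
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("HMAC key must be at least 256 bits")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def verify_keyed_hash(pan: str, key: bytes, stored: str) -> bool:
    """Constant-time comparison of a freshly computed keyed hash to a stored one."""
    return hmac.compare_digest(keyed_hash(pan, key), stored)


def password_meets_policy(password: str, min_length: int = 12) -> bool:
    """Length check for the 12-character minimum, plus the usual mix requirement.

    The 12-character floor is the PCI DSS 4.0 figure; requiring at least one
    letter and one digit mirrors the standard's complexity wording.
    """
    return (
        len(password) >= min_length
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


if __name__ == "__main__":
    key = generate_key()
    stored = keyed_hash(SAMPLE_PAN, key)
    print("unkeyed :", unkeyed_hash(SAMPLE_PAN))
    print("keyed   :", stored)
    print("verify  :", verify_keyed_hash(SAMPLE_PAN, key, stored))
    print("policy  :", password_meets_policy("correct-horse-battery-9"))
```

The practical difference is that `unkeyed_hash` is a fixed function of the PAN alone, so a stored table of such hashes can be checked against guessed card numbers by whoever obtains it; `keyed_hash` cannot be recomputed without the key, which is why the key's separate storage and management carries the security weight.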

What You Need To Do

  • Familiarize yourself with the changes: While the core objectives remain the same, understanding the specifics of PCI DSS 4.0 is crucial. The PCI SSC website provides comprehensive resources, including the standard itself and implementation guides.
  • Assess your current compliance posture: Conduct a gap analysis to identify areas where your existing controls might need adjustments to meet the new requirements.
  • Develop a plan for implementation: Create a roadmap for addressing any identified gaps and ensuring compliance with the updated standard. Consider seeking guidance from a qualified security professional if needed.

While the deadline for full compliance is March 31, 2025, it's crucial to begin planning and implementing changes well in advance to ensure a smooth transition and continued compliance.

By taking a proactive approach and embracing the new requirements, you can effectively safeguard your business and your customers' sensitive information.

Contact us today and we will guide your business through the new PCI DSS 4.0 planning and implementations to stay compliant!