In keeping with its ongoing goal of safeguarding cardholder information, the PCI Security Standards Council (PCI SSC) is rolling out a new version of its Payment Card Industry Data Security Standard (PCI DSS). This updated iteration came from extensive feedback from numerous players in the global payments industry belonging to over 200 organizations over three years. With this most recent update comes a transition to outcome-based requirements to meet the security industry’s evolving needs, emphasizing security as a continuous process focusing on flexibility and customizability.

Although only four years have passed since the last version of the standard, v3.2.1, was put in place, tumultuous changes have required a new set of modifications. The COVID pandemic acted as the catalyst for abrupt shifts in shopper behaviors and the embracing of cloud-based platforms that facilitated online shopping and remote work. In keeping with this evolution, cyber attackers also developed ever more sophisticated ways to compromise data and usurp digital systems.

Compliance Management Platform

PCI DSS 4.0 Audit Management and Continuous Compliance by Experts

Goals of PCI DSS 4.0

The newest version of PCI DSS addresses this societal evolution in many ways. Although the 12 core requirements remain in place to protect cardholder data, the focus has moved toward initiating many security objectives designed to guide the implementation of security controls.
Thanks to the new emphasis on customization, compliance with the standard can be obtained via either the traditional method or through scaled plans designed to meet the unique needs of individual businesses.

The standard will continue to meet the payment industry’s security needs.


It will keep achieving security via flexibility and support of additional methodologies.


It will promote security as a continuous process.


It will enhance procedures and validation methods.

The PCI DSS is made up of 12 requirements divided into six categories:

Build and Maintain a Secure Network

Protect Cardholder Data

Maintain a Vulnerability Management Program

Implement Strong Access Control Measures

Regularly Monitor and Test Networks

Maintain an Information Security Policy

These days, cardholder data is safeguarded in several ways, with one of the most important to emerge in recent years being identity and access management (IAM). PCI DSS v4.0 recognizes this priority, aligning with the NIST guidance on digital identities. That is in response to the increased use of cloud-based technologies and the accompanying need for stronger authentication protocols.

PCI DSS 4.0 Changes


Multifactor authentication (MFA) for all accounts that can access cardholder data became more stringient.


Access privileges must be reviewed at least once every six months.


Permissions for the group, shared, and public accounts. Targeted risk analyses aim to allow organizations to establish the frequency of performing certain tasks.


It is required that strong passwords for accounts and systems be used. They should be at least 15 characters long, including numeric and alphabetic characters. Additionally, any password must be compared against a list of known bad passwords.


Password protocols require that those used for applications and systems be changed at least every 12 months or if there is suspicion of compromise.

The new emphasis on customizability allows organizations to construct their authentication systems to meet the standard’s requirements and the company’s risk environment. Additionally, PCI SSC is working with Europay, Mastercard, and Visa to implement the 3DS Core Security Standard during the transaction authorization process.
Encryption has long been used to keep cardholder data safe, and the new version of PCI DSS builds on this foundation by expanding on trusted networks. Additionally, the mandate for data discovery for identifying all sources and locations of cleartext primary account numbers has been made more frequent, at least every 12 months, or if the data environment undergoes significant changes.
PCI DSS version 4.0 will not immediately affect all organizations. Between now and June of this year, the text of the revised standard will be published in numerous languages and distributed around the globe. Additionally, an online educational symposium will be available to PCI SSC community members on June 21, 2022.

Assessor training will begin in June. V3.2.1 will remain in effect for two years after the publication of V4.0, with a deadline date of March 31, 2024. That will give organizations time to learn the new requirements and develop strategies to implement the changes.

Ready To Get Started?

If you have any questions about PCI DSS or how it affects your business, don’t hesitate to contact us.

We would be happy to help you get started on your compliance journey.