Overview

Info

PCI DSS (Payment Card Industry Data Security Standard) v4.0 is the latest version of the global standard for securing payment card data, developed by the PCI Security Standards Council (PCI SSC).

Released in March 2022, v4.0 replaces v3.2.1 and introduces more flexibility, stronger authentication, and a new approach to security validation.

Purpose

  • Protect cardholder data and reduce credit card fraud
  • Standardize technical and operational security measures for entities that process, store, or transmit payment card data
  • Adapt to evolving threats, technologies, and compliance models

Key Changes in v4.0

  1. Customized Approach Option
    • Allows organizations to meet a requirement's stated security objective with alternative controls, provided they can demonstrate and document that those controls are effective
  2. Enhanced Authentication
    • Stronger password requirements and support for modern multi-factor authentication (MFA)
  3. Continuous Compliance Focus
    • Emphasizes ongoing security, not just annual checkbox compliance
  4. Updated Requirements
    • New controls for phishing, e-commerce, and access controls
    • Better alignment with modern tech (cloud, containers, etc.)

Core Requirements

Note

The 12 core PCI DSS requirements remain the same, grouped under six control objectives:

  1. Build and Maintain a Secure Network and Systems
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

Validation and Applicability

  • Applies to merchants, service providers, and financial institutions
  • Validation methods vary (SAQ self-assessment questionnaire, assessment by a QSA qualified security assessor, or by an ISA internal security assessor) depending on transaction volume and environment
  • v3.2.1 sunset date: March 31, 2024 — all entities must validate against v4.0 after that date

Summary

Tip

PCI DSS v4.0 brings more flexibility, stronger security, and a focus on continuous improvement, helping organizations adapt to changing payment tech and threats.

  • Supports traditional and customized implementation approaches
  • More future-ready with guidance for modern architectures
  • Helps reduce risk in payment card ecosystems