PCI DSS 4.0 became mandatory on March 31, 2025, replacing version 3.2.1 after a two-year transition. Organizations that have not completed migration face potential penalties, increased assessment scope, and heightened risk. Here is what changed and how to ensure compliance.

Timeline Recap

PCI DSS 4.0 was published in March 2022. Version 3.2.1 was retired for new implementations in March 2024. By March 2025, version 3.2.1 was fully retired and 4.0 became mandatory. Requirements previously labeled “best practice” also became mandatory in March 2025.

Significant Changes

Authentication Requirements

MFA is now required for all access to the cardholder data environment, not just remote access. In practice this covers personnel with administrative access to in-scope systems, access to the CDE from within trusted internal networks, and third-party vendor access, all of which must use multi-factor authentication.

Password requirements increased too. Minimum length jumped from 7 to 12 characters. Passwords must change every 90 days if they are the sole authentication method. Each system needs unique passwords, and commonly used passwords are now prohibited.
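The password rules above (12-character minimum, a denylist of commonly used passwords, no reuse of recent passwords, and a 90-day rotation when the password is the only factor) can be enforced at the point where a user sets a new password. The following is an added example, not code from the article or from the PCI SSC; the denylist, the history depth of four previous passwords and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import secrets
from datetime import date, timedelta

# Added example (not from the article): a small policy check for new passwords.
# Reuse is detected by recomputing the salted PBKDF2 hash of the candidate
# against each stored history entry, so plaintext history is never kept.

MIN_LENGTH = 12
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 4            # assumption: number of previous passwords that may not be reused
PBKDF2_ROUNDS = 100_000      # assumption: illustrative work factor
COMMON_PASSWORDS = {"password1234", "welcome12345", "qwerty123456"}   # constructed denylist


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns (salt, digest) so history entries can be recompared later."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_findings(candidate, history):
    """Return policy findings for a proposed password; an empty list means it is acceptable.

    history: list of (salt, digest) tuples for the current and previous passwords, newest first.
    """
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        findings.append("appears in the common-password denylist")
    for salt, digest in history[:HISTORY_DEPTH]:
        if hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS) == digest:
            findings.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return findings


def rotation_due(last_changed, today, sole_factor=True):
    """True when a password that is the only authentication factor is older than 90 days."""
    return sole_factor and (today - last_changed) > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed account history: the current password plus one older one.
    history = [hash_password("Spring-Ledger-Tulip-2024"), hash_password("Winter-Ledger-Tulip-2023")]
    print(password_findings("Spring-Ledger-Tulip-2024", history))   # reuse
    print(password_findings("Password1234", history))               # denylisted
    print(password_findings("Autumn-Ledger-Tulip-2025", history))   # acceptable -> []
    print(rotation_due(date(2025, 1, 1), date(2025, 4, 2)))         # 91 days -> True
```

The reuse check deliberately recomputes the hash with each history entry's own salt rather than comparing plaintext; the same helper can back a periodic audit that flags accounts whose single-factor password has exceeded the 90-day limit.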

Targeted Risk Analysis

Version 4.0 introduces a “customized approach” that allows organizations to implement alternative controls that meet security objectives. To use it, document the security objective, perform a targeted risk analysis, implement controls that address identified risks, document testing procedures, and get assessor validation.

Encryption Requirements

All PAN transmissions must use strong cryptography. That means TLS 1.2 minimum, with TLS 1.3 recommended. Certificate validation is required and fallback to weaker protocols is not allowed.
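The transmission rules above translate directly into how a TLS client context is configured: a protocol floor of TLS 1.2, mandatory chain and hostname validation, and no path by which a connection can fall back below the floor. The block below is an added example written for this article, not code from the PCI SSC or any payment library; it uses only the Python standard library's `ssl` module and also audits an arbitrary context so that existing integrations can be checked against the same floor.

```python
import ssl

# Added example (not from the article): build a client context that meets the
# described floor (TLS 1.2 minimum, certificate validation required, no fallback)
# and audit any existing context against it. No network access is needed.

PCI_MIN_TLS = ssl.TLSVersion.TLSv1_2


def build_pci_tls_context(cafile=None):
    """Return an SSLContext that refuses anything below TLS 1.2 and always validates the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = PCI_MIN_TLS       # handshake fails rather than falling back to TLS 1.0/1.1
    # maximum_version stays at the default, so TLS 1.3 is negotiated whenever the peer supports it.
    ctx.check_hostname = True               # the certificate must match the host we intended to reach
    ctx.verify_mode = ssl.CERT_REQUIRED     # an unverifiable chain aborts the connection
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # assumption: a PEM bundle path supplied by the caller
    else:
        ctx.load_default_certs()
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings for a context; an empty list means it meets the floor."""
    findings = []
    if ctx.minimum_version < PCI_MIN_TLS:
        findings.append(f"minimum_version is {ctx.minimum_version.name}; TLSv1_2 or higher is required")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED; certificate validation can be skipped")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled; a valid certificate for another host would be accepted")
    return findings


def weak_context_for_comparison():
    """A deliberately weak context of the kind audits still turn up (constructed for illustration)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be disabled before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE         # accepts any certificate, including a forged one
    return ctx


if __name__ == "__main__":
    print("compliant context:", audit_tls_context(build_pci_tls_context()))
    print("weak context:", audit_tls_context(weak_context_for_comparison()))
```

The audit function is the useful part for a migration: wrap it around whatever context an HTTP client or message queue library exposes and the three findings map one-to-one onto the sentences above.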

Key management requirements expanded to include documented procedures, defined key custodians, a cryptographic key inventory, and rotation procedures.

E-commerce and Payment Page Security

New requirement 6.4.3 mandates inventorying and controlling scripts on payment pages. You need to maintain an inventory of all scripts loaded or executed on those pages, document authorization and business justification for each, implement integrity controls, and monitor for unauthorized changes.

Payment pages must implement security controls including a Content Security Policy (CSP) header, Subresource Integrity (SRI) attributes on the scripts they load, and monitoring that detects changes to those headers and attributes.
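Requirements 6.4.3 and 11.6.1 together amount to a repeatable check: enumerate every script on the payment page, compare it against the approved inventory, verify SRI hashes, and confirm the CSP header is present. The block below is an added example written for this article (not code from the PCI SSC, a payment processor, or any monitoring product); the page markup, the approved inventory, the script bodies and the response headers are all constructed samples.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Added example (not from the article): the checks behind 6.4.3 and 11.6.1 on a
# payment page. Every <script> is inventoried, compared with an approved list,
# and its Subresource Integrity (SRI) hash verified; the CSP header is checked
# too. All page content, inventories and headers below are constructed.


def sri_hash(body: bytes) -> str:
    """Value for an integrity="..." attribute: sha384 of the body, base64-encoded."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


class _ScriptCollector(HTMLParser):
    """Record src and integrity of each <script>, plus the text of inline ones."""

    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "body": ""})
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1]["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def inventory_scripts(html: str):
    """Return the list of scripts found on the page (the inventory step of 6.4.3)."""
    p = _ScriptCollector()
    p.feed(html)
    return p.scripts


def check_payment_page(html, headers, approved, approved_inline, fetched):
    """Compare a page against the inventory and return findings (empty list = clean).

    approved: {src: expected SRI}; approved_inline: set of SRI hashes of authorized
    inline scripts; fetched: {src: body bytes} as the monitor retrieved them.
    """
    findings = []
    if "Content-Security-Policy" not in headers:
        findings.append("no Content-Security-Policy header on payment page")
    for s in inventory_scripts(html):
        src = s["src"]
        if src is None:
            if sri_hash(s["body"].encode()) not in approved_inline:
                findings.append("unauthorized or modified inline script")
            continue
        if src not in approved:
            findings.append(f"{src}: not in approved inventory")
            continue
        if s["integrity"] is None:
            findings.append(f"{src}: no integrity attribute, SRI not enforced")
        elif s["integrity"] != approved[src]:
            findings.append(f"{src}: integrity attribute differs from inventory")
        body = fetched.get(src)
        if body is not None and sri_hash(body) != approved[src]:
            findings.append(f"{src}: served content no longer matches approved hash")
    return findings


# Constructed sample: one approved script with SRI, one approved script without SRI
# whose served copy has changed, one script nobody authorized, one approved inline block.
CHECKOUT_JS = b"function pay(){/* constructed */}"
VENDOR_JS = b"/* constructed vendor library */"
INLINE_JS = "window.payCfg={currency:'EUR'};"
APPROVED = {
    "https://pay.example/checkout.js": sri_hash(CHECKOUT_JS),
    "https://cdn.example/vendor.js": sri_hash(VENDOR_JS),
}
APPROVED_INLINE = {sri_hash(INLINE_JS.encode())}
SAMPLE_HTML = (
    '<html><head>'
    '<script src="https://pay.example/checkout.js" integrity="'
    + APPROVED["https://pay.example/checkout.js"] + '" crossorigin="anonymous"></script>'
    '<script src="https://cdn.example/vendor.js"></script>'
    '<script src="https://tags.example/tag.js"></script>'
    '<script>' + INLINE_JS + '</script>'
    '</head><body></body></html>'
)
SAMPLE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://pay.example https://cdn.example"}
SAMPLE_FETCHED = {
    "https://pay.example/checkout.js": CHECKOUT_JS,
    "https://cdn.example/vendor.js": VENDOR_JS + b"/* changed since approval */",
}


def run_sample():
    """Run the check over the constructed page; expect three findings."""
    return check_payment_page(SAMPLE_HTML, SAMPLE_HEADERS, APPROVED, APPROVED_INLINE, SAMPLE_FETCHED)


if __name__ == "__main__":
    for finding in run_sample():
        print("FINDING:", finding)
```

Run on a schedule against the live page and its response headers, the same function becomes the change-detection mechanism 11.6.1 asks for: any script that is not in the inventory, any missing or mismatched `integrity` attribute, any served body whose hash drifted, and any disappearance of the CSP header each surface as a finding.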

Security Awareness Training

Training must now be tailored to job function. Personnel with CDE access need role-based content, and everyone needs phishing awareness with simulations and social engineering recognition. Annual training is the minimum.

Vendor and Third-Party Management

Requirements for service providers expanded. You need written agreements defining responsibilities, monitoring of service provider compliance status, annual review of their PCI DSS compliance, and a clear responsibility matrix.

New Requirements Summary

Requirement   Description                                      Category
3.4.2         Technical controls for copying PAN               Data Protection
5.4.1         Anti-phishing mechanisms for email               Malware
6.3.2         Software inventory maintenance                   Development
6.4.3         Payment page script management                   E-commerce
8.4.2         MFA for all CDE access                           Authentication
8.6.3         Password/passphrase reuse prevention             Authentication
10.7.1-3      Prompt detection of security control failures    Monitoring
11.6.1        Payment page change detection                    E-commerce
12.3.1        Targeted risk analysis documentation             Risk Management

Migration Checklist

Phase 1: Assessment

Conduct gap analysis against v4.0. Identify new requirements applicable to your environment. Assess customized approach opportunities. Confirm scope for v4.0.

Phase 2: Remediation

Implement MFA for all CDE access. Update password policies and technical controls. Deploy payment page security controls. Enhance third-party management processes. Update your security awareness training program.

Phase 3: Validation

Test new controls internally. Update policies and procedures documentation. Prepare evidence for QSA assessment. Schedule your v4.0 assessment with a QSA.

Common Migration Challenges

Many organizations underestimate the scope of required MFA deployment. Complex e-commerce sites may have numerous scripts to inventory. New documentation requirements for targeted risk analysis require process updates. And some service providers may not have v4.0 attestation yet.

Resources

Check the PCI Security Standards Council v4.0 documentation, QSA and ISA training materials, transition guidance from PCI SSC, and community forums for implementation guides.