PCI DSS 4.0 became mandatory on March 31, 2025, replacing version 3.2.1 after a two-year transition period. Organizations that haven’t completed migration face potential penalties, increased assessment scope, and heightened risk. This guide covers what’s changed and how to ensure compliance.

Timeline Recap

  • March 2022: PCI DSS 4.0 published
  • March 2024: v3.2.1 retired for new implementations
  • March 2025: v3.2.1 fully retired; 4.0 mandatory
  • March 2025: “Best practice” requirements become mandatory

Significant Changes

Enhanced Authentication Requirements

Multi-Factor Authentication (8.4)

MFA is now required for all access to the cardholder data environment, not just remote access:

  • All personnel with administrative access to systems
  • All access to the CDE from trusted networks
  • Third-party vendor access

Password Requirements (8.3)

Passwords must meet enhanced criteria:

  • Minimum 12 characters (increased from 7)
  • Changed every 90 days where passwords are the sole authentication factor
  • Unique passwords for each system
  • Prohibition of commonly used passwords

Targeted Risk Analysis

Customized Approach Option

PCI DSS 4.0 introduces a “customized approach” allowing organizations to implement alternative controls meeting security objectives. Requirements:

  • Document security objective
  • Perform targeted risk analysis
  • Implement controls addressing identified risks
  • Document testing procedures
  • Obtain assessor validation

Enhanced Encryption Requirements

Encryption in Transit (4.2)

All PAN transmissions must use strong cryptography:

  • TLS 1.2 minimum (TLS 1.3 recommended)
  • Certificate validation required
  • No fallback to weaker protocols

Key Management (3.6, 3.7)

Enhanced key management requirements:

  • Documented key management procedures
  • Defined key custodians
  • Cryptographic key inventory
  • Key rotation procedures

E-commerce and Payment Page Security

Payment Page Scripts (6.4.3)

New requirement to inventory and control scripts on payment pages:

  • Maintain inventory of all scripts
  • Document authorization and business justification
  • Implement integrity controls
  • Monitor for unauthorized changes

HTTP Security Headers (11.6.1)

Payment pages must implement security headers:

  • Content Security Policy (CSP)
  • Subresource Integrity (SRI)
  • Monitoring for header changes
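A monitoring check of the kind 6.4.3 and 11.6.1 call for, written here as an added example for this guide (it is not code from the PCI SSC or from any product): it parses the payment page as served, compares every script against an authorized inventory that records each script's SRI hash, and reports unlisted scripts, missing or altered integrity attributes, and script bodies that changed after they were authorized. All URLs, script bodies and the page itself are constructed sample data.

```python
import base64, hashlib
from html.parser import HTMLParser
def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384-<base64 digest>) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):
    """Records each <script>: src (None if inline), its integrity attribute, and inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "body": ""})
            self._open = True
    def handle_endtag(self, tag):
        self._open = self._open and tag != "script"
    def handle_data(self, data):
        if self._open:
            self.scripts[-1]["body"] += data

def audit_payment_page(html, inventory, fetched):
    """Compare the served page with the authorized inventory (6.4.3) and detect changes (11.6.1).
    inventory: {src: expected SRI hash} plus "inline": set of allowed inline-script hashes.
    fetched:   {src: bytes}, the script bodies the monitor retrieved. Returns a list of findings."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"] is None:
            if sri_hash(s["body"].encode()) not in inventory["inline"]:
                findings.append("unauthorized inline script")
        elif s["src"] not in inventory:
            findings.append(f"unauthorized script: {s['src']}")
        elif s["integrity"] != inventory[s["src"]]:
            findings.append(f"missing or wrong integrity attribute: {s['src']}")
        elif sri_hash(fetched.get(s["src"], b"")) != inventory[s["src"]]:
            findings.append(f"content changed since authorization: {s['src']}")
    return findings

# Constructed sample data (not from any real deployment); fraud.js's served body changed after authorization.
CHECKOUT, FRAUD, INLINE = b"function pay(f){}", b"function score(){return 0}", 'window.cfg={"env":"prod"};'
INVENTORY = {"https://cdn.example.com/checkout.js": sri_hash(CHECKOUT), "https://cdn.example.com/fraud.js": sri_hash(FRAUD),
             "inline": {sri_hash(INLINE.encode())}}
FETCHED = {"https://cdn.example.com/checkout.js": CHECKOUT, "https://cdn.example.com/fraud.js": FRAUD + b"// changed"}
PAGE = f"""<html><head><script src="https://cdn.example.com/checkout.js" integrity="{INVENTORY['https://cdn.example.com/checkout.js']}"></script>
<script src="https://cdn.example.com/fraud.js" integrity="{INVENTORY['https://cdn.example.com/fraud.js']}"></script>
<script src="https://tag.example.net/analytics.js"></script><script>{INLINE}</script></head><body></body></html>"""
```

Calling audit_payment_page(PAGE, INVENTORY, FETCHED) on the sample returns two findings, the changed fraud.js body and the unlisted analytics tag, which is the evidence a change-detection mechanism should raise to whoever owns the inventory.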

Security Awareness Training

Targeted Training (12.6)

Training must be tailored to job function:

  • Role-based content for personnel with CDE access
  • Phishing awareness with simulations
  • Social engineering recognition
  • Annual training minimum

Vendor and Third-Party Management

Service Provider Accountability (12.8, 12.9)

Enhanced requirements for service providers:

  • Written agreements defining responsibilities
  • Monitoring of service provider compliance status
  • Annual review of service provider PCI DSS compliance
  • A clearly delineated responsibility matrix

New Requirements Summary

Requirement   Description                                      Category
3.4.2         Technical controls for copying PAN               Data Protection
5.4.1         Anti-phishing mechanisms for email               Malware
6.3.2         Software inventory maintenance                   Development
6.4.3         Payment page script management                   E-commerce
8.4.2         MFA for all CDE access                           Authentication
8.6.3         Password/passphrase reuse prevention             Authentication
10.7.1-3      Prompt detection of security control failures    Monitoring
11.6.1        Payment page change detection                    E-commerce
12.3.1        Targeted risk analysis documentation             Risk Management

Migration Checklist

Phase 1: Assessment (Complete)

  • Conduct gap analysis against v4.0
  • Identify new requirements applicable to your environment
  • Assess customized approach opportunities
  • Scope confirmation for v4.0

Phase 2: Remediation

  • Implement MFA for all CDE access
  • Update password policies and technical controls
  • Deploy payment page security controls
  • Enhance third-party management processes
  • Update security awareness training program

Phase 3: Validation

  • Internal testing of new controls
  • Update policies and procedures documentation
  • Prepare evidence for QSA assessment
  • Schedule v4.0 assessment with QSA

Common Migration Challenges

  1. MFA implementation scope: Many organizations underestimate the scope of required MFA deployment
  2. Payment page script inventory: Complex e-commerce sites may have numerous scripts to inventory
  3. Targeted risk analysis documentation: New documentation requirements require process updates
  4. Third-party compliance verification: Service providers may not have v4.0 attestation

Resources

  • PCI Security Standards Council v4.0 documentation
  • QSA and ISA training materials
  • Transition guidance from PCI SSC
  • Community forums and implementation guides