What's New in PCI DSS 4.0
PCI DSS 4.0 is the most significant update since the standard's creation. It introduces 64 new requirements, a customized approach option, and stronger authentication mandates.
Critical Deadline
Organizations must achieve full PCI DSS 4.0 compliance by March 2025. Future-dated requirements also become mandatory at this time.
Transition Timeline
Key Milestones
- March 2024: PCI DSS 3.2.1 retired; all new assessments must be against PCI DSS 4.0
- March 2025: Full compliance with 4.0 required for all organizations
- March 2025: Future-dated requirements become mandatory
MFA Changes
- MFA required for all CDE access, not just remote access
- 12-character minimum password length, up from 7
- Phishing-resistant MFA recommended
Key Changes Summary
[Summary graphic: PCI DSS 4.0 requirement areas, covering Authentication, New Controls, Customized Approach, and Continuous Security]
Customized Approach
PCI DSS 4.0 introduces a Customized Approach that allows organizations to meet a requirement's stated security objective through alternative controls instead of the defined controls. It requires a mature security program and agreement from the assessing QSA.
Priority Actions
Start with MFA deployment, password policy updates, and an inventory of the scripts running on payment pages. These are high-impact requirements with the longest implementation timelines.
Conclusion
PCI DSS 4.0 brings essential updates addressing modern threats. Begin transition planning immediately, focusing on authentication, automation, and continuous security practices.
Written by
Asfaleia Team
Security Consultant
PCI QSA with extensive experience in payment card security assessments.