Skip to content

Are you ready for PCI DSS 4.0?

Andrew Robinson |

December 13, 2022
Are you ready for PCI DSS 4.0?


With the release of PCI DSS 4.0, all businesses that use customers’ payment card information will have to transition to the new framework. Here’s everything you need to know about the revised framework and how to plan for the transition.

Important timelines* 

Many of us work better with a deadline. So here’s what the timeline for PCI DSS 4.0 adoption looks like.

March 2022 - PCI DSS 4.0 was released.

March 2022 to March 2024 - Transition time for businesses to move from PCI DSS v3.2.1 to v4.0. During this time, PCI DSS v3.2.1 will also remain active.

31 March 2025 - The final deadline for compliance with the new framework. All future-dated new requirements become effective from this date. 

*Please note that all the above dates are based on current projections and are subject to change.

Why PCI DSS 4.0?

The existing PCI DSS standard (Read more: All about PCI compliance and reporting) is relatively mature. So then, why was there a need to introduce significant changes with a new version? The four reasons for this change are:

  1. As technology moves forward, the threat landscape continues to evolve. The new changes are introduced to help businesses meet evolving security needs in the payment industry.
  2. Security needs to be viewed as a continuous process that PCI DSS 4.0 aims to reinforce through the new changes.
  3. PCI DSS 4.0 also enhances validation methods and procedures to support transparency and granularity. 
  4. Providing more flexibility for organisations to support new payment technologies and different methodologies to achieve security objectives.

What are the new changes in PCI DSS 4.0?

The 12 PCI DSS requirements will continue to be the core foundation of the framework. However, there is a shift in the requirements to consider a broader perspective of security that moves towards a ‘zero trust’ philosophy. As a result, there have been some changes in the requirements and the framework's documentation. You can access the complete requirements here. Below is a summary of the significant changes in the new version of PCI DSS.

Customised implementation of controls 

The new framework offers more flexibility to businesses while ensuring that the focus remains on better security. So, companies can choose which controls to implement from the set of prescribed controls, or they can customise the controls. The only thing you need to ensure compliance is to effectively prove that the controls implemented are in line with the intent to meet the security standards.

Stringent authentication requirements

There is a stronger emphasis on tighter authentication standards, which means more structured guidelines for password policies and more robust authentication for payments and access. PCI DSS, with Mastercard, Visa, and Europay, has also implemented 3DS Core Security Standard for authorising financial transactions. In addition, businesses can now also build their authentication standards to meet regulatory requirements.

Stronger security standards

The new version has strengthened security standards by restructuring the requirements. The idea is to provide more safety to customer data when it is stored and transmitted by the business. Senior management needs to consider the changes so that the budgets and resources are allocated towards meeting the requirements.

Best practices for protecting network transmissions

One of the biggest threats to the payment industry is network infiltration by hackers. The new version of PCI DSS includes guidelines and best practices for protecting network transmissions. PCI DSS 4.0 gives insights on encryption to provide better information security over the networks.

Accommodating technology advancements

With increased technology adoption, businesses are creating pluggable options for their information systems. These solutions help companies deploy faster. The new version of PCI DSS considers this shift and includes the relevant requirements in the framework so businesses can take care of compliance.

DESV requirements might be included

The Designated Entities Supplemental Validation (DESV) requirements were a part of PCI DSS. They were mandatory only for companies with security compromised at some point. However, the new version may take DESV requirements more seriously.

How can businesses prepare for the changes?

In light of the new changes, companies must start preparing to comply with PCI DSS 4.0. While the compliance mandate is still a good two years away, it’s never too early to begin preparing for the change. Below are some steps to help you start your PCI DSS v4.0 journey.

  1. First of all, go over the complete requirements of PCI DSS 4.0 to identify and understand the compliance criteria relevant to your business.
  2. Compare the existing policies and practices with the new requirements to identify the gaps.
  3. Remove sensitive information from the systems which are not necessary or relevant. Remember to delete the information according to the guidelines.
  4. Review password protection and authorisation to systems that store sensitive data.
  5. Check the network perimeter for vulnerabilities and threats that could lead to a data breach.
  6. Monitor all data security activities and document them. 
  7. Keep the senior leadership informed of security activities.
  8. Factor these changes into internal training, future budgets and company strategy.

Having a dedicated team for identifying and implementing the new requirements is a good idea. Once implemented, PCI DSS 4.0 will further enhance cardholder data security from a range of existing and emerging threats.

The 6clicks platform provides an automated solution to comply with the PCI DSS standard. To know more, visit our PCI DSS compliance page.  

You can also get a complete tour of the 6clicks platform that lets you manage multiple compliances with intelligent automation and AI. Ready to see how we are revolutionising compliance? Click below!Get started with 6clicks


Andrew Robinson

Written by Andrew Robinson

Andrew started his career in the startup world and went on to perform in cyber and information security advisory roles for the Australian Federal Government and several Victorian Government entities. Andrew has a Masters in Policing, Intelligence and Counter-Terrorism (PICT) specialising in Cyber Security and holds IRAP, ISO 27001 LA, CISSP, CISM and SCF certifications.