PCI Updates V3.2.1 to V4.0 – What You Need to Know

PCI Updates V3.2.1 to V4.0 – What You Need to Know


In 2022, a new version of PCI Data Security Standard (DSS) was released updating the current V3.2.1 to V4.0. PCI DSS Version 4.0 (PCI DSS V4.0) seeks to enhance the security of cardholder data and align with evolving threats. Organizations have until March of 2025 for mandatory compliance with the newest changes; however, the recommended transition period is already underway for planning and implementing needed changes.  In this article, we’ll discuss how your organization can stay ahead of potential challenges by being prepared for the updated requirements and having a plan for compliance.

What has Changed?

Below are some of the key changes in PCI DSS V4.0 as your organization transitions to the new standard. 
  • Increased Emphasis on Risk-Based Approach: Stronger focus on assessing risks and implementing controls based on the specific threats faced by an organization. Organizations will need to adopt a more dynamic and customized security approach. 
  • Revised Framework Structure: Structure of the standard has been modified to provide clearer guidance and ease of implementation. It includes new introductory materials and updated requirements and testing processes. 
  • Enhanced Authentication and Password Security: Emphasis on the importance of strong authentication mechanisms and multi-factor authentication. Detailed guidelines for secure password management, including the removal of outdated practices, are included in the updates. 
  • Changing Encryption Requirements: New requirements for encryption to ensure the secure transmission and storage of cardholder data. Use of modern cryptographic algorithms and key management practices are emphasized. 
  • Scope and Focus on Service Providers: Expands the scope of PCI DSS requirements to include more service providers. Specific criteria for third-party engagements and greater accountability for securing cardholder data throughout the card data environment is promoted. 
  • Continuous Monitoring and Testing: Need for continuous monitoring and regular security testing to identify and address vulnerabilities effectively is highlighted. It encourages organizations to adopt technologies and processes that provide real-time threat detection and response. 
  • Stronger Controls for Cloud and Virtualization: Acknowledgement of the increasing use of cloud technologies and virtualization, including guidance for securing these environments in regard to PCI DSS requirements. Transitioning from 3.2.1 to 4.0 requires organizations to reassess their security practices, identify gaps, and implement necessary changes.
Because PCI Security Standards Council (SSC) may continue to make some updates in PCI DSS V4.0, it is essential to stay updated with the latest guidance, engage with a QSA, and perform a thorough review of systems and processes to ensure compliance with the new requirements.

A Suggested Road Map to 4.0 Compliance

We recommend organizations develop a transition plan to achieve compliance under PCI DSS V4.0, ensuring your plan considers the following elements:
  • Gap Analysis: Conduct a thorough assessment of your organization’s current security practices, policies, and controls in relation to PCI DSS V4.0 requirements. Identify gaps and areas that need improvement to meet the updated standards.
  • Compliance Roadmap: Based on the gap analysis, develop a roadmap or action plan for the organization to transition from the current version to PCI DSS V4.0. This roadmap should outline the steps, priorities, and timelines for implementing necessary changes.
  • Interpretation of Requirements: PCI DSS standards can be complex, and understanding their applicability to specific systems and processes can be challenging. Ensure that your organization has a clear understanding of the requirements in the context of your environment, helping ensure accurate implementation.
  • Security Controls and Remediation Guidance: Be knowledgeable about industry best practices and implementing appropriate security controls and remediation measures. Designing and implementing effective controls aligned with PCI DSS V4.0.
  • Documentation Review: Review your organization’s documentation, such as policies, procedures, and security plans, to help ensure they align with the updated requirements of PCI DSS V4.0.
  • Readiness Audits: Conduct pre-assessment audit to evaluate the organization’s readiness for a formal PCI DSS V4.0 compliance assessment. This helps identify any remaining gaps or areas that need attention before the final assessment.
  • Compliance Validation: Finally, perform the official PCI DSS V4.0 compliance assessment ensuring the timelines noted in the section below are met.

Key Dates for Adopting PCI DSS V4.0

  • Transition period is from March 31, 2022 through March 31, 2024. Organizations are not required to use the PCI v4.0 standard until March 31, 2024.  During the transition period an organization’s Cardholder Data Environment (CDE) can be assessed using PCI DSS v3.2.1 or v4.0. The transition period may be used by an organization to become familiar with the new PCI DSS v4.0 standards, implement changes needed for the updated requirements, and update documentation.      
  • PCI v3.2.1 retires on March 31, 2024. After this date, all assessments must be performed using PCI DSS v4.0.
    • PCI v4.0 includes certain future dated new requirements and testing procedures.  These future dated new requirements are designated as best practice until March 31, 2025, and organizations don’t have to implement them immediately.  After March 31, 2025, the future dated new requirements are mandatory and must be considered during a PCI DSS assessment.
Reach out to your AARC-360 team (james.spence@www.aarc-360.com or neil.gonsalves@www.aarc-360.com) for further guidance or with any questions as you develop your plan to transition into the newest PCI standard.
Co-Authored By
James Spence (PCI Practice Leader , AARC-360)
Neil Gonsalves (Founder and CEO, AARC-360)
Mihika Madhavan (Client Relationship Associate, AARC-360)