
Because the cyber landscape is ever-changing, cybersecurity standards must also change constantly to keep up. In 2022, the Payment Card Industry Security Standards Council (PCI SSC) rolled out PCI DSS 4.0, the most recent update since 2018. Given a two-year transition period, PCI DSS 4.0 officially took effect on March 31, 2024. However, in response to questions and feedback, PCI DSS 4.0.1 was published on June 11, 2024, and went into effect immediately.
PCI DSS 4.0.1 does not make any changes to the requirements in V4.0. It does, however, provide necessary clarity on the focus and intent of those requirements. PCI DSS 4.0 remained in effect until the end of last year, when it was officially retired on December 31, 2024. PCI DSS 4.0.1 is now the only active PCI DSS standard in effect. The official date to comply with PCI DSS 4.0.1 standards remains March 31, 2025, as there were no requirement changes from PCI DSS 4.0 to PCI DSS 4.0.1.
Keep in mind: the purpose of PCI DSS 4.0.1 was to make the PCI DSS 4.0 mandates clearer and easier to understand so organizations would have a better chance of successfully complying with them by the March 31 deadline.
Here’s what you need to know.
PCI DSS 4.0 Compliance
64 new PCI DSS 4.0 compliance requirements were introduced in V4.0 (that were not included in V3.2.1). These new PCI requirements remain the same for V4.0.1, and organizations are required to comply with all of them by March 31, 2025. While a full list of the requirements can be found in the PCI Security Standards Council document library, these new mandates center around four key goals:
Goal | Purpose | Examples of changes in V4.0 (now V4.0.1)
--- | --- | ---
Continue to meet the security needs of the payment card industry. | Keep pace with evolving threats to digital transactions. | 
Promote security as a continuous process. | Move from point-in-time compliance to ongoing monitoring and threat management. | 
Add flexibility for alternative methodologies. | Enable the leveraging of innovative methods to achieve desired security outcomes. | 
Enhance validation methods and procedures. | Discourage criminal actors from fraudulent attempts. | 
The Difference Between V4.0 and V4.0.1
While V4.0.1 does not add or remove any PCI requirements found in V4.0, there are a few changes to note in verbiage, which impact how those mandates can be achieved.
Under Requirement 6: Develop and Maintain Secure Systems and Software
The updated language clarifies that only critical vulnerabilities need to have patches and/or updates installed within 30 days. This happens to be the same as the language used in V3.2.1 and allows additional time for vulnerabilities that are less severe.
Under Requirement 8: Identify Users and Authenticate Access to System Components
Clarified verbiage here states that phishing-resistant authentication may be used instead of MFA for non-administrative access into the CDE (Cardholder Data Environment). This will strengthen the user verification process and harden it against phishing exploits (as opposed to only authentication-based attacks). This prevents users from disclosing sensitive information (like credentials) on fake websites or malicious applications.
Determining PCI DSS 4.0 Compliance
While the new PCI requirements must be implemented by March 31, 2025, it is important to understand which requirements are relevant to your organization so you can focus your resources accordingly.
First, know which level you fall under. Different rules apply for each:
Level 1: A business with more than 6 million transactions annually, or one that has previously experienced a data breach
Level 2: A business that processes between 1 and 6 million transactions per year
Level 3: A business that handles between 20,000 and 1 million internet transactions annually
Level 4: A business that performs fewer than 20,000 internet transactions or fewer than one million physical transactions per year
Level 1 organizations are required to have a yearly internal audit and a quarterly PCI scan by an approved third party. Organizations that fall under Levels 2-4 must do a yearly assessment with a designated questionnaire and may also be required to do a PCI scan quarterly. Once you know where you fall and have a general idea of your high-level responsibilities, you can double down on preparing for any audits, scans, and assessments. Additionally, data classification tools for PCI compliance can help you draw a line around which data assets will fall under PCI DSS rules and which do not, allowing you to be even more strategic and efficient in your process planning.
Looking to the Future of PCI DSS Compliance
As long as the cyber landscape continues to evolve, PCI DSS — along with other security standards — will remain a living, breathing document. Step #1 is to stay on top of these most recent changes and comply by the deadline. But once you have satisfied the current PCI requirements, it may be wise to keep an eye on what’s ahead for PCI DSS, possibly in the near future.
Based on today’s threats, it may not be unreasonable to predict that the next batch of changes will include things like a higher level of security scrutiny for third-party suppliers and strengthening strategies to fight against AI-mounted attacks. But perhaps more on that in the coming few months.
Meet the March 31, 2025 PCI DSS 4.0 Compliance Deadline
Learn in-depth how Fortra’s arsenal of solutions can enhance your PCI DSS 4.0 compliance posture today.