The Difference Between PCI DSS 4.0 and PCI DSS 4.0.1. Are You Ready?

Prepare now to meet the upcoming PCI DSS compliance deadline on March 31, 2025.

Published on January 24, 2025
pci-compliance

TL;DR Summary

PCI DSS 4.0.1 is the current active standard, replacing PCI DSS 4.0 as of December 31, 2024. While no new requirements were added, version 4.0.1 provides clarifications to help organizations better understand and implement the existing 64 new requirements introduced in 4.0.

Key updates include:

  • Clarified patching timelines: Only critical vulnerabilities must be patched within 30 days.
  • Phishing-resistant authentication: Can now substitute for MFA in some non-admin access scenarios.
  • Universal MFA: Still required for all access to the Cardholder Data Environment (CDE) by March 31, 2025.
  • Updated password rules: Minimum of 12 characters with complexity.
  • Script management: Organizations must track and authorize all scripts on payment pages (Requirement 6.4.3).

While compliance is essential, it’s just the beginning—organizations should aim for a proactive, strategic security posture. Fortra can help as you assess how these changes might impact your organization’s compliance roadmap.

PCI DSS 4.0.1 vs. PCI DSS 4.0

Because the cyber landscape is ever-changing, cybersecurity standards must also change constantly to keep up. In 2022, the Payment Card Industry Security Standards Council (PCI DSS) rolled out PCI DSS 4.0, the most recent update since 2018. Given a two-year transition period, PCI DSS 4.0 officially took effect on March 31, 2024. However, in response to questions and feedback, PCI DSS 4.0.1 was published on June 11, 2024, and went into effect immediately. 

PCI DSS 4.0.1 does not make any changes to the requirements in V4.0. It does, however, provide necessary clarity on the focus and intent of those requirements. PCI DSS 4.0 remained in effect until the end of last year, when it was officially retired on December 31, 2024. PCI DSS 4.0.1 is now the only active PCI DSS standard in effect. The official date to comply with PCI DSS 4.0.1 standards remains March 31, 2025, as there were no requirement changes from PCI DSS 4.0 to PCI DSS 4.0.1.

Keep in mind: the purpose of PCI DSS 4.0.1 was to make the PCI DSS 4.0 mandates clearer and easier to understand so organizations would have a better chance of successfully complying with them by the March 31 deadline. 

Here’s what you need to know. 

PCI DSS 4.0 Compliance

64 new PCI DSS 4.0 compliance requirements were introduced in V4.0 (that were not included in V3.2.1). These new PCI requirements remain the same for V4.0.1, and organizations are required to comply with all of them by March 31, 2025. While a full list of the requirements can be found in the PCI Security Standards Council document library, these new mandates center around four key goals:

Goal 

Purpose 

Examples of changes in V4.0 (now V4.0.1)

Continue to meet the security needs of the payment card industry. 

Keep pace with evolving threats to digital transactions.  

  • More stringent MFA requirements. 

  • Updated password requirements: now a minimum of 12 characters with numbers and letters included.

  • New requirements to address ongoing phishing threats.

Promote security as a continuous process.

Move from point-in-time compliance to ongoing monitoring and threat management.

  • Organizations must now assign roles and responsibilities for each requirement 

  • Additional clarity to help organizations understand how to implement and maintain security controls and processes.

Add flexibility for alternative methodologies.

Enable the leveraging of innovative methods to achieve desired security outcomes. 

  • Targeted risk analysis empowers organizations to establish recurring schedules for certain activities. 

  • Introduces the ability to create a new, customized approach to implementing and validating requirements.

Enhance validation methods and procedures.

Discourage criminal actors from fraudulent attempts. 

  • Increased alignment between information reported in a Report on Compliance or Self-Assessment.

  • Questionnaire and information summarized in an Attestation of Compliance.

The Difference Between V4.0 and V4.0.1 

While V4.0.1 does not add or remove any PCI requirements found in V4.0, there are a few changes to note in verbiage, which impact how those mandates can be achieved.

  • Under Requirement 6: Develop and Maintain Secure Systems and Software

    • The updated language clarifies that only critical vulnerabilities need to have patches and/or updates installed within 30 days. This happens to be the same as the language used in V3.2.1 and allows additional time for vulnerabilities that are less severe.

  • Under Requirement 8: Identify Users and Authenticate Access to System Components

    • Clarified verbiage here states that phishing-resistant authentication may be used instead of MFA for non-administrative access into the CDE (Cardholder Data Environment). This will strengthen the user verification process and harden it against phishing exploits (as opposed to only authentication-based attacks). This prevents users from disclosing sensitive information (like credentials) on fake websites or malicious applications.

Determining PCI DSS 4.0 Compliance

While the new PCI requirements must be implemented by March 31, 2025, it is important to understand which requirements are relevant to your organization so you can focus your resources accordingly. 

First, know which level you fall under. Different rules apply for each:

  • Level 1: A business with more than 6 million transactions annually, or one that has previously experienced a data breach

  • Level 2: A business that processes between 1 and 6 million transactions per year

  • Level 3: A business that handles between 20,000 and 1 million internet transactions annually

  • Level 4: A business that performs fewer than 20,000 internet transactions or less than one million physical transactions per year

Level 1 organizations are required to have a yearly internal audit and a quarterly PCI scan by an approved third party. Organizations that fall under Levels 2-4 must do a yearly assessment with a designated questionnaire and may also be required to do a PCI scan quarterly. Once you know where you fall and have a general idea of your high-level responsibilities, you can double down on preparing for any audits, scans, and assessments. Additionally, data classification tools for PCI compliance can help you draw a line around which data assets will fall under PCI DSS rules and which do not, allowing you to be even more strategic and efficient in your process planning. 

Looking to the Future of PCI DSS Compliance

As long as the cyber landscape continues to evolve, PCI DSS — along with other security standards — will remain a living, breathing document. Step #1 is to stay on top of these most recent changes and comply by the deadline. But once you have satisfied the current PCI requirements, it may be wise to keep an eye on what’s ahead for PCI DSS, possibly in the near future.

Based on today’s threats, it may not be unreasonable to predict that the next batch of changes will include things like a higher level of security scrutiny for third-party suppliers and strengthening strategies to fight against AI-mounted attacks. But perhaps more on that in the coming few months. 

 

Compliance Is Not Security, But It's a Start

Mature beyond checkbox compliance. Fortra® helps organizations around the world follow regulatory compliance mandates and align with security frameworks to strengthen their security posture.

FIND YOUR FRAMEWORK
Related Content