PCI DSS v4.0: Navigating the Compliance Update
By David Tattersall, PCI DSS QSA
The Payment Card Industry Data Security Standard (PCI DSS) was published over 15 years ago and in that time has undergone a series of revisions as technology, the threat landscape and information security best practices have changed.
PCI DSS was introduced to help prevent increasing levels of credit and debit card fraud. PCI DSS v4.0 is the latest release since v3.2.1 in May 2018. Version 4.0 was released in Q2 of 2022 and has been updated to continue the effort and focus on securing cardholder data and the current (and future) state of the payment industry, whilst also promoting security and PCI as a continuous process. This release of PCI DSS also provides organisations with greater flexibility in reporting and clearer guidance and sets the stage to be the gold standard for the payment card industry’s security baseline.
If your organisation takes payment by card, or provides services to others that do, compliance to the PCI DSS likely applies to you and with the implementation deadline of 31 March 2024 for v4.0 fast approaching, it is essential that you are aware of the changes and how they may affect you.
Why the changes?
In the years since its introduction, card theft has become increasingly sophisticated and is now the domain of organised crime. The threat has not reduced and, like other technology industries, the payment industry continues to adopt and integrate newer technologies at an accelerated pace. Therefore, we need to ensure that our security standards are keeping up with that pace. The PCI DSS 4.0 update brings a fresh perspective to the security controls we need to have in place to protect cardholder data (CHD).
With the update to v4.0, the PCI Security Standards Council (PCI SSC) has corrected redundant requirements, clarified guidance and testing procedures, modified wording to include more technologies and added more efficient ways to report PCI Compliance.
These changes are the result of feedback from the payment industry to the PCI SSC. The aim of v4.0 is to allow organisations to report their compliance in a way that best suits them, the technologies they use and the way their business deploys payment methods.
To sum it up, v4.0 is designed to make PCI DSS compliance simpler and more flexible for your organisation by eliminating overly stringent and specific requirements, adopting a mindset around the security objective that each requirement is designed to achieve, and allowing you to demonstrate the specific controls you have in place to be compliant.
What has changed in PCI DSS v4.0?
PCI DSS v4.0 includes a number of changes which aim to meet four key objectives:
- Ensuring the standard continues to meet the needs of the payment industry
- Promoting security as a continuous process
- Adding flexibility and support of additional methods to maintain payment security
- Enhancing validation and reporting methods and procedures
1. Ensuring the standard continues to meet the needs of the payment industry
As time moves on and technology changes, so do the complexity and method of cyberattacks trying to compromise systems. It is important to keep up with these changes and the PCI SSC has therefore made three types of changes from v3.2.1 to v4.0:
- Evolving requirements – to ensure that the standard is up to date with emerging threats, technologies and changes in the payment industry
- Clarifications – updates to wording, explanations, definitions or further information on a particular topic
- Structure or format changes – reorganisation of content, including merging, separating or renumbering requirements
Evolving requirements include amendments to existing requirements and also 64 brand new requirements, 13 of which are effective immediately (from 1 April 2024), with the remainder being future dated.
Before 31 March 2025, organisations are not required to validate these new requirements, although if they have already implemented the new controls, they should be encouraged to have them assessed earlier.
After 31 March 2025, the future dated requirements are mandatory and must be considered as part of the PCI DSS assessment.
2. Promoting security as a continuous process
From the beginning, PCI DSS requirements were created to help organisations develop security best practice habits that would be followed year-round, rather than only during an annual assessment period.
PCI DSS v4.0 has introduced some new requirements to help organisations maintain an ongoing understanding of their security and to promote security as a continuous process:
- Assigning roles and responsibilities for each requirement
- Adding detailed guidance to help organisations better understand how to implement and maintain security
- New reporting to highlight areas for improvement and provide greater transparency for report reviewers
The new version of PCI DSS may cause anxiety for those already familiar with the current requirements. However, the 12 core PCI DSS requirements remain fundamentally the same; PCI DSS v4.0 is not a totally new standard.
3. Adding flexibility and support of additional methods to maintain payment security
Perhaps the most significant change within PCI DSS v4.0 is the implementation of a brand new method of validating a security control, by using a ‘customised approach’.
The customised approach provides organisations with the flexibility to meet the security objectives of the PCI DSS using new technology and innovative controls. This allows organisations to meet the strict PCI DSS requirements in a more customised and flexible way.
The assessor will validate that the customised controls meet the PCI DSS requirements by reviewing the entity’s customised approach documentation (including a controls matrix and targeted risk analysis) and developing a procedure for validating the controls.
It’s important to understand that customised controls are not compensating controls. Compensating controls are mitigating controls that are required when an organisation is unable to meet a requirement for a legitimate and documented technical or business constraint. Customised controls, on the other hand, are a flexible alternative to meeting strict requirements.
Past validation methodologies will now be known as the Defined Approach. This is essentially what we have been doing for the past 17 years. Either approach can be used for a PCI DSS requirement, and approaches can even be mixed within a single Report on Compliance (RoC).
4. Enhancing validation and reporting methods and procedures
The PCI SSC has also reviewed validation methods and procedures. The Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC) processes and contents have been evaluated and enhanced to provide more commonality, and the SAQ and RoC introduce more guidance for organisations when self-assessing and for assessors when documenting results.
Note that the new customised approach methods are not supported in current SAQ validation methods.
What do these changes mean for organisations that are already PCI certified?
Organisations that are currently certified (to v3.2.1) should already be looking at the changes that may impact them within PCI DSS v4.0. The PCI SSC’s document, PCI DSS Summary of Changes, provides full details of the changes and new requirements and is a great starting point.
Organisations looking for guidance in relation to the changes they may need to make can reach out to the PCI team here at Razorthorn, where a PCI Qualified Security Assessor (QSA) will guide you through the changes and perform a gap analysis against v4.0 of the PCI DSS for your in-scope PCI environment.
What do these changes mean for organisations that are certifying against PCI DSS for the first time?
Organisations pursuing PCI DSS should take a similar approach with v4.0 as they would have with v3.2.1.
Start by contacting the PCI team at Razorthorn Security; our PCI DSS experts will help to determine the scope of the products, services and environment involved with payment data and help to understand which requirements must be met to become compliant to the PCI DSS.
PCI DSS v4.0 Summary of changes
The PCI SSC made significant changes to PCI DSS 4.0. The most notable type of change is evolving requirements, which refers to requirements that were added, updated, or deleted to ensure that the standard is up to date with emerging threats and technologies as well as changes in the payment industry.
Below we’ve listed all the new requirements in v4.0 that apply to all entities and those that apply to service providers only. For both groups, we’ve separated the new requirements that are effective immediately for v4.0 assessments from those that are effective on 31 March 2025.
When Must I Comply with PCI DSS 4.0
You MUST comply with PCI DSS 4.0 by 1 April 2024, but any new requirements have a grace period: these must be implemented by 1 April 2025. Some of these new requirements may not be applicable if you comply with a reduced-scope Self-Assessment Questionnaire (SAQ).
Where Next?
The PCI DSS is being driven by increasing fraud activity and the targeting of organisations handling payment card data. The requirements are detailed and, for many organisations, challenging.
By getting the right advice at the earliest stage of your compliance programme, you can greatly increase your chances of success, whilst minimising the time and effort required.
This paper has been designed to help introduce you to some of the essential elements of compliance and also give you good advice to help you in the process.
If you feel that we can be of assistance, then we will be more than happy to come to see you to discuss your particular requirements and give you some initial guidance on developing an effective PCI DSS compliance programme.
How Can Razorthorn Security Help?
Razorthorn’s in-house QSAs have completed additional training to allow them to guide and assess (audit) your compliance with PCI DSS version 4.0, and Razorthorn also has partnerships with key vendors for both security and compliance solutions. The combination of Razorthorn consultancy, testing and solution services addresses a broad range of PCI DSS 4.0 requirements.
Key services
- PCI DSS 4.0 Gap Analysis to evaluate your current PCI v4 compliance and identify any challenges in meeting the standard. Delivering a comprehensive report with recommendations for adjustments to achieve compliance.
- Ad hoc and ongoing support and advice, offering guidance to address immediate concerns and to sustain adherence to the standard over time.
- Razorthorn is a CREST accredited penetration testing company able to undertake penetration testing and vulnerability scanning in line with PCI DSS requirements.
- Razor’s Edge, Razorthorn’s continuous testing platform, continuously monitors applications and networks for vulnerabilities and conducts targeted manual testing on identified vulnerabilities, combining continuous scanning with expert validation and exploitation to ensure systems and networks remain secure throughout the year.
- Razorthorn’s managed phishing service is led by cybersecurity experts and supports organisations in strengthening their defence against phishing attacks while maintaining focus on core business objectives.
- Solution recommendations such as MFA, PAM, SIEM and SAST from our wide portfolio of vendors, in line with the business culture, technical environment and budget, including implementation advisory.