The shift from PCI DSS 3.2.1 to 4.0 brings critical security enhancements to protect payment card data against evolving cyber threats. If your organization processes payments, these changes will impact you.
The below table highlights changes for each requirement:
| Requirement | PCI DSS v3.2.1 | PCI DSS v4.0 (Changes & Enhancements) |
|---|---|---|
| 1: Install and maintain a firewall configuration to protect cardholder data | Required the use of firewalls to segment networks and protect cardholder data from unauthorized access. | Expanded scope to include Network Security Controls (NSCs) instead of just firewalls, allowing organizations to use modern security solutions like cloud-based security tools. Requires more granular firewall rules review and justification for allowed traffic. |
| 2: Do not use vendor-supplied defaults for system passwords and security parameters | Mandated changing vendor default credentials before deploying any system on the network. | Strengthened requirements to include all security configurations, not just passwords. Introduced new guidance on securely configuring cloud-based and containerized environments. MFA is required for non-console administrative access to all system components. |
| 3: Protect stored cardholder data | Required encryption, truncation, masking, and hashing to protect stored cardholder data. | Enhanced cryptographic storage requirements, ensuring that stored cardholder data is protected with stronger encryption methods (e.g., AES-256). Introduced stricter key management controls and better protection of encryption keys from unauthorized access. |
| 4: Encrypt transmission of cardholder data across open, public networks | Required the use of secure transmission protocols such as TLS 1.2 and SSH. | Explicitly prohibits outdated encryption protocols (e.g., SSL, early TLS). Mandates continuous monitoring of encryption methods, requiring organizations to automate monitoring for transmission security failures. |
| 5: Protect all systems and networks from malicious software | Required antivirus software on all systems commonly affected by malware. | Shifted to a risk-based approach, allowing organizations to implement Endpoint Detection and Response (EDR), behavioral monitoring, and AI-driven security instead of just traditional antivirus. Introduced specific anti-malware protections for cloud workloads. |
| 6: Develop and maintain secure systems and applications | Required organizations to apply critical security patches within a defined timeframe. | Expanded to require a Secure Software Development Lifecycle (SDLC). Strengthened multi-factor authentication (MFA) requirements for application developers and administrators. Introduced specific guidance for cloud security, API security, and DevOps security. |
| 7: Restrict access to cardholder data by business need to know | Required access control measures based on job roles and responsibilities. | Strengthened Identity and Access Management (IAM) controls, introducing Zero Trust principles. Requires organizations to review access privileges more frequently and document justifications for access. |
| 8: Identify and authenticate access to system components | Required strong authentication methods and passwords for access to system components. | MFA now required for all access to cardholder data, not just admin accounts. Introduced stronger password requirements, including longer minimum password lengths and adaptive authentication measures such as risk-based authentication. |
| 9: Restrict physical access to cardholder data | Required security controls for physical access, such as badges, cameras, and visitor logs. | Introduced real-time logging and alerting for physical access. Strengthened visitor access controls and mandated the logging of all physical access attempts, even unsuccessful ones. |
| 10: Track and monitor all access to network resources and cardholder data | Required logging of user activities and retention of logs for at least 12 months. | Expanded requirements to include real-time security event monitoring using SIEM (Security Information and Event Management) solutions. Mandated automated log correlation and anomaly detection to improve security response times. |
| 11: Regularly test security systems and processes | Required annual penetration testing and quarterly vulnerability scanning. | Introduced continuous security testing requirements, including automated scanning and real-time penetration testing approaches. Mandated organizations to demonstrate a robust security testing methodology instead of just periodic testing. |
| 12: Support information security with organizational policies and programs | Required organizations to implement a comprehensive security policy that is reviewed annually. | Strengthened security awareness training, requiring ongoing training programs instead of just annual training. Mandated the inclusion of social engineering testing in security awareness programs. Required organizations to perform risk assessments annually and implement a customized approach if standard controls cannot be met. |
The below table highlights changes for each category.
| Category | PCI DSS v3.2.1 | PCI DSS v4.0 | Key Changes & Implications |
|---|---|---|---|
| Authentication & Access Control | Multi-Factor Authentication (MFA) required for admin access to the Cardholder Data Environment (CDE). | MFA is required for all accounts accessing the CDE, including non-admin users. | Expanded MFA enforcement reduces the risk of unauthorized access. |
| Password Requirements | Minimum password length: 7 characters. Passwords changed every 90 days. | Minimum password length: 12 characters (or 8 characters if additional security measures are implemented). | Stronger password policies to enhance security. |
| Encryption Standards | Use of TLS 1.2 or higher required for data encryption. Legacy encryption protocols allowed in certain cases. | Stronger cryptographic requirements with TLS 1.2+ mandatory. Weak encryption methods phased out. | Ensures encryption is in line with evolving security threats. |
| Risk-Based Approach | Compliance was prescriptive—specific controls must be followed. | Introduces a Customized Approach, allowing organizations to implement alternative security measures if they meet the same security objective. | Greater flexibility while maintaining security effectiveness. |
| E-commerce & Web Security | Basic guidelines for securing online transactions. | Expanded requirements for phishing protection, e-commerce security, and web application firewalls (WAFs). | Addresses modern cyber threats like account takeovers and web-based attacks. |
| Security Awareness Training | General security training required for employees. | More emphasis on phishing, social engineering, and security best practices. | Strengthens the human factor in cybersecurity. |
| Monitoring & Logging | Logs must be reviewed daily, but requirements were less stringent. | Enhanced logging and real-time threat detection using automated tools. | Helps organizations detect and respond to threats faster. |
| Penetration Testing | Annual penetration testing required. | Risk-based penetration testing required, considering emerging threats. | Adaptive security testing based on real-world risks. |
| Third-Party Security (Vendors & Partners) | Vendors handling payment data must comply with PCI DSS. | Stricter third-party risk management requirements, including security assessments. | Strengthens supply chain security to prevent breaches. |
| Incident Response & Threat Detection | Incident response plans were required but lacked clear testing guidelines. | Incident response plans must be tested regularly and include ransomware & emerging threats. | Improves preparedness for cyberattacks like ransomware. |
| Cloud Security | Limited guidance on cloud environments. | Expanded cloud security requirements, ensuring security responsibilities are clearly defined between cloud providers and clients. | Addresses modern cloud adoption trends and shared security responsibilities. |
| Firewall & Network Security | Firewalls required for segmentation of payment environments. | More detailed requirements for firewall rule reviews and automated network security monitoring. | Improves security for complex network architectures. |
| Scope Definition & Risk Assessment | Scope definition was relatively fixed. | Enhanced scoping guidance to ensure organizations identify all assets handling cardholder data. | Reduces hidden risks and overlooked assets in compliance assessments. |
The revised PCI DSS 4.0 standard was published on March 31, 2022. The key deadlines are March 31, 2024 which is the date on which the previous version (PCI DSS 3.2.1) is retired. Compliance with PCI DSS 4.0 is compulsory after this date. However, some of the requirements of PCI DSS 4.0 are flagged as best practice until March 31, 2025, at which point they too become mandatory.
Information Security Blogs 