Preparing for PCI DSS v4.0.1 Audit: Essential updates for 2025 compliance

As the payment industry evolves, so do the security standards that protect sensitive information. PCI DSS 4.0.1, released in 2024, refines the substantial changes introduced in version 4.0 and clarifies critical requirements as organizations as of the March 2025 deadline for implementing best practices. Understanding these updates is essential to ensure your organization maintains the highest level of security while efficiently navigating compliance requirements.

The Payment Card Industry Security Standards Council (PCI SSC) is responsible for the development and management of the PCI Data Security Standard (PCI DSS). The new PCI DSS v4.0.1 aims to:

• Meet the changing security needs of the payment industry, including data security standards
• Promote security as a continuous process
• Add flexibility
• Enhance procedures for organizations using different approaches to reach their security objectives

This new version has been designed to tackle emerging threats and technologies better than its predecessor, PCI DSS v3.2.1.

With version 4.0.1 now providing additional clarifications, organizations have a clearer path to implementing these significant changes.

Key takeaways

• The fundamental goal of PCI DSS continues to be to protect account data, with version 4.0.1 providing enhanced guidance on implementing controls in increasingly complex technology environments
• Understand the new and updated requirements of PCI DSS 4.0.1 to ensure compliance with best practices by March 31, 2025 (PCI DSS v4.0 has been replaced by v4.0.1 as the current active version)
• Utilize technology, industry experts, and advisors for robust security measures and ongoing trust with customers
• Details on updates can be found in the Summary of Changes from PCI DSS Version 3.2.1 to 4.0.1 document, which can be accessed through document library of the PCI website
• Focus on key areas of refinement in 4.0.1, including clarifications to encryption requirements, supply chain security, and continuous monitoring expectations

Key dates and deadlines for PCI DSS v4 compliance

PCI DSS 4.0 was officially released in Q1 2022, followed by version 4.0.1 in 2024, which includes important clarifications and guidance updates.

The retirement of v3.2.1 occurred on March 31, 2024. After this date, PCI DSS 4.0.1 became the only active version of the standard, replacing version 4.0.

The more recent deadline of March 31, 2025 was when all organizations must implement the best practices identified in PCI DSS 4.0.1.

As Rob, an information security lead who recently completed PCI DSS compliance, advises from the recent Thoropass webinar:

Here’s an easy at-a-glance visual to help grasp the timelines:

Overview of new and updated requirements in PCI DSS 4.0

This new version has been designed to tackle emerging threats and technologies better than its predecessor, PCI DSS v3.2.1 A significant update in PCI DSS 4.0 is the introduction of 64 new requirements, which focus on areas such as:

• Network security
• Secure configurations
• Account data
• Strong cryptography
• Malware protection
• System components and cardholder data

Moreover, PCI DSS 4.0 introduces a Customized Approach that allows organizations to adapt the standard to their specific needs as long as the intent of the requirement is met. This approach encourages organizations to consider the specifics and whether they meet the requirements when deciding if they should use the Customized Approach.

PCI DSS 4.0.1 provides essential clarifications to both technical and operational requirements, helping organizations implement effective controls with greater precision and efficiency. While it doesn’t introduce new requirements beyond those in 4.0, these clarifications significantly impact implementation approaches.

For a comprehensive understanding of the specific clarifications in PCI DSS 4.0.1, refer to the PCI DSS v4.0 to v4.0.1 Summary of Changes document available on the PCI SSC website. This document details how these refinements improve the implementation of the security controls introduced in version 4.0.

Change types

PCI DSS 4.0 introduces various changes compared to its predecessor, v3.2.1. These changes can be categorized into three main types:

1. Evolving requirement
2. Clarification or guidance
3. Structure or format

PCI DSS 4.0.1 focuses primarily on “Clarification or Guidance” type changes, with some “Structure or Format” adjustments. According to the official Summary of Changes document, there were no “Evolving Requirement” changes in this version. The majority of the updates in 4.0.1 aim to clarify existing 4.0 requirements and align them with other PCI publications released since version 4.0.

1. Evolving requirements

These refer to modifications made to existing requirements and/or new requirements. These changes often reflect the evolving nature of the payment card industry, including emerging threats and technologies. For example:

2. Clarification or guidance

Clarification or guidance are changes made to make the language or intent of a requirement clearer. These changes do not necessarily alter the underlying requirement but provide further explanation or guidance. For example:

3. Structure or Format

Structure or format changes involve adjustments to the way the standards are presented or organized. These changes aim to improve the readability and usability of the standards, making it easier for organizations to understand and implement them. For example:

Understanding these change types can help organizations better navigate the transition from PCI DSS v3.2.1 to v4.0, ensuring they fully understand and can effectively implement the new and updated requirements.

Summary new requirements

While PCI DSS 4.0.1 doesn’t introduce additional new requirements beyond those in version 4.0, it includes specific clarifications for several of these requirements. For example, it updates language around sensitive authentication data (SAD) storage from “not retained” to “not stored” after authorization, clarifies what constitutes a “legitimate and documented business need” for SAD storage, and provides additional guidance on implementing cryptographic controls to protect stored cardholder data through appropriate hashing functions and encryption algorithms.

PCI DSS 4.0 introduced several new requirements that organizations must adhere to in order to maintain compliance. Here are some of the key new requirements:

• Defining Roles: Organizations are now required to define the roles of their team members and ensure that everyone understands their responsibilities when it comes to maintaining PCI DSS compliance.
• Documenting scope: It is now required for organizations to document the scope of their cardholder data environment (CDE), including all people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.
• Securing network infrastructure files: PCI DSS 4.0 introduces a new requirement for organizations to secure their network infrastructure files. This includes ensuring that these files are stored securely and only accessible to those who need them.
• Documenting shared requirements with third-party service providers: If an organization uses third-party service providers, they are now required to document any shared responsibilities related to PCI DSS requirements. This is to ensure that both parties understand their responsibilities and there are no gaps in compliance.

These are just some of the new requirements introduced in PCI DSS 4.0. Organizations are encouraged to review the full list of requirements to ensure they are fully prepared for compliance.

New requirements included in PCI DSS v4.0 are either:  

• Effective immediately for all PCI DSS v4.0 assessments, OR
• Best practices until 31 March 2025, after which they become effective

A complete summary with applicability and effective dates can be found in the PCI DSS v4.0 Change Summary document available on the PCI SSC website.

Below summarizes the list of new requirements as outlined in the Change Summary document published by the PCI Security Standards Council:

PCI DSS 4.0.1 includes specific clarifications for several of these requirements. For example, it updates language around sensitive authentication data (SAD) storage from “not retained” to “not stored” after authorization, clarifies what constitutes a “legitimate and documented business need” for SAD storage, and provides additional guidance on implementing cryptographic controls like hashing functions and encryption algorithms.

Organizations should pay particular attention to Requirement 11.2.1, which addresses detection of unauthorized wireless access points. PCI DSS 4.0.1 clarifies that this requirement remains relevant even when organizations have policies prohibiting wireless technologies, as unauthorized devices may still be present without management knowledge.

How non-compliance can impact your organization

Failing to comply with PCI DSS 4.0 can seriously affect your organization. Non-compliance can result in financial repercussions, such as fines and loss of contracts, which may indicate unaddressed vulnerabilities and increased risk. Ensuring compliance with PCI DSS 4.0 is paramount not just for protecting your organization’s sensitive data but also for preserving a solid reputation and trust with customers and partners in the payment card industry.

In the event of a data breach, your organization may face financial penalties depending on your compliance status. This highlights the importance of staying up-to-date with the latest PCI DSS requirements and implementing the necessary security measures to protect your organization and its stakeholders.

Proper implementation of PCI DSS requirements to restrict access to cardholder data remains one of the most critical aspects of the standard. Organizations should implement role-based access controls with least privilege principles to ensure only authorized individuals can access sensitive information.

Navigate the transition to v4.0 with confidence and ease

By understanding the changes, staying up-to-date with deadlines, implementing the necessary technology, and leveraging available resources and expertise, your organization can navigate the transition to PCI DSS 4.0 compliance with confidence and ease.

Remember, the journey to PCI compliance is not a one-time event, but a continuous process that requires ongoing vigilance and dedication. By staying informed, proactive, and adaptable, your organization will not only meet the requirements of PCI DSS 4.0 but also maintain a strong reputation and trust with customers and partners in the payment card industry.