PCI DSS 4.0: How to Prepare for the New Requirements

December 19, 2024 | PCI DSS

New requirements are on the horizon for organizations that must comply with the Payment Card Industry Data Security Standard (PCI DSS).

In 2022, the PCI Security Standards Council (SSC) unveiled PCI DSS 4.0—an updated standard that introduced dozens of new controls and a more flexible, risk-based approach to compliance. 

As the sun sets on PCI DSS 3.2.1, the clock is ticking for organizations to implement the changes and updated requirements outlined in the 4.0 version. Here’s what you need to know ahead of the March 31, 2025 deadline.

What is PCI DSS?

PCI DSS is a globally recognized compliance framework developed by major credit card companies to reduce fraud and protect consumers’ payment card information. All organizations that process, transmit, or store consumers’ payment card data, or that could impact the security of the cardholder data environment (CDE), must comply with PCI DSS.

PCI DSS compliance involves three main components: 

  • Handling customer credit card data securely from start to finish, including ensuring that sensitive card details are collected and transmitted appropriately;
  • Storing data securely as outlined by the 12 security domains of the PCI DSS standard, which include encryption, ongoing monitoring, and security testing of access to cardholder data; and,
  • Validating that required security controls are in place on an annual basis through security questionnaires, external vulnerability scanning services, and third-party audits.

Undergoing an independent assessment by a qualified security assessor (QSA) firm like BARR Advisory empowers organizations of all sizes to demonstrate their commitment to data security and ensure their ongoing compliance with the global standard.

“For organizations that process payment card transactions, or are a service provider for companies that handle cardholder data, PCI DSS is an essential piece of a holistic compliance program,” said Cameron Kline, director of BARR’s attest services practice.

Changes on the Horizon

The latest version of PCI DSS comprises roughly 260 controls, including 64 that are new additions. Of these, 51 are designated as “future-dated controls,” which organizations are required to implement by the end of March 2025. This gives teams ample time to adapt to the new requirements—if you get started now.

Some of the biggest changes introduced in PCI DSS 4.0 include:

  • Additional authentication controls, including strict multifactor authentication (MFA) requirements when accessing the cardholder data environment; 
  • Updated password requirements, including increasing password length requirements from eight to 12 characters; 
  • Revised requirements around shared, group, and generic accounts; 
  • Clearly defined roles and responsibilities needed for each requirement; and, 
  • New requirements to prevent and detect threats against the payment industry, such as phishing, e-commerce, and skimming attacks.

PCI DSS 4.0 also introduces a new, customized method of meeting the standard’s requirements that offers organizations the flexibility to adjust their implementation process in a way that fits their unique control environment. During a PCI DSS assessment, a QSA will validate that the customized controls meet the PCI DSS requirements by reviewing an organization’s unique documented approach and developing a procedure for validating the controls. 

Next Steps for Businesses

If your organization complies with PCI DSS, you must implement the new requirements by March 31, 2025. It is a common misconception that implementation can be deferred until the next assessment by a QSA. These changes must be fully implemented before the March 31 deadline, regardless of the timing of your annual audits.

However, not all of the future-dated controls are applicable to all organizations. The new requirements are treated like any other—if they are not relevant to your specific CDE, they will not apply during your assessment.

Working with a QSA firm like BARR Advisory will help ensure a clear understanding of which requirements are applicable to your organization and how they should be implemented to maintain compliance with PCI DSS.

Still have questions about implementing PCI DSS 4.0? We can help. Contact us today to schedule a free consultation.
