The Most Impactful Changes to PCI DSS v4.0

by Hannah Grace Holladay / April 3rd, 2023

Auditor Insights Webinar Recap

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards established to protect credit and debit card transactions from fraud and data breaches. The standard is updated regularly to adapt to new security threats and changes in technology.

Version 4.0 will be released and required by March 2025.  In this webinar hosted by PCI-expert Randy Bartels, we explore the most impactful changes in this updated version.  This blog will summarize the major changes, and the full recording of the webinar is available for you to watch at the end.

PCI DSS v4.0 Overview

There are four goals of this new version:

  • Continue to meet the security needs of the payment industry
  • Promote security as a continuous process
  • Add flexibility for different approaches
  • Enhance the validation methods

You can learn more about this version at Council’s Resource Hub and

KirkpatrickPrice’s PCI DSS Resource Page.

Summary of Changes

There are 64 new requirements in PCI version 4.0.  53 are applicable to everyone, and 11 are only applicable to service providers.   All of these new requirements must be in place by March 31, 2025, and it is recommended that any assessment after March 31, 2024, be performed against version 4.

Some notable changes to PCI DSS v4.0 include:

  • Retention of Sensitive Authentication Data (SAD)
  • Encryption of cardholder data (CHD)
  • Authenticated vulnerability scans
  • Application security
  • Targeted risk analysis
  • User access reviews
  • User authentication changes
  • Automated log reviews
  • Anti-phishing requirements
  • Virus scanning when inserting removable media
  • Detecting failures of critical security controls
  • Security awareness training enhancements
  • Incident response program enhancements

Let’s dive a little deeper into the specific changes we believe will be the most impactful:

Increased flexibility: Defined vs. Customized Approach

Version 4.0 aims to provide more flexibility in how organizations can implement the requirements while still maintaining the same level of security.  The defined approach is how PCI has always been conducted: a prescribed, point by point approach.  Compensating controls can be used if there are any constraints.  The new customized approach allows risk-mature organizations to use DIY controls to meet control objectives.  Appendix D & E provides additional documentation.

Improved scoping and segmentation

Version 4.0 provides more guidance on scoping and segmentation of the cardholder data environment to ensure that all systems and components are properly protected.  Control 12.5.2 states that, “PCI DSS scope is documented and confirmed at least once every 12 months.”  This means that scope comes first.  There are seven items that need to be validated annually or semi-annually for service providers.

Stronger Encryption of Stored Cardholder Data

If hashes are used, hashes must be based on keyed cryptographic hashing algorithms and backed by an encryption key that is managed per key management requirements. This applies to anywhere where a hash of the PAN is stored – databases, audit logs, backups, etc.

Additionally, disk encryption can no longer be the only means for encrypting CHD. Another method of encryption from requirement 3.5.1 will need to be employed.

Retention of Sensitive Authentication Data (SAD)

Retention of Sensitive Authentication Data after authorization has always been prohibited. Sensitive Authentication Data includes Track Data, security codes, and PIN blocks.  The new requirements apply to storing SAD before authorization. Data retention policies need to address the retention of SAD during pre-authorization.  All SAD stored during pre-authorization must be encrypted with strong cryptography.

Vulnerability Management

All internal vulnerability scans must now authenticate to the system.  The scanner should have privileged access.  Historically, internal vulnerability scans have been “anonymous, network-based scans.”  They query the IP address for open ports and then test each port for vulnerabilities.  With authenticated scans, the scanning tool logs into the system as a privileged user and directly queries.  This is a much more thorough scan, and that means there could be a significant increase in findings.

Application Security

A web application firewall is required. Change and tamper detection for all payment ages is now required.

Anti-Phishing Controls

With version 4, there are a new set of controls to help prevent phishing attacks. Technical controls need to be implemented to detect and prevent phishing attacks.  Additionally, phishing-  and social engineering-specific security awareness training needs to occur.

Multi-Factor Authentication

Currently, multi-factor authentication (MFA) is required for all non-console administrative access as well as all remote (e.g., SSLVPN) user access. Starting in 2025, all access to the Cardholder Data Environment must require MFA. Remote access MFA will still be required.

Targeted Risk Analysis

Many requirements now allow you to define the frequency of various controls, such as anti-virus scanning or password expiration limitations. To go along with this flexibility, the PCI Council also instituted what they’re calling a “targeted risk analysis” or TRA. This new TRA completely replaces the “enterprise-wide risk assessment” requirement in 12.2.  Many other security frameworks will still require such a thing, but PCI is now looking for something that speaks directly to the risks to CHD.  Make sure you listen to the full webinar record (link below) to walk through an example of how to perform a TRA for one of the six items it applies to.

Successfully Prepare for the PCI DSS Changes with KirkpatrickPrice

We understand that the upcoming PCI changes can feel intimidating.  We hope that our webinar, and its subsequent recap, help make it more manageable.  Overall, the changes to PCI DSS version 4.0 reflect the ongoing evolution of security threats and the need to adapt to new technologies and business practices while maintaining a strong security posture.

Check out the full recording of our webinar to dive even deeper into the changes coming to PCI.  If you still have questions, our PCI experts are ready to help.  

Connect with one of our experts today!

About the Author

Hannah Grace Holladay

Hannah Grace Holladay is an experienced content marketer with degrees in both creative writing and public relations. She has earned her Certificate in Cybersecurity (CC) certification from (ISC)2 and has worked for KirkpatrickPrice since November 2019, starting first as a Professional Writer before moving to the marketing team as our Content Marketing Specialist. Her experience at KirkpatrickPrice and love for storytelling inspires her to create content that educates, empowers, and inspires the cybersecurity industry.