PCI DSS v4.0: What Changed and What You Need to Do Before the Deadline
PCI DSS v4.0 introduced significant changes to authentication requirements, network security, and customized implementation. If you're still on v3.2.1 controls, here's your action plan.
PCI DSS v4.0 was released in March 2022, with a transition deadline of March 31, 2024. If you're still operating under v3.2.1 controls, you're out of compliance. Here's what changed and what you need to do.
The Big Picture: What v4.0 Is About
PCI DSS v4.0 represents the most significant update to the standard in over a decade. The core themes are:
- Stronger authentication requirements — MFA is now required in more places
- Increased focus on e-commerce security — targeting Magecart-style attacks
- More flexibility through customized implementation — but with more documentation requirements
- Continuous security as a process — not just point-in-time compliance
Key Changes in v4.0
Requirement 8: Authentication
This is the biggest change for most organizations. MFA is now required for all access into the cardholder data environment (CDE) — not just remote access. This means:
- MFA required for all non-console administrative access to CDE systems
- MFA required for all user access to the CDE
- Passwords must be at least 12 characters (up from 7)
- Passwords must contain both numeric and alphabetic characters
Requirement 6: E-Commerce Security (New)
v4.0 added specific requirements targeting payment page skimming attacks (Magecart). If you have a payment page:
- Inventory all scripts on payment pages and justify each one
- Implement a Content Security Policy (CSP) for payment pages
- Monitor payment pages for unauthorized script changes
- Review payment page scripts at least once every 7 days
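As an added example (not code from this article, and not anything published by the PCI SSC), here is a stdlib-only Python checker that implements the four bullets above: it extracts every script on a payment page, computes an SRI-style sha384 token for each inline block, reports any script that is not in the approved inventory (a possible injection) or any approved script that has disappeared (a possible removal of a control), and derives a `script-src` CSP directive from the same inventory so the documented allowlist and the browser-enforced policy stay in sync. The page content, URLs and inventory entries are constructed sample data; in practice you would fetch the live page on your review schedule and keep the inventory, with its justifications, under change control.

```python
"""Payment-page script inventory, change detection and CSP derivation.

Added example, not from the article. All URLs, script bodies and the
inventory below are constructed sample data.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src= attributes, in document order
        self.inline = []     # bodies of <script> elements without src=
        self._buf = None     # accumulates the inline script currently being read

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def sri_hash(body: str) -> str:
    """SRI-style digest of a script body ("sha384-<base64>").
    The same token is valid as a CSP script-src hash source."""
    digest = hashlib.sha384(body.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def audit_payment_page(html: str, inventory: dict) -> dict:
    """Compare the scripts actually on the page with the approved inventory.
    inventory = {"external": {url: justification}, "inline": {sri_hash: justification}}
    Every non-empty list in the result is a finding."""
    collector = ScriptCollector()
    collector.feed(html)
    found_external = set(collector.external)
    found_inline = {sri_hash(body) for body in collector.inline}
    approved_external = set(inventory["external"])
    approved_inline = set(inventory["inline"])
    return {
        "unapproved_external": sorted(found_external - approved_external),
        "missing_external": sorted(approved_external - found_external),
        "unapproved_inline": sorted(found_inline - approved_inline),
        "missing_inline": sorted(approved_inline - found_inline),
    }


def build_csp(inventory: dict) -> str:
    """Derive a script-src directive: 'self', the origin of each approved
    external script, and the hash of each approved inline script."""
    sources = {"'self'"}
    for url in inventory["external"]:
        parts = urlsplit(url)
        if parts.scheme and parts.netloc:   # relative URLs are covered by 'self'
            sources.add(f"{parts.scheme}://{parts.netloc}")
    hashes = [f"'{h}'" for h in sorted(inventory["inline"])]
    return "script-src " + " ".join(sorted(sources) + hashes) + ";"


# --- constructed sample data (not a real merchant or PSP) --------------------
APPROVED_INLINE = 'window.checkoutConfig = {"merchant": "M-0001"};'

INVENTORY = {
    "external": {
        "https://js.psp.example/checkout.js": "PSP hosted card fields",
        "/static/checkout-ui.js": "first-party checkout UI",
    },
    "inline": {sri_hash(APPROVED_INLINE): "merchant configuration bootstrap"},
}

BASELINE_PAGE = f"""<html><head>
<script src="https://js.psp.example/checkout.js"></script>
<script src="/static/checkout-ui.js"></script>
</head><body>
<script>{APPROVED_INLINE}</script>
</body></html>"""

# The same page after two changes a review must surface: an extra
# third-party script and a modified inline block.
CHANGED_PAGE = BASELINE_PAGE.replace(
    "</head>",
    '<script src="https://static.third-party.example/widget.js"></script>\n</head>',
).replace(APPROVED_INLINE, 'window.checkoutConfig = {"merchant": "M-0001", "debug": true};')


if __name__ == "__main__":
    print("baseline:", audit_payment_page(BASELINE_PAGE, INVENTORY))
    print("changed: ", audit_payment_page(CHANGED_PAGE, INVENTORY))
    print("Content-Security-Policy:", build_csp(INVENTORY))
```

The checker only sees the static HTML you feed it. Scripts that other scripts load at runtime, and anything served inside a PSP's hosted iframe, are outside its view, which is why the CSP it derives (enforced by the browser on the delivered page) complements rather than replaces the inventory check.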
Requirement 12: Targeted Risk Analysis
v4.0 introduces a new concept: Targeted Risk Analysis (TRA). For certain requirements, you can now set your own frequency for activities (like log reviews or vulnerability scans) — but you must document a risk analysis justifying your chosen frequency.
The customized implementation approach in v4.0 gives you more flexibility, but it requires significantly more documentation. For most organizations, the defined approach (following the standard requirements exactly) is simpler to implement and audit.
New Requirements with Future Dates
Some v4.0 requirements were marked as "future dated" — they became mandatory on March 31, 2025. These include:
- Requirement 5.3.3: Anti-malware scans for removable media
- Requirement 6.4.3: Payment page script management
- Requirement 7.2.4: Review of all user accounts and access privileges
- Requirement 10.7.2: Failures of critical security controls detected and reported promptly
- Requirement 11.6.1: Change and tamper detection mechanism for payment pages
Your Action Plan
1. Assess your current state against v4.0 requirements — not v3.2.1
2. Prioritize MFA implementation across all CDE access
3. Implement payment page script inventory and monitoring if applicable
4. Document your Targeted Risk Analyses for flexible-frequency requirements
5. Update your policies and procedures to reference v4.0
6. Schedule a v4.0 assessment with a QSA
The Bottom Line
PCI DSS v4.0 is more demanding than v3.2.1, but it's also more aligned with modern security practices. The MFA requirements and e-commerce security controls address real attack vectors that have caused significant breaches.
If you haven't already transitioned to v4.0, you're overdue. The good news: if you have a mature security program, most of the new requirements are things you should already be doing.