PCI DSS v4.0 became the only active version of the standard on April 1, 2024 (v3.2.1 was retired on March 31, 2024), and it introduced 47 new requirements. A 12-month transition period allowed organizations to adopt them. As of March 31, 2025, these formerly “best practice” requirements are mandatory. If your report on compliance (ROC) was issued before that deadline, your assessor may simply have marked these requirements as Not Applicable. If you haven’t yet addressed them, now is the time, to avoid a lapse in compliance.
The purpose of this blog is to highlight some of these requirements and provide considerations on implementation.
PCI 4.0 Sensitive Authentication Data (SAD) Requirements
Refers to PCI DSS Req 3.2.1, 3.3.2, 3.3.3
PCI DSS has always required data retention and disposal policies and procedures. It now also requires that any SAD stored electronically before authorization is completed be encrypted with strong cryptography (3.3.2), and that retention periods and disposal processes be defined specifically for that pre-authorization SAD (3.2.1; 3.3.3 applies the same encryption requirement to issuers with a legitimate business need to store SAD). The policies and procedures should specify how long the data is kept and where it is stored so that it can be securely deleted once it is no longer needed. Your assessor will verify that the implementation matches your organization’s policies. For the encryption, use cryptographic keys that are separate from the keys protecting stored PAN; if one key protects both, a single key compromise exposes both.
PCI DSS 4.0 Primary Account Number Protection
Refers to PCI DSS Req 3.4.2, 3.5.1.1, 3.5.1.2, 3.6.1.1, 4.2.1, 4.2.1.1
When remote-access technologies are used, technical controls must prevent PAN from being copied or relocated to local storage unless there is a documented, explicitly authorized business need (3.4.2). Virtual desktop platforms typically let you disable clipboard redirection, client drive mapping, and printing for the session, which is the usual way to meet this.
If hashes are used to render PAN unreadable, they must be keyed cryptographic hashes (3.5.1.1): a hash computed with a secret key, such as an HMAC, rather than a plain hash or a hash with a salt. A PAN has very little entropy (fixed length, a known BIN range, a Luhn check digit), so an unkeyed hash can be brute-forced by anyone who obtains it; with a keyed hash the attacker cannot test candidates without the key. That key must be managed under the same key-management controls as any other cryptographic key (Requirements 3.6 and 3.7).
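To make the brute-force point concrete, here is an added example (not code from the original post) that recovers a PAN from an unkeyed SHA-256 hash and then fails against an HMAC of the same PAN. It assumes the attacker also holds the truncated form of the PAN (first six and last four digits), which is common in reporting databases; the card number is the well-known Visa test number 4111 1111 1111 1111 and the HMAC key is generated on the spot for the demo, standing in for an HSM- or KMS-managed key.

```python
# Added example (not code from the original post): why PCI DSS 3.5.1.1 insists on
# a *keyed* hash.  A PAN has almost no entropy, so an unkeyed SHA-256 of it can be
# brute-forced, and if a truncated form (first six / last four) of the same PAN is
# also stored the search space shrinks to 100,000 candidates.  The PAN is the
# well-known Visa test number 4111 1111 1111 1111; the key is generated here for
# the demo and stands in for an HSM- or KMS-managed key.
import hashlib
import hmac
import secrets
from typing import Callable, Optional, Tuple


def luhn_weighted_sum(pan: str) -> int:
    """Sum of Luhn-weighted digits (positions counted from the right)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_ok(pan: str) -> bool:
    return luhn_weighted_sum(pan) % 10 == 0


def sha256_hex(pan: str) -> str:
    """Unkeyed hash: anyone holding the hashes can recompute and test candidates."""
    return hashlib.sha256(pan.encode()).hexdigest()


def hmac_sha256_hex(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256): without the key no candidate can be tested."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def brute_force_from_truncated(target_hex: str, first6: str, last4: str,
                               hash_fn: Callable[[str], str]) -> Optional[str]:
    """Recover a 16-digit PAN from its hash when the truncated PAN is also known.

    Only the six middle digits are unknown, and the Luhn check digit fixes one
    of them, so at most 10**5 candidates have to be hashed.
    """
    assert len(first6) == 6 and len(last4) == 4
    for free in range(100_000):
        stem = f"{first6}{free:05d}"
        # The sixth middle digit sits at an undoubled Luhn position (5th from the
        # right), so it is simply whatever brings the checksum to 0 mod 10.
        check = (-luhn_weighted_sum(stem + "0" + last4)) % 10
        candidate = f"{stem}{check}{last4}"
        if hash_fn(candidate) == target_hex:
            return candidate
    return None


PAN = "4111111111111111"
FIRST6, LAST4 = PAN[:6], PAN[-4:]


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Returns (PAN recovered from the unkeyed hash, PAN recovered from the keyed hash)."""
    unkeyed_target = sha256_hex(PAN)
    recovered = brute_force_from_truncated(unkeyed_target, FIRST6, LAST4, sha256_hex)

    key = secrets.token_bytes(32)            # demo key; never stored beside the hashes
    keyed_target = hmac_sha256_hex(PAN, key)
    # The attacker holds the hash and the truncated PAN but not the key, so the
    # best they can do is run the same search under a guessed key.
    attacker_key = bytes(32)
    not_recovered = brute_force_from_truncated(
        keyed_target, FIRST6, LAST4, lambda p: hmac_sha256_hex(p, attacker_key))
    return recovered, not_recovered


if __name__ == "__main__":
    print(demo())  # ('4111111111111111', None)
```

The unkeyed search finishes in about a second on a laptop, which is also why PCI DSS requires that hashed and truncated versions of the same PAN cannot be correlated. Replacing the key with a salt stored next to the hashes does not help: the salt is public to whoever has the table, so the search cost is unchanged.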
If disk-level or partition-level encryption is used to render PAN unreadable, it may be used on its own only for removable electronic media; on non-removable media it must be combined with another method that meets 3.5.1, such as a keyed hash, truncation, or index tokens (3.5.1.2). Disk and partition encryption protect data only while the medium is at rest: the whole volume is encrypted under one key and decrypted transparently for any process or user that can access the running system, so it does nothing to protect PAN from a compromised account or application.
Finally, assessors must verify that the certificates used to protect PAN in transit over open, public networks are valid, not expired, and not revoked (4.2.1), and that an inventory of the entity’s trusted keys and certificates is maintained (4.2.1.1). This may seem obvious, but it is now an explicit requirement, and an expired or self-signed certificate that clients have been trained to click through is a finding.
Enhanced Anti-Malware Requirements in PCI 4.0
Refers to PCI DSS Req 5.3.2.1, 5.3.3, 5.4.1
While most organizations now rely on real-time, behavior-based detection and response, those that still depend on periodic malware scans must set the scan frequency through a targeted risk analysis (5.3.2.1), a concept introduced in PCI DSS v4.x. See the risk-analysis section below for details.
The scope of malware protection also now explicitly covers removable electronic media (5.3.3). Attackers preload malware onto USB drives and similar devices, so the anti-malware solution must scan the media automatically when it is inserted, connected, or mounted, or continuously analyze the behavior of the system while it is attached.
Additionally, organizations must have processes and automated mechanisms in place to detect and protect personnel against phishing attacks (5.4.1). Email authentication is the foundation: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) let a receiving server verify who sent a message, and a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy of quarantine or reject tells it to discard messages that fail. Together these stop exact-domain spoofing of your own domains (though not look-alike domains), so they are typically paired with link and attachment scanning at the mail gateway and anti-malware on endpoints.
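A practical check for this control is whether the published records actually enforce anything. The following is an added example (not code from the original post) that parses a DMARC record and an SPF record and lists the reasons they would fail to block spoofed mail: a monitor-only policy, a partial rollout, no reporting address, or an SPF record that ends in +all. The records are constructed for the demo (example.com is a reserved documentation domain); in practice you would fetch them with a DNS resolver.

```python
# Added example (not code from the original post): a sanity check on the DNS TXT
# records behind the anti-phishing controls above.  SPF and DKIM on their own only
# let a receiver *evaluate* a message; it is the DMARC policy that tells it what to
# do with a failure, and the common starting point "p=none" blocks nothing.  The
# records below are constructed for the demo; in practice fetch them via DNS.
from typing import Dict, List

SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> List[str]:
    """Reasons this DMARC record would not actually stop spoofed mail."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    findings: List[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag")
    elif policy == "none":
        findings.append("p=none: failing mail is still delivered (monitor-only)")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy {policy!r}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing goes unnoticed")
    if tags.get("sp") == "none":
        findings.append("sp=none: subdomains are left unprotected")
    return findings


def spf_findings(record: str) -> List[str]:
    """Flag an SPF record whose 'all' passes anyone or that breaks the 10-lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings: List[str] = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all: every sender passes SPF")
    elif last == "?all":
        findings.append("?all: neutral result, failures are never flagged")
    elif last not in ("-all", "~all"):
        findings.append("record does not end in an 'all' mechanism")
    # Only top-level terms are counted here; included records add their own lookups.
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms at top level: exceeds the limit of 10, SPF will permerror")
    return findings


# Constructed sample records (example.com is a reserved documentation domain).
WEAK = {
    "_dmarc.example.com": "v=DMARC1; p=none; pct=50",
    "example.com": "v=spf1 include:_spf.mail.example +all",
}
STRONG = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
}


def audit(records: Dict[str, str], domain: str) -> List[str]:
    """Combined findings for a domain's DMARC and SPF records."""
    return dmarc_findings(records[f"_dmarc.{domain}"]) + spf_findings(records[domain])


if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit(recs, "example.com"))
```

Run it against your own domains (and, importantly, against parked or unused domains you own, which should carry p=reject with no SPF senders at all). DKIM is not checked here because its records live under per-selector names that cannot be enumerated without knowing the selectors.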
Expanded Vulnerability Management & Detection
Refers to PCI DSS Req 6.3.2, 6.4.2, 6.4.3
To manage vulnerabilities and patches effectively, you need to know what software you are running. Requirement 6.3.2 therefore makes it mandatory to maintain an inventory of all bespoke and custom software, together with the third-party software components (libraries, frameworks, SDKs) incorporated into it, so that newly disclosed vulnerabilities in those components can be identified and patched promptly.
Additionally, for public-facing web applications, the option in requirement 6.4.1 to rely on periodic manual or automated vulnerability assessments has been retired; an automated technical solution that continually detects and prevents web-based attacks, such as a web application firewall, is now required (6.4.2). Once 6.4.2 is in place, the superseded 6.4.1 is marked not applicable in the ROC. Requirement 6.4.3 further requires that every script loaded and executed in the consumer’s browser on a payment page be authorized, inventoried with a written justification, and integrity-checked.
Access Control Requirements Under PCI DSS 4.0
Refers to PCI DSS Req 7.2.4, 7.2.5, 7.2.5.1
Regular access reviews catch accounts that have accumulated more privilege than their role needs. All user accounts and their associated privileges must be reviewed at least once every six months (7.2.4), and application and system accounts and their privileges must be reviewed at a frequency set by a targeted risk analysis (7.2.5, 7.2.5.1). In both cases the review must confirm that the access is still appropriate for the job function or the account’s purpose, inappropriate access must be removed, and management must acknowledge the result.
Strengthened Authentication Controls
Refers to PCI DSS Req 8.3.6, 8.3.10.1, 8.4.2, 8.5.1, 8.6.1, 8.6.2, 8.6.3
Requirement 8.3.6 strengthens passwords and passphrases wherever they are used as an authentication factor: they must be at least 12 characters long (or, if the system does not support 12, at least 8) and contain both numeric and alphabetic characters. This applies whether the password is the only factor or one factor of an MFA login.
For service providers, if passwords or passphrases are the only authentication factor for customer user access to cardholder data (8.3.10.1), the provider must either force those passwords to change at least every 90 days or dynamically analyze the accounts’ security posture so that potentially compromised credentials are detected and acted on in real time.
Additionally, MFA is required for all non-console access into the cardholder data environment (CDE) (8.4.2), and the MFA system itself must be implemented properly (8.5.1): it must not be susceptible to replay attacks, it cannot be bypassed by any user (administrators included) except under a documented, time-limited exception, it must use at least two different types of factor, and success must require all factors. Protection against replay means that a captured one-time code or session token is useless a second time; unique session identifiers and session keys, timestamps, and time-based one-time passwords (which are bound to a short time step and should be accepted only once) are the usual methods.
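The subtle part of “not susceptible to replay” is that a TOTP code is typically honored for a minute or more of clock skew, so a code captured from a user can be resubmitted by an attacker inside that window unless the server remembers what it has already accepted. The following is an added example (not code from the original post) of an RFC 6238 TOTP verifier with that guard: it tracks the last time step consumed per user and refuses anything at or before it. The seed is the RFC 6238 test-vector seed, not real key material.

```python
# Added example (not code from the original post): a TOTP (RFC 6238) verifier that
# is replay-resistant in the sense Requirement 8.5.1 asks for.  Each code is bound
# to a 30-second time step, and the verifier refuses any code for a step at or
# before the last step it already accepted, so a code captured in transit cannot be
# presented a second time even while it is still "valid" on the clock.  The seed
# is the RFC 6238 test-vector seed, not real key material.
import hashlib
import hmac
import struct
from typing import Tuple


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server side: accepts a code once, never for a step already consumed."""

    def __init__(self, key: bytes, step: int = 30, drift_steps: int = 1):
        self.key = key
        self.step = step
        self.drift_steps = drift_steps   # tolerate this many steps of clock skew
        self.last_accepted_step = -1     # persist this per user in a real deployment

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for candidate in range(current - self.drift_steps, current + self.drift_steps + 1):
            if candidate <= self.last_accepted_step:
                continue                 # replay guard: this step has already been used
            if hmac.compare_digest(hotp(self.key, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


RFC6238_SEED = b"12345678901234567890"   # RFC 6238 Appendix B seed, demo only


def demo() -> Tuple[bool, bool, bool]:
    """Returns (first use accepted, same code replayed 11 s later, fresh code accepted)."""
    v = TotpVerifier(RFC6238_SEED)
    code = totp(RFC6238_SEED, 59)                 # "287082" per RFC 6238 Appendix B
    first = v.verify(code, 59)
    # Step 1 is still inside the drift window at t=70; without the guard it would pass.
    replayed = v.verify(code, 70)
    fresh = v.verify(totp(RFC6238_SEED, 95), 95)  # next step: accepted
    return first, replayed, fresh


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The same idea applies to HOTP counters and to session tokens (a nonce table or a monotonically increasing sequence per session). Note the constant-time comparison: a verifier that compares codes with `==` leaks timing and is a separate, quieter finding.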
System and application accounts should not permit interactive login at all. Where interactive use is unavoidable (8.6.1), it must be limited to exceptional circumstances and to the time needed, a business justification must be documented and explicitly approved, the individual using the account must be identified before access is granted so that every action is attributable to a person, and the credentials should be brokered through a password vault or privileged access management tool rather than shared. Requirement 8.6.2 further prohibits hard-coding these passwords in scripts, configuration or property files, and bespoke or custom source code.
Finally, passwords or passphrases for application and system accounts (whether or not they allow interactive login) must be changed periodically at the frequency defined in the targeted risk analysis and whenever compromise is suspected, and their complexity must be sufficient for the frequency at which they change (8.6.3).
Automated Logging & Monitoring Requirements
Refers to PCI DSS Req 10.4.1.1, 10.4.2.1, 10.7.2, 10.7.3
Manual log review does not scale to the volume of events a modern environment generates, so PCI DSS now requires automated mechanisms to perform the daily audit log reviews of 10.4.1 (10.4.1.1): the logs of all security events, of every system component that stores, processes, or transmits cardholder data or SAD, and of critical components and security-function servers are fed to a tool such as a security information and event management (SIEM) platform with alerting rules, which is also what makes detection continuous rather than a once-a-day exercise. For all other system components, the frequency of periodic log review is determined through a targeted risk analysis (10.4.2.1).
The previous version required only service providers to detect, address, and respond promptly to failures of critical security control systems. Version 4 extends this to all entities (10.7.2, 10.7.3) and lengthens the list of systems that count as critical security controls to include audit log review mechanisms and, where used, automated security testing tools, alongside network security controls, IDS/IPS, change-detection mechanisms, anti-malware, physical and logical access controls, audit logging, and segmentation controls.
Comprehensive Security Testing Mandates
Refers to PCI DSS Req 11.3.1.1, 11.4.7, 11.5.1.1, 11.6.1
The prior version required remediation and rescanning only for high-risk and critical vulnerabilities found by internal vulnerability scans. Requirement 11.3.1.1 extends this to all other applicable vulnerabilities: they must be addressed, and rescans performed as needed, at a priority and timeline set by the targeted risk analysis.
Multi-tenant service providers must support their customers’ external penetration testing (11.4.7). All service providers must also use intrusion-detection and/or intrusion-prevention techniques to detect, alert on, and prevent covert malware communication channels (11.5.1.1); methods that help here include real-time endpoint scanning, egress traffic filtering, allow-listing of outbound destinations, and data loss prevention tools.
Finally, to detect and respond to unauthorized changes to payment pages, organizations must deploy a change- and tamper-detection mechanism (11.6.1) that evaluates the security-impacting HTTP headers and the contents of the payment page (its scripts in particular) as received by the consumer browser, and alerts personnel to unauthorized modifications, including additions, deletions, and indicators of compromise. The check must run at least weekly or at the frequency determined through a targeted risk analysis.
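What such a mechanism does, stripped to its core, is compare what the browser would receive now against a baseline captured when the page was last authorized. The following is an added example (not code from the original post) of that comparison: it snapshots the security-impacting response headers and every script on the page (external scripts by src, inline scripts by SHA-256 of their body), then reports header changes and added or removed scripts, which is the signature of a web skimmer. It also doubles as the script inventory check 6.4.3 asks for. The HTML, headers, and domains (js.psp.example, cdn.attacker.example) are constructed for the demo; a real deployment fetches the page the way a browser does, from outside the CDE, on the schedule set by the targeted risk analysis.

```python
# Added example (not code from the original post) of the change- and tamper-
# detection check Requirement 11.6.1 asks for.  It snapshots what the consumer's
# browser would receive from the payment page, the security-impacting response
# headers and every script (external src, or a hash of each inline body), and
# reports any difference on a later fetch.  The HTML, headers and domains are
# constructed for the demo.
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Optional

SECURITY_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")


class _ScriptCollector(HTMLParser):
    """Collects 'src:<url>' for external scripts and 'inline:<sha256>' for inline ones."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[str] = []
        self._in_script = False
        self._buf: List[str] = []
        self._src: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._buf = []
            self._src = dict(attrs).get("src")

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            if self._src:
                self.scripts.append(f"src:{self._src}")
            else:
                body = "".join(self._buf)
                self.scripts.append("inline:" + hashlib.sha256(body.encode()).hexdigest())
            self._in_script = False


def snapshot(headers: Dict[str, str], html: str) -> Dict[str, object]:
    """Everything 11.6.1 cares about: security headers and the script set."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    lower = {k.lower(): v for k, v in headers.items()}
    return {"headers": {h: lower.get(h) for h in SECURITY_HEADERS},
            "scripts": sorted(parser.scripts)}


def compare(expected: Dict[str, object], observed: Dict[str, object]) -> List[str]:
    """Alerts for any drift from the authorized baseline."""
    alerts: List[str] = []
    for h in SECURITY_HEADERS:
        if expected["headers"][h] != observed["headers"][h]:
            alerts.append(f"header changed: {h}: {expected['headers'][h]!r} -> {observed['headers'][h]!r}")
    exp, obs = set(expected["scripts"]), set(observed["scripts"])
    alerts += [f"script added: {s}" for s in sorted(obs - exp)]
    alerts += [f"script removed: {s}" for s in sorted(exp - obs)]
    return alerts


# Constructed sample: a healthy fetch and a tampered fetch of the same page.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.psp.example",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}
GOOD_HTML = """<html><body>
<form id="pay" action="/checkout" method="post"><input name="pan"></form>
<script src="https://js.psp.example/checkout.js"></script>
<script>document.getElementById("pay").addEventListener("submit", validate);</script>
</body></html>"""

# Skimmer scenario: CSP loosened to admit a new origin, and a script injected.
TAMPERED_HEADERS = dict(GOOD_HEADERS, **{
    "Content-Security-Policy": GOOD_HEADERS["Content-Security-Policy"] + " https://cdn.attacker.example"})
TAMPERED_HTML = GOOD_HTML.replace(
    "</body>", '<script src="https://cdn.attacker.example/s.js"></script></body>')


def demo() -> List[str]:
    baseline = snapshot(GOOD_HEADERS, GOOD_HTML)   # captured once, stored out of band
    return compare(baseline, snapshot(TAMPERED_HEADERS, TAMPERED_HTML))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Two design points matter in practice. Hashing inline bodies rather than diffing text means a single changed character (say, a form handler renamed) raises an alert, and keeping the baseline outside the web tier means an attacker who owns the server cannot quietly update it. Feed the alerts into the incident response process, as 12.10.5 requires.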
PCI 4.0 Scope Validation for Service Providers
Refers to PCI DSS Req 12.5.2.1, 12.5.3
Because service providers typically handle higher transaction volumes and run more complex networks, they must document and confirm their PCI DSS scope at least once every six months and whenever there is a significant change to the in-scope environment (12.5.2.1). Significant changes to organizational structure (a merger, acquisition, or reorganization, for example) also require a documented review of the impact on PCI DSS scope and on the applicability of controls, with the results communicated to executive management (12.5.3).
Updated Security Awareness Training Requirements
Refers to PCI DSS Req 12.6.2, 12.6.3.1, 12.6.3.2
As the saying goes, humans are the weakest link in cybersecurity, which makes security awareness training a crucial part of the defense. The security awareness program must be reviewed at least once every 12 months and updated to address new threats and vulnerabilities (12.6.2). It must also cover how to identify, react to, and report phishing and social engineering attempts (12.6.3.1) and the acceptable use of end-user technologies (12.6.3.2).
Improved Incident Response Requirements
Refers to PCI DSS Req 12.10.4.1, 12.10.5
While a security incident response plan has always been a PCI DSS requirement, version 4 extends the list of monitoring systems whose alerts the plan must cover to include the change- and tamper-detection mechanism for payment pages required by 11.6.1 (12.10.5), so that an alert from that mechanism triggers the incident process rather than landing in an unread mailbox. Personnel with incident response responsibilities must also be trained at a frequency defined in the targeted risk analysis (12.10.4.1).
New Risk Assessment Framework
Refers to PCI DSS Req 12.3.1, 12.3.3, 12.3.4
To reduce the risk of relying on outdated or weak cryptographic cipher suites and protocols, hardware, and software, organizations must keep an inventory of each, monitor industry trends for anything approaching end of life or known weakness, and review the inventory at least once every 12 months with a documented plan to respond (12.3.3, 12.3.4).
For each PCI DSS requirement that allows the entity to set its own frequency or approach, a targeted risk analysis (12.3.1) must be documented, using the template the PCI Security Standards Council published with its guidance, identifying the assets, the threat, and the likelihood and impact of that threat, and justifying the chosen frequency. Each analysis must be reviewed at least every 12 months to confirm its conclusions still hold. This gives an entity flexibility over how often a control runs, based on its actual risk exposure, in exchange for writing the reasoning down.
Next Steps for Achieving PCI DSS 4.0 Compliance
If your entity accepts, processes, transmits, or stores payment card data, whether directly or indirectly, the PCI DSS standards may apply to your entity. Navigating PCI DSS 4.0’s complex requirements doesn’t have to be overwhelming. As a Qualified Security Assessor Company, Linford and Company specializes in guiding organizations through PCI DSS compliance audits alongside our comprehensive services – from SOC 1 audits and SOC 2 audits to ISO/IEC 27001:2022, HITRUST assessments, and more. Ready to ensure your organization meets these critical requirements? Contact our team to discuss your compliance strategy.

Jenny has been in risk advisory and compliance since 2008. She spent 7 years at Ernst & Young where she was responsible for both audit and advisory engagements across financial services, energy, technology, and healthcare sectors. Since 2015, she has been focusing on serving SaaS-based companies, assessing their control environments as part of SOC reporting, HIPAA compliance, and HITRUST certification initiatives. She is a certified information systems auditor (CISA), HITRUST assessor (CCSFP), information systems security professional (CISSP), and AWS cloud practitioner. Jenny received her Bachelor of Science and Master’s degrees in Information Systems Management from Brigham Young University.