
PCI DSS v4

Amid the exponential growth of credit card fraud and data breaches, the Payment Card Industry Data Security Standard (PCI DSS) was created in 2004 by five major credit card companies: Visa, Mastercard, Discover, JCB, and American Express.


According to the PCI Security Standards Council, the body responsible for developing the guidelines, the “PCI Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect account data.”


The minimum requirements established in PCI DSS apply to all entities that handle payment card information, including merchants, service providers, and financial institutions. The latest version, PCI DSS v4, introduced key changes to address evolving cybersecurity threats and modernise the standard for today's payment ecosystem.

What is the purpose of PCI DSS?

The fundamental aim of PCI DSS is to safeguard and optimise the security of credit, debit, and cash card transactions and to prevent cardholders’ personal information, such as credit card numbers, expiration dates, and security codes, from being exploited.


Compliance with PCI DSS helps businesses minimise the risk of data breaches, fraud, and identity theft. It achieves this by providing a framework for adhering to industry best practices when processing, storing, and transmitting credit card data.


The PCI Security Standards Council created six major goals for PCI DSS:


  • Build and maintain a secure network and systems

  • Protect cardholder data

  • Maintain a vulnerability management programme

  • Implement strong access control measures

  • Regularly monitor and test networks

  • Maintain an information security policy

PCI DSS v4

In March 2022, the PCI DSS underwent its most significant update in almost four years with the release of version 4. In November 2023, the first minor revision, v4.0.1, was published. Following a transition period, the new requirements became effective on 1 April 2025.


The previous version, PCI DSS v3.2.1, was released in 2018. Since then, the cybersecurity landscape has undergone rapid evolution.


The latest major iteration, PCI DSS v4, introduces notable changes to the requirements, with a focus on maintaining security as a continuous process and on new methods for meeting requirements. This update aims to ensure the standard keeps pace with the evolving needs of the payment card industry and with the new technologies being adopted on a daily basis.


PCI DSS v4 includes a raft of updates that aim to meet four key objectives:


  • Continue to meet the security needs of the payment industry

  • Promote security as a continuous process

  • Add flexibility for different methodologies

  • Enhance validation methods


The introduction of a new method for meeting requirements, known as the customised approach, stands out. It gives organisations the flexibility to meet the security objectives of PCI DSS requirements using new technology and innovative controls.

PCI DSS v4.0.1

Published in June 2024, the PCI DSS v4.0.1 update is a minor revision intended to clarify and correct the existing v4 standard. It neither introduces nor deletes requirements. It corrects formatting and typos and clarifies some requirements and guidance, ensuring a more accurate and consistent understanding and application of the existing version.


Implications for Organisations

These updates are designed to simplify the implementation of PCI DSS without increasing the compliance burden. If your organisation is already aligned with v4, transitioning to v4.0.1 primarily involves reviewing the clarified guidance and updating documentation. However, it is essential to reassess controls around patching, MFA, and legal exceptions to ensure they remain aligned.

PCI DSS: the future

The future of PCI DSS will continue to be shaped by evolving cybersecurity threats, regulatory landscapes, and technological advancements in payment processing. As threats evolve, PCI DSS will continue to align with global standards and embrace innovations to safeguard payment data amid shifting priorities.

How Jscrambler can help you

Gain visibility and control of all code running on the client-side.