
Are you ready for PCI DSS v4.0? Countdown to compliance

Turn complex requirements into simple action steps and fast-track your path to PCI DSS compliance 

Katrina Dalao
Sr. Content Marketing Specialist, CIPM, CIPP/E
January 23, 2024


The day has finally arrived. Two years after its initial release, the Payment Card Industry Data Security Standard v4.0 (PCI DSS v4.0) is replacing its predecessor on March 31, 2024. 

There was a transition period during which organizations could complete assessments against either version — PCI DSS v3.2.1 and v4.0 — and familiarize themselves with the changes in the new standard. 

But that time is coming to a close, as PCI DSS v3.2.1 will officially retire and PCI DSS v4.0 will be the only active version of the standard. 

With new and changed requirements, implementation timelines, and a broader scope of compliance operations, PCI DSS v4.0 represents a significant shift in the way your data needs to be secured. By this point, all entities that work with payment account data should already be implementing the changes and updates required to maintain their PCI DSS compliance.

 

What’s new in PCI DSS v4.0: Summary of changes

PCI DSS v4.0 heralds the next evolution in payment security, with major changes that go beyond simply updating security controls. Designed to meet the evolving security needs of the payment industry, the new standard enhances validation methods and procedures, gives flexibility in achieving objectives, and promotes security as a continuous process.

There are three types of changes seen in PCI DSS v4.0:

  1. Evolving requirement: Changes to ensure that the standard is up to date with emerging threats and technologies, and changes in the payment industry. Examples include new or modified requirements, testing procedures, or the removal of a prior requirement.

  2. Clarification or guidance: Updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic.

  3. Structure or format: Reorganization of content, including combining, separating, and renumbering of requirements to align content.

While PCI DSS v4.0 maintains the 12 principal requirements from previous versions, it introduces 64 new sub-requirements. Out of these sub-requirements: 

  • 13 must be implemented by March 31, 2024

  • 51 must be implemented by March 31, 2025 (considered a best practice until then)

  • 53 apply to all entities 

  • 11 apply only to service providers

* See the full Summary of Changes from PCI DSS v3.2.1 to 4.0

 

Entities that have met the requirements of PCI DSS v3.2.1 are already 79% compliant with PCI DSS v4.0

 

Major areas of impact

Regardless of which requirements apply to you, the new PCI DSS v4.0 changes are focused on the following high-level areas:

 

Prioritized security as a continuous process

One of the major shifts in PCI DSS v4.0 compliance is that it promotes security as a continuous process rather than a point-in-time exercise performed once a year. By maintaining ongoing security, organizations can ensure their systems are always protected and significantly reduce the risk of data breaches or incidents. 

What does this mean for organizations? Continuous security involves engaging the entire organization to understand the importance of PCI DSS and adopt a security mindset. Define processes that integrate security as a business-as-usual practice that’s part of the organizational culture. It’s important that everyone who deals with account data understands the overall security objectives, requirements, and why specific controls are important to operations. 

 

Increased annual diligence 

Several new requirements were introduced that increase the documented review and overall due diligence of merchants and service providers. These include: 

  • Document and confirm the PCI DSS in-scope environment at least every 12 months and upon significant change (PCI DSS 12.5.2); service providers must do so every six months and upon significant change (PCI DSS 12.5.2.1-2)

  • Conduct targeted risk analysis for any controls that use the customized approach at least every 12 months with written approvals by senior management (PCI DSS 12.3.2)

  • Conduct a risk analysis, at least annually, for any controls where merchants and service providers have flexibility in how frequently the control is performed (PCI DSS 12.3.1 – best practice until 2025)

  • Review cipher suites and protocols, at least annually (PCI DSS 12.3.3 – best practice until 2025) 

  • Perform a review, at least annually, of hardware and software technologies in use with a plan to remediate outdated technologies approved by senior management (PCI DSS 12.3.4 – best practice until 2025) 

 

Customized approach option

PCI DSS v4.0 allows entities to design custom security controls that can be used to meet the requirement’s objectives. With the customized approach, merchants and service providers can implement and validate a different control from the one used in the defined approach, provided the objective is still met.  

Note: Not all controls are eligible for the customized approach (e.g., PCI DSS 3.3.1). If you decide to take the customized approach, verify that your implementation meets the additional risk analysis and documentation requirements.

 

Targeted risk analysis guidance 

The new version provides a sample Targeted Risk Analysis Template (PCI DSS Appendix E2), which is focused on a narrow scope, often an asset, threat, or control. While using the template is not required, it gives more guidance on how the PCI Security Standards Council expects a targeted risk analysis to be carried out. 

 

Enhanced validation methods and procedures 

To support transparency and granularity in validation and reporting processes, there’s an increased alignment between information reported in a Report of Compliance (ROC) or Self-Assessment Questionnaire (SAQ) and information summarized in an Attestation of Compliance (AOC). 

Learn more about the major changes in PCI DSS v4.0

 

OneTrust has automated 35% of the controls you need to comply with PCI DSS v4.0. Out of the 280 published controls that require evidence, our platform has 55 fully automated controls and 96 partially automated controls.

 

PCI DSS 4.0 compliance using OneTrust 

PCI DSS v4.0 control implementation guidance has been available on OneTrust since October 3, 2022. Our platform provides the following (under the framework name "PCI DSS v4.0") to help smooth your transition into the new standard:

  • Readiness survey: Entities can create a new readiness project and respond to the survey questions for an updated list of controls, evidence tasks, and other changes. This helps identify your current standing and determine which controls, policies, and evidence tasks are in scope or need to be migrated as efficiently as possible. 

  • Controls and control guidance: Quickly identify your exact PCI DSS controls, relevant timelines, and organizational requirements (depending on whether you’re a Merchant or Service Provider), so you can spend less time trying to connect the dots and more time achieving compliance. 

  • Evidence tasks (ETs): A dynamic system of controls, policies, and evidence tasks applies all relevant PCI DSS v3.2.1 ETs to the latest requirements in PCI DSS v4.0, helping you stay up to date with the new standard's requirements.

  • Automatic evidence collection: Our existing APIs integrate directly into your tech stack to automatically collect the required evidence in scope and on time without interrupting your line of business. 

  • Templates and policies: We’ve expanded our list of PCI DSS v4.0 templates and updated policies to comply with specific requirements in the new standard. While most of the existing policies in PCI DSS v4.0 remain unchanged, the following have been added: 

    • Acceptable Use Policy 

    • Network Security Policy 

    • Information Security Policy 

    • Access Control Policy 

    • Risk Assessment Policy 

    • Change Management Policy 

    • Logging and Monitoring Policy 

    • Software Development 

    • IT Asset Management 

    • Key Management and Cryptography Policy 

    • PCI - Card Data Security Policy 

    • Vulnerability and Penetration Testing Policy 
       
  • Risk mapping: We’ve updated the mapping of PCI DSS v4.0 controls to our risk module. The new controls are mapped as mitigating controls to the risks in your risk register and appear under “Current Linked Controls”. 

  • Golden questions and answers (Golden Q&A): For each control in PCI DSS v4.0, we created new golden Q&As to help organizations automatically fill out questionnaires. 

See a walkthrough of how OneTrust helps you seamlessly transition to PCI DSS v4.0

Learn more about how OneTrust helps you build, scale, and automate your security compliance program. Reduce your cost of compliance up to 60% and obtain certifications 50% faster. Schedule a demo today
