Introduction
PCI DSS v4.0 — the latest version of the Payment Card Industry Data Security Standard — became the only active version as of March 2024, replacing PCI DSS v3.2.1. For any Indian organisation that processes, stores, or transmits payment card data — including merchants, payment processors, banks, and service providers — compliance with v4.0 is now mandatory.
Version 4.0 represents the most significant update to PCI DSS in over a decade, introducing new requirements, new flexibility in how compliance can be achieved, and a stronger focus on continuous security rather than point-in-time compliance.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard developed by the PCI Security Standards Council (PCI SSC) — the joint body of Visa, Mastercard, American Express, Discover, and JCB. Any organisation that accepts, processes, stores, or transmits cardholder data must comply.
Compliance is assessed through annual audits by Qualified Security Assessors (QSAs) or, for smaller merchants, Self-Assessment Questionnaires (SAQs) combined with quarterly network scans.
Key Changes in PCI DSS v4.0
1. New Customised Approach
Perhaps the most significant structural change: v4.0 introduces a 'Customised Approach' alongside the traditional 'Defined Approach.' The Customised Approach allows organisations to implement alternative controls to meet each requirement's stated objective, rather than following the prescriptive control specifications.
2. Multi-Factor Authentication (MFA) Expansion
MFA is now required for all access into the cardholder data environment (CDE) — not just for remote access.
3. Password Requirements Updated
Minimum password length increases from 7 to 12 characters. Passwords must be changed only when there is suspicion of compromise.
4. Phishing-Resistant Authentication
v4.0 adds requirements for phishing-resistant authentication (such as FIDO2 passkeys or hardware tokens) for personnel with administrative access.
5. Targeted Risk Analysis
Organisations can now perform targeted risk analysis to justify customised control frequencies.
6. E-Commerce and Payment Page Security (New Requirements)
Requirements 6.4.3 (payment page script management) and 11.6.1 (tamper detection for payment pages) introduce significant new obligations for organisations that process payments via e-commerce pages: the scripts loaded on a payment page must be inventoried and authorised, and changes to the page or its HTTP headers must be detected.
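As an added illustration (not code from the original article or from Vedtam), the following Python script shows the two checks behind this section: an inventory audit of the scripts on a payment page, where every external script must be on the authorised list and carry a matching Subresource Integrity value and every inline script must match an approved hash, and a tamper-detection comparison of the page body and its security-relevant HTTP headers against a recorded baseline. The HTML, script bodies, headers and inventory are all constructed for the example; the script names, hostnames and the set of watched headers are assumptions.

```python
"""Payment page script inventory audit and tamper detection, in the spirit of
PCI DSS v4.0 requirements 6.4.3 and 11.6.1. Everything below (page, headers,
inventory) is constructed for illustration; nothing is fetched from a network."""
import base64
import hashlib
from html.parser import HTMLParser


def sri_sha256(content: bytes) -> str:
    """Return a Subresource Integrity value ('sha256-<base64 digest>') for content."""
    return "sha256-" + base64.b64encode(hashlib.sha256(content).digest()).decode()


# Constructed script bodies standing in for the files the page would load (assumed names).
SCRIPT_BODIES = {
    "/static/checkout.js": b"window.checkout = {pay: function(){}};",
    "https://psp.example/sdk.js": b"window.psp = {tokenize: function(){}};",
}
# Authorised inventory: external src -> expected SRI hash, plus approved inline bodies.
AUTHORISED_SRC = {src: sri_sha256(body) for src, body in SCRIPT_BODIES.items()}
AUTHORISED_INLINE = {sri_sha256(b"initCheckout();")}
# Headers whose change on a payment page should raise an alert (assumed set).
WATCHED_HEADERS = {"content-security-policy", "strict-transport-security", "x-frame-options"}


class ScriptCollector(HTMLParser):
    """Collects <script> tags: external ones by attributes, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.external = []      # attribute dicts of <script src=...>
        self.inline = []        # bodies of <script> without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if "src" in a:
            self.external.append(a)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def audit_scripts(html: str) -> list:
    """Return findings for scripts that are unauthorised or lack/mismatch integrity."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for a in p.external:
        src = a["src"]
        expected = AUTHORISED_SRC.get(src)
        if expected is None:
            findings.append(f"unauthorised script: {src}")
        elif a.get("integrity") is None:
            findings.append(f"missing integrity attribute: {src}")
        elif a["integrity"] != expected:
            findings.append(f"integrity mismatch: {src}")
    for body in p.inline:
        if sri_sha256(body.strip().encode()) not in AUTHORISED_INLINE:
            findings.append("unauthorised inline script")
    return findings


def baseline(headers: dict, body: str) -> dict:
    """Record the known-good state: watched headers and a hash of the page body."""
    return {
        "headers": {k.lower(): v for k, v in headers.items() if k.lower() in WATCHED_HEADERS},
        "body_sha256": hashlib.sha256(body.encode()).hexdigest(),
    }


def detect_tampering(base: dict, headers: dict, body: str) -> list:
    """Compare a fresh observation of the payment page against the baseline."""
    now = baseline(headers, body)
    changes = []
    for name in sorted(set(base["headers"]) | set(now["headers"])):
        old, new = base["headers"].get(name), now["headers"].get(name)
        if old != new:
            changes.append(f"header {name}: {old!r} -> {new!r}")
    if base["body_sha256"] != now["body_sha256"]:
        changes.append("payment page body hash changed")
    return changes


# Constructed known-good page and headers, then a modified copy with an extra script.
GOOD_PAGE = f"""<html><head>
<script src="/static/checkout.js" integrity="{AUTHORISED_SRC['/static/checkout.js']}"></script>
<script src="https://psp.example/sdk.js" integrity="{AUTHORISED_SRC['https://psp.example/sdk.js']}"></script>
</head><body><script>initCheckout();</script></body></html>"""
GOOD_HEADERS = {"Content-Security-Policy": "script-src 'self' https://psp.example",
                "Strict-Transport-Security": "max-age=31536000", "Content-Type": "text/html"}
CHANGED_PAGE = GOOD_PAGE.replace("</body>", '<script src="https://unknown-cdn.example/extra.js"></script></body>')
CHANGED_HEADERS = {**GOOD_HEADERS, "Content-Security-Policy": "script-src *"}
BASELINE = baseline(GOOD_HEADERS, GOOD_PAGE)

if __name__ == "__main__":
    print("good page findings:", audit_scripts(GOOD_PAGE))
    print("changed page findings:", audit_scripts(CHANGED_PAGE))
    print("tamper changes:", detect_tampering(BASELINE, CHANGED_HEADERS, CHANGED_PAGE))
```

In practice the baseline would be captured from the deployed page and the comparison run on a schedule against the live response; the point of hashing the body and pinning the watched headers is that an injected script or a loosened Content-Security-Policy shows up as a concrete diff rather than relying on someone noticing it.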
7. Network Security Documentation
Documentation requirements for network diagrams are enhanced.
8. Penetration Testing Enhancements
Penetration testing requirements are strengthened.
PCI DSS v4.0 Requirements Overview
| Requirement | Topic | Key v4.0 Changes |
|---|---|---|
| 1 | Network Security Controls | Enhanced documentation requirements |
| 2 | Secure Configurations | Updated minimum standards |
| 3 | Protect Account Data | Disk encryption clarifications, key management |
| 4 | Protect Data in Transit | TLS 1.2+ mandatory |
| 5 | Protect Against Malware | Anti-phishing controls |
| 6 | Secure Systems & Software | Payment page script management (new) |
| 7 | Restrict Access | Just-in-time access |
| 8 | User Identification | MFA expansion, 12-char passwords |
| 9 | Physical Access Controls | POI inspection |
| 10 | Log and Monitor | 12-month retention |
| 11 | Test Security | Tamper detection (new) |
| 12 | Organisational Policies | Targeted risk analysis |
Key Immediate-Effect vs Future-Dated Requirements
| Category | Examples | Effective Date |
|---|---|---|
| Immediate requirements | MFA for all CDE access, 12-character passwords, updated documentation | March 2024 |
| Future-dated requirements | Payment page script inventory, tamper detection, automated log reviews | March 31, 2025 |
Steps to Achieve PCI DSS v4.0 Compliance
- Conduct a v4.0 Gap Assessment
- Determine Your Compliance Path
- Implement MFA Expansion
- Update Password Policies
- Implement Payment Page Security Controls
- Conduct Targeted Risk Analysis
- Update Documentation
- Engage a QSA
How Vedtam Can Help
Vedtam's PCI DSS Consulting Services help organisations navigate the transition to v4.0 with minimal disruption. Our QSA-partnered team conducts gap assessments, implements required controls, and prepares you for successful PCI DSS assessments.
Visit vedtam.com/consulting/pci-dss-consulting-services/ for more information.
Start your PCI DSS v4.0 compliance programme today.
Free consultation: vedtam.com/contact/ | +91 98915 55588
Published by Vedtam Cybersecurity Team | Vedtam Tech Solutions, Ghaziabad, India