PCI DSS v4.0 — the latest version of the Payment Card Industry Data Security Standard — became the only active version as of March 2024, replacing PCI DSS v3.2.1. For any Indian organisation that processes, stores, or transmits payment card data — including merchants, payment processors, banks, and service providers — compliance with v4.0 is now mandatory.
Version 4.0 represents the most significant update to PCI DSS in over a decade, introducing new requirements, new flexibility in how compliance can be achieved, and a stronger focus on continuous security rather than point-in-time compliance.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard developed by the PCI Security Standards Council (PCI SSC) — the joint body of Visa, Mastercard, American Express, Discover, and JCB. Any organisation that accepts, processes, stores, or transmits cardholder data must comply.
Compliance is assessed through annual audits by Qualified Security Assessors (QSAs) or, for smaller merchants, Self-Assessment Questionnaires (SAQs) combined with quarterly network scans.
Key Changes in PCI DSS v4.0
- New Customised Approach
Perhaps the most significant structural change: v4.0 introduces a 'Customised Approach' alongside the traditional 'Defined Approach.' The Customised Approach allows organisations to implement alternative controls to meet each requirement's stated objective, rather than following the prescriptive control specifications. This is particularly valuable for large organisations with mature security programmes that have outgrown the one-size-fits-all prescriptive requirements.
- Multi-Factor Authentication (MFA) Expansion
MFA is now required for all access into the cardholder data environment (CDE) — not just for remote access. This extends MFA requirements to all administrators accessing the CDE from any location, including internal network access.
- Password Requirements Updated
Minimum password length increases from 7 to 12 characters. Passwords must be changed only when there is suspicion of compromise (not mandatory periodic changes) — aligning with NIST guidance. However, more frequent changes are still allowed.
- Phishing-Resistant Authentication
New requirements for phishing-resistant authentication (such as FIDO2 passkeys or hardware tokens) for personnel with administrative access — recognising that traditional MFA can be bypassed through phishing attacks.
- Targeted Risk Analysis
Organisations can now perform targeted risk analysis to justify customised control frequencies — for example, determining how often specific security activities need to be performed based on risk rather than fixed timeframes.
- E-Commerce and Payment Page Security (New Requirements)
Requirement 6.4.3 and 11.6.1 introduce significant new requirements for organisations that process payments via e-commerce pages: all scripts on payment pages must be managed and authorised, and a change/tamper detection mechanism must be in place to detect unauthorised modifications. These requirements specifically address Magecart/web skimming attacks.
- Network Security Documentation
Enhanced requirements for network diagrams — they must now show all connections between the CDE and other networks, including wireless networks and cloud environments.
- Penetration Testing Enhancements
Penetration testing requirements are strengthened, with clearer scope definitions and requirements for testing all applicable segmentation controls.
PCI DSS v4.0 Requirements Overview
| Requirement |
Topic |
Key v4.0 Changes |
| 1 |
Network Security Controls |
Enhanced documentation requirements |
| 2 |
Secure Configurations |
Updated minimum standards |
| 3 |
Protect Account Data |
Disk encryption clarifications, key management |
| 4 |
Protect Data in Transit |
TLS 1.2+ mandatory, inventory of trusted certificates |
| 5 |
Protect Against Malware |
Anti-phishing controls, removable media |
| 6 |
Secure Systems & Software |
Payment page script management (new) |
| 7 |
Restrict Access |
Just-in-time access, enhanced documentation |
| 8 |
User Identification |
MFA expansion, phishing-resistant auth, 12-char passwords |
| 9 |
Physical Access Controls |
POI device inspection requirements |
| 10 |
Log and Monitor |
Automated log review, 12-month retention |
| 11 |
Test Security |
Tamper detection for payment pages (new), pen test enhancements |
| 12 |
Organisational Policies |
Targeted risk analysis, roles & responsibilities |
Key Immediate-Effect vs Future-Dated Requirements
PCI DSS v4.0 split requirements into two categories: those effective immediately upon adoption (by March 2024) and those with a future effective date of March 31, 2025.
| Category |
Examples |
Effective Date |
| Immediate requirements |
MFA for all CDE access, 12-character passwords, updated documentation |
March 2024 |
| Future-dated requirements |
Payment page script inventory (6.4.3), tamper detection (11.6.1), automated log reviews, phishing-resistant auth |
March 31, 2025 |
Steps to Achieve PCI DSS v4.0 Compliance
- Conduct a v4.0 Gap Assessment — Compare your current v3.2.1 controls against new v4.0 requirements. Focus on new and changed requirements.
- Determine Your Compliance Path — Decide whether to follow the Defined Approach (traditional prescriptive) or the Customised Approach for specific requirements.
- Implement MFA Expansion — Roll out MFA for all CDE administrative access, not just remote access.
- Update Password Policies — Change minimum password length to 12 characters across all CDE systems.
- Implement Payment Page Security Controls — If you operate e-commerce payment pages, implement script inventory and tamper detection before March 2025.
- Conduct Targeted Risk Analysis — Document the methodology and perform risk analysis to justify control frequencies where applicable.
- Update Documentation — Revise network diagrams, data flow diagrams, and security policies to meet enhanced documentation requirements.
- Engage a QSA — Work with a Qualified Security Assessor to validate your compliance posture and prepare for your annual assessment.
How Vedtam Can Help
Vedtam's PCI DSS Consulting Services help organisations navigate the transition to v4.0 with minimal disruption. Our QSA-partnered team conducts gap assessments, implements required controls, and prepares you for successful PCI DSS assessments.
Explore PCI DSS Consulting Services →
Start your PCI DSS v4.0 compliance programme today. Free consultation: vedtam.com/contact-us | +91 70651 11015