PCI DSS 4.0 Compliance: What Changed and How to Prepare
PCI DSS 4.0 is the largest revision of the Payment Card Industry Data Security Standard since version 3.0 in 2013. It introduces a customized approach to validating compliance, strengthens authentication requirements, tightens how stored PAN must be protected, and requires targeted risk analysis for a number of controls. If you store, process, or transmit cardholder data, here is what changed and what you need to prepare.
What Is PCI DSS 4.0?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for any organization that stores, processes, or transmits payment card data. Version 4.0 was published on 31 March 2022 and replaced version 3.2.1, which was retired on 31 March 2024; every assessment since then has had to use v4.x. Most of the new requirements were "best practice" until 31 March 2025, when they became mandatory. A limited revision, v4.0.1, was published in June 2024 and superseded v4.0 at the end of 2024; it clarifies wording and guidance without adding or removing requirements, so everything below applies to v4.0.1 as well. The 4.x line modernizes the standard for current threats, cloud-native architectures, and continuous (rather than point-in-time) security monitoring.
The standard is organized into 12 requirements across six goals: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control, regularly monitor and test networks, and maintain an information security policy.
Key Changes in PCI DSS 4.0
Customized Approach
Organizations can now meet a requirement with controls of their own design, as long as the control meets the stated objective of that requirement, instead of following the prescriptive "defined approach" wording. The trade-off is evidence: each customized control needs a documented targeted risk analysis (Req 12.3.2), a controls matrix describing how the control meets the objective and how it is monitored, and the assessor writes and executes their own testing procedures for it. Compensating controls still exist as a separate mechanism for cases where a defined requirement cannot be met as written.
Targeted Risk Analysis
Several requirements now mandate targeted risk analysis to determine frequency of activities (scanning, log review, etc.) based on the organization's specific risk profile.
Enhanced Authentication
MFA is required for all access into the cardholder data environment (Req 8.4.2), not only for remote access and non-console administrative access as under v3.2.1. Minimum password/passphrase length rises from 7 to 12 characters (Req 8.3.6; 8 characters is permitted only where the system cannot support 12), and accounts must lock after no more than 10 invalid attempts for at least 30 minutes (Req 8.3.4). The MFA implementation itself must resist replay attacks, require success on all factors before access is granted, and must not be bypassable except under a documented management exception (Req 8.5.1). The standard does not mandate phishing-resistant authenticators, but FIDO2/WebAuthn satisfies 8.5.1 more cleanly than SMS or push-based factors. Passwords for application and system accounts must be rotated on a frequency justified by a targeted risk analysis (Req 8.6.3).
Expanded Encryption
Stored PAN Protection
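The rules for stored PAN are what actually changed, not the rules for internal network traffic. Strong cryptography is still required only when PAN crosses open, public networks (Req 4.2.1), although v4.0 now requires an inventory of the keys and certificates that protect those connections (Req 4.2.1.1). At rest, disk-level or partition-level encryption on its own no longer counts as rendering PAN unreadable except on removable media (Req 3.5.1.2), so the PAN must also be encrypted, truncated, tokenized, or hashed at the application or database level. Where hashing is the chosen method, the hash must be a keyed cryptographic hash of the full PAN with key management under Req 3.6 and 3.7 (Req 3.5.1.1). Technical controls must also prevent PAN from being copied or relocated to local media during remote access (Req 3.4.2).

The reason an unkeyed hash is no longer acceptable is easy to show. A masked PAN (Req 3.4.1 permits displaying the BIN and the last four digits) leaves only six digits secret on a 16-digit card, so a bare SHA-256 of the PAN can be inverted by enumeration in seconds. The example below is added here to demonstrate that; it is not code from the page or from TigerGate. It assumes 16-digit PANs with a 6-digit BIN and uses the well-known Visa test number 4111111111111111, which is not a real card.

```python
"""Why PCI DSS v4.0 Req 3.5.1.1 requires a keyed hash for stored PAN.

Added example, not code from the page or from TigerGate. Assumptions: 16-digit
PANs, a 6-digit BIN, masking that reveals BIN + last four (Req 3.4.1), and the
public Visa test number 4111111111111111 (not a real card).
"""
import hashlib
import hmac
import itertools
import secrets
from typing import Callable, Optional

Hasher = Callable[[str], bytes]


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; every genuine PAN passes this."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, bin_len: int = 6) -> str:
    """Req 3.4.1 display masking: at most the BIN and the last four are shown."""
    hidden = len(pan) - bin_len - 4
    return pan[:bin_len] + "*" * hidden + pan[-4:]


def unkeyed_hash(pan: str) -> bytes:
    """What many pre-4.0 systems stored: a bare SHA-256 of the PAN."""
    return hashlib.sha256(pan.encode()).digest()


def keyed_hash(pan: str, key: bytes) -> bytes:
    """Req 3.5.1.1 style: HMAC-SHA-256 over the whole PAN under a managed key."""
    return hmac.digest(key, pan.encode(), "sha256")


def recover_pan(target: bytes, masked: str, hasher: Hasher) -> Optional[str]:
    """Attacker's view: knows the masked PAN and the stored digest, and guesses
    the hidden middle digits. Six hidden digits means at most 10**6 digests,
    which is seconds of CPU for an unkeyed hash."""
    bin_, last4 = masked[:6], masked[-4:]
    hidden = len(masked) - 10
    for digits in itertools.product("0123456789", repeat=hidden):
        candidate = bin_ + "".join(digits) + last4
        if hasher(candidate) == target and luhn_ok(candidate):
            return candidate
    return None


TEST_PAN = "4111111111111111"  # constructed input: public Visa test number


def demo_unkeyed() -> Optional[str]:
    """Unkeyed SHA-256: the PAN is recovered from the masked value alone."""
    return recover_pan(unkeyed_hash(TEST_PAN), mask_pan(TEST_PAN), unkeyed_hash)


def demo_keyed() -> Optional[str]:
    """Keyed hash: without the real key the same enumeration finds nothing.
    In production the key lives in an HSM or KMS under Req 3.6/3.7."""
    real_key = secrets.token_bytes(32)
    attacker_key = secrets.token_bytes(32)  # attacker does not hold the real key
    stored = keyed_hash(TEST_PAN, real_key)
    return recover_pan(stored, mask_pan(TEST_PAN),
                       lambda p: keyed_hash(p, attacker_key))


if __name__ == "__main__":
    print("masked:", mask_pan(TEST_PAN))
    print("recovered from unkeyed hash:", demo_unkeyed())
    print("recovered from keyed hash:", demo_keyed())
```

The keyed variant is only as strong as the key management around it: the key must be generated, stored, and rotated under Req 3.6 and 3.7, kept out of the database that holds the hashes, and never derived from anything an attacker could enumerate. Note also that the Luhn filter is applied after the hash comparison only because hashing is cheaper than the check in this toy; a real attacker would precompute the roughly 10^5 Luhn-valid candidates per masked PAN once and reuse them.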
Continuous Monitoring
Audit log review must use automated mechanisms (Req 10.4.1.1); a person reading logs daily no longer satisfies the requirement once the future-dated controls apply. Failures of critical security control systems (firewalls, IDS/IPS, FIM, anti-malware, logging, MFA and similar) must be detected and alerted on promptly, and now for all entities rather than only service providers (Req 10.7.2). The review frequency for logs outside the cardholder data environment and the frequency of other periodic checks are set by the entity's targeted risk analysis instead of a fixed schedule.
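What "automated mechanism" means in practice is code or tooling that consumes the log stream and raises alerts on defined conditions. The block below is an added example, not code from the page or from TigerGate, showing a minimal automated review over constructed syslog-style authentication lines. It alerts when an account fails authentication ten times within 30 minutes (the Req 8.3.4 lockout threshold) using a sliding window, and when an account outside an allowlist succeeds on a host tagged as CDE. The log format, host names, and account names are assumptions for the example.

```python
"""Minimal automated audit-log review (Req 10.4.1.1) over constructed log lines.

Added example, not code from the page or from TigerGate. The log line format,
host names, account names and allowlist are assumptions for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

LOCKOUT_LIMIT = 10                  # Req 8.3.4: lock after no more than 10 attempts
WINDOW = timedelta(minutes=30)      # Req 8.3.4: minimum lockout duration, reused as window
CDE_HOSTS = {"pay-db-01"}           # assumed CDE inventory
CDE_ALLOWLIST = {"svc-payments", "dba-jane"}  # assumed accounts permitted on CDE hosts

# assumed format: "<iso-timestamp> <host> auth: <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

Alert = Tuple[str, ...]


def parse(line: str) -> Optional[dict]:
    """Parse one line; return None for anything that does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def review(lines: Iterable[str]) -> List[Alert]:
    """Run the two detection rules over the lines and return alerts in order."""
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # user -> recent failure times
    for line in lines:
        ev = parse(line)
        if ev is None:
            # Unparsable lines are surfaced, not silently dropped: a review that
            # skips what it cannot read is not a review of all the logs.
            alerts.append(("UNPARSED", line))
            continue
        if ev["result"] == "FAIL":
            q = failures[ev["user"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:  # slide the window forward
                q.popleft()
            if len(q) == LOCKOUT_LIMIT:  # alert once, when the threshold is crossed
                alerts.append(("BRUTE_FORCE", ev["user"], ev["src"], ev["ts"].isoformat()))
        elif ev["host"] in CDE_HOSTS and ev["user"] not in CDE_ALLOWLIST:
            alerts.append(("UNEXPECTED_CDE_ACCESS", ev["user"], ev["host"], ev["ts"].isoformat()))
    return alerts


# Constructed sample log: one stale failure (outside the window), ten failures
# inside it, an allowed CDE login, and a login by an account not on the allowlist.
SAMPLE_LOG = (
    ["2025-03-31T09:00:00 jump-01 auth: FAIL user=admin src=203.0.113.7"]
    + [f"2025-03-31T10:{m:02d}:00 jump-01 auth: FAIL user=admin src=203.0.113.7"
       for m in range(10)]
    + ["2025-03-31T10:10:00 pay-db-01 auth: OK user=svc-payments src=10.0.5.20",
       "2025-03-31T10:11:00 pay-db-01 auth: OK user=contractor-bob src=10.0.9.3"]
)


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

The stale 09:00 failure is evicted before the tenth in-window failure arrives, so the brute-force alert fires exactly once, at 10:09. A real deployment would feed this from the central log system required by Req 10.3, keep the alert itself in the audit trail, and tune both thresholds from the targeted risk analysis rather than hard-coding them.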
Web Application Security
Public-facing web applications must be protected by an automated technical solution that continually detects and prevents web-based attacks, such as a WAF (Req 6.4.2); the v3.2.1 alternative of an annual manual or automated vulnerability review is gone. Two further requirements target payment-page skimming: all scripts loaded into the consumer's browser on payment pages must be authorized, integrity-checked, and inventoried with a written justification (Req 6.4.3), and a change- and tamper-detection mechanism must alert on unauthorized modification of the HTTP headers and content of those pages (Req 11.6.1).
Enforcement Timeline
| Date | Milestone | Impact |
|---|---|---|
| 31 March 2022 | PCI DSS 4.0 published | Organizations may begin assessing against v4.0; 13 of the 64 new requirements apply to every v4.0 assessment immediately |
| 31 March 2024 | PCI DSS 3.2.1 retired | All assessments must use v4.x |
| June 2024 | PCI DSS 4.0.1 published | Clarifications only, no new or removed requirements; v4.0 retired at the end of 2024 |
| 31 March 2025 | Future-dated requirements enforced | The remaining 51 future-dated requirements become mandatory |
| Ongoing | Annual assessments | Continuous compliance validation required |
PCI DSS 4.0 Checklist for Cloud-Native
Network Security (Req 1–2)
Data Protection (Req 3–4)
Vulnerability Management (Req 5–6)
Access Control (Req 7–9)
Monitoring & Testing (Req 10–11)
Security Policy (Req 12)
Automate PCI DSS Compliance with TigerGate
TigerGate maps your security controls to PCI DSS 4.0 requirements automatically. CSPM scans cloud configurations, SAST/SCA scans code, and eBPF provides continuous runtime monitoring evidence.