Data Compliance & Governance

    A practical guide to seamless PCI DSS v4.0 compliance

    Simplify compliance across all communication platforms

    by Michael Rowinski

    Key Points

    • Collaboration tools like Slack, Microsoft Teams, and Zoom are critical to business workflows but are often overlooked in compliance strategies. 
    • Non-compliance fines can reach $100,000 per month, along with reputational damage and cyber risks.
    • A unified compliance solution should integrate seamlessly into existing workflows to secure your communication channels and meet compliance requirements. 

    What is PCI DSS v4.0?

    The Payment Card Industry Data Security Standard (PCI DSS) is the global data security standard for organizations handling cardholder data. Version 4.0, known as PCI DSS v4.0 or DSS v401, was introduced by the PCI Security Standards Council to address emerging risks and modernize compliance measures.

    At its core, PCI DSS v4.0 strengthens requirements around network security, multi-factor authentication, sensitive authentication data, and the monitoring of all systems that store, process, or transmit cardholder information. The goal is not only to protect consumers but also to give service providers and merchants a more flexible, risk-based approach to compliance.

    While earlier versions such as PCI DSS v3.2.1 (DSS v321) focused heavily on traditional IT infrastructures, PCI DSS v4.0 expands controls to reflect cloud adoption, remote work, and the rise of digital-first business models.

    Key PCI DSS v4.0 updates for compliance

    1. Expanded multi-factor authentication (MFA)

    Under PCI DSS v3.2.1, MFA was only required for administrators accessing the cardholder data environment (CDE). PCI DSS v4.0 expands this requirement, mandating MFA for all users accessing systems that handle payment card data.

    • What this means: Every employee, contractor, or service provider connecting to the CDE must authenticate with at least two factors (e.g., password + token, password + biometric).
    • Why it matters: MFA significantly reduces the risk of compromised credentials being used in a data breach.
    • Compliance tip: Review your authentication methods and ensure all access points, whether through VPNs, cloud environments, or remote logins, are covered by MFA.

    2. Stronger password requirements

    Weak or reused passwords remain one of the most common causes of data leaks and unauthorized access. PCI DSS v4.0 tightens password requirements to align with industry best practices.

    • Key updates:
      • Minimum length of 12 characters (or at least 8 if strong complexity rules are enforced).
      • Prohibition of commonly used or previously breached passwords.
      • Defined rotation intervals that balance usability with security.
    • Why it matters: By setting higher standards, organizations reduce exposure to potential threats like brute force or credential stuffing attacks.
    • Compliance tip: Audit existing password policies, and integrate password filtering tools to prevent weak or known-compromised credentials.
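    As an added example (not code from the original post or from Mimecast), the following Python check encodes the password rules described above: a 12-character minimum, or 8 when complexity rules are enforced, rejection of known-compromised passwords, and a defined rotation interval. The complexity definition (three of four character classes), the 90-day interval and the deny-list are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import string
from dataclasses import dataclass, field

# Constructed deny-list (not a real breach corpus). Breach corpora are usually
# distributed as hash lists, so SHA-1 digests are stored rather than cleartext.
KNOWN_COMPROMISED = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password123", "Welcome2024!", "P@ssw0rd1234")
}


@dataclass
class PasswordPolicy:
    """Encodes the v4.0 password rules summarised above; thresholds are assumptions."""
    min_length: int = 12                 # default minimum length
    min_length_with_complexity: int = 8  # allowed when complexity rules are enforced
    enforce_complexity: bool = False
    min_classes: int = 3                 # assumed: 3 of 4 character classes
    max_age_days: int = 90               # assumed rotation interval
    deny_list: set[str] = field(default_factory=lambda: set(KNOWN_COMPROMISED))

    @staticmethod
    def character_classes(pw: str) -> int:
        classes = (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation)
        return sum(any(c in cls for c in pw) for cls in classes)

    def evaluate(self, pw: str, age_days: int) -> list[str]:
        """Return the list of policy violations; an empty list means compliant."""
        findings: list[str] = []
        if self.enforce_complexity:
            if len(pw) < self.min_length_with_complexity:
                findings.append(f"shorter than {self.min_length_with_complexity} characters")
            if self.character_classes(pw) < self.min_classes:
                findings.append(f"fewer than {self.min_classes} character classes")
        elif len(pw) < self.min_length:
            findings.append(f"shorter than {self.min_length} characters")
        # Known-compromised check: hash the candidate and look it up in the deny-list.
        if hashlib.sha1(pw.encode()).hexdigest() in self.deny_list:
            findings.append("matches a known-compromised password")
        # Rotation interval: flag credentials older than the defined maximum age.
        if age_days > self.max_age_days:
            findings.append(f"older than {self.max_age_days} days")
        return findings
```

    In production the deny-list lookup would be backed by a full breach corpus rather than the three constructed entries here.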

    3. Risk-based testing options

    One of the biggest shifts in PCI DSS v4.0 is the introduction of two approaches to meeting each PCI DSS requirement:

    • Defined approach: A prescriptive checklist similar to older versions, with specific security measures to implement.
    • Customized approach: A flexible, risk-based model allowing businesses to design controls that achieve the same security outcome but in a way tailored to their environment.
    • Why it matters: This option acknowledges that not all organizations are alike. Cloud-first service providers, for instance, may have different technical constraints than retailers running on-premises systems.
    • Compliance tip: Work with a Qualified Security Assessor (QSA) to determine whether the defined or customized approach is right for your business.

    4. Stronger network security controls

    PCI DSS v4.0 replaces the term “firewall and router” with network security controls (NSCs), reflecting the wide range of tools available today.

    • Key updates:
      • Organizations must implement NSCs to protect the cardholder data environment and segment it from untrusted networks.
      • Greater emphasis on monitoring, logging, and auditing of NSCs to prove effectiveness.
    • Why it matters: Modern network architectures include cloud, hybrid, and distributed models. The update ensures network security controls remain effective in all contexts.
    • Compliance tip: Map out your current NSCs, including firewalls, intrusion prevention systems, and cloud-native defenses, and verify they align with the new requirement.

    5. Encryption and sensitive authentication data

    With the rising sophistication of attacks, PCI DSS v4.0 strengthens requirements around protecting sensitive authentication data (SAD) and cardholder information.

    • Key updates:
      • Stricter encryption requirements for data in transit across both public and private networks.
      • Enhanced safeguards for SAD, including PINs, CVVs, and magnetic stripe data, ensuring it is never stored unless absolutely necessary.
    • Why it matters: Unencrypted or weakly protected data remains one of the biggest targets for attackers.
    • Compliance tip: Review encryption protocols and key management processes to confirm they meet the latest standards.

    6. Increased oversight for service providers

    Service providers such as payment processors, managed security providers, and cloud hosting companies face new requirements under PCI DSS v4.0.

    • Key updates:
      • More stringent accountability for compliance, including documented roles and responsibilities.
      • Requirement to demonstrate how security measures are consistently applied across all customers.
      • Additional testing obligations to validate effectiveness of controls.
    • Why it matters: Many organizations rely heavily on service providers to store or process cardholder data. Stronger oversight ensures compliance extends beyond in-house systems.
    • Compliance tip: If you work with third-party service providers, request updated compliance documentation, including their Report on Compliance (ROC) or Attestation of Compliance (AOC).

    A Living Standard

    These new requirements highlight the evolution of PCI DSS into a living standard. Instead of a static checklist, PCI DSS v4.0 adapts to new attack methods, new technologies, and new compliance requirements set by the Security Standards Council.

    For organizations, this means compliance is no longer just an annual event; it’s an ongoing process of maintaining strong security measures, updating policies, and continuously monitoring for potential threats.

    When did PCI DSS v4.0 come into effect?

    The PCI Security Standards Council released PCI DSS v4.0 in March 2022. However, organizations were given a transition period to move from PCI DSS v3.2.1 to the new version.

    • March 31, 2024: PCI DSS v3.2.1 officially retired. All entities were required to validate against PCI DSS v4.0.
    • March 31, 2025: The deadline for adopting all requirements introduced in PCI DSS v4.0. Until this date, organizations were expected to be compliant with the “core” requirements, while preparing for full implementation.

    This staggered approach ensured businesses had time to adopt stronger security measures while adjusting processes, training staff, and implementing new technologies.

    The 12 PCI DSS v4.0 requirements

    PCI DSS v4.0 retains the familiar 12 PCI DSS requirements but with expanded flexibility and depth. These requirements form the foundation of all PCI DSS v4.0 compliance programs:

    1. Install and maintain network security controls, replacing “firewalls and routers” to reflect modern network security technologies.
    2. Apply secure configurations to all system components.
    3. Protect stored account data using strong encryption and tokenization methods.
    4. Protect cardholder data during transmission across open or public networks.
    5. Protect all systems and networks from malicious software with advanced detection and response.
    6. Develop and maintain secure systems and applications to mitigate vulnerabilities.
    7. Restrict access to cardholder data by business need-to-know.
    8. Identify users and authenticate access to system components using multi-factor authentication and strict password requirements.
    9. Restrict physical access to cardholder data and facilities.
    10. Log and monitor all access to system components and cardholder data.
    11. Test security systems and processes regularly, including penetration testing and vulnerability scanning by approved scanning vendors.
    12. Support information security with organizational policies and programs that clearly define roles, responsibilities, and compliance measures.

    Together, these 12 requirements align businesses with the data security standard and protect both merchants and consumers against evolving cyber risks.

    PCI DSS compliance checklist 

    The updated PCI DSS v4.0 requirements highlight the need for securing and governing all channels where sensitive data is shared. Use this checklist to prepare your business: 

    1. Scope: Identify system components and networks involved in storing, processing, or transmitting cardholder data.
    2. Assess: Conduct a thorough assessment of compliance for all system components, including overlooked collaboration tools. For example, use a record checker tool to assess your DMARC policy readiness.
    3. Report: Document compliance efforts using the Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC).
    4. Attest: Fill out the Attestation of Compliance (AOC) to confirm your compliance status.  
    5. Submit: Submit required documentation, including SAQ, ROC, AOC, and supporting materials, like ASV scan reports, to the appropriate entities.
    6. Remediate: Address deficiencies, implement necessary changes, and submit an updated compliance report where required. 

    Is PCI compliance required by law?

    A common misconception is that PCI compliance is legally mandated. In reality, PCI DSS is a security standard created by the PCI Security Standards Council, not a law. However, compliance is enforced contractually by major payment card brands (Visa, Mastercard, American Express, Discover, JCB).

    For organizations that handle cardholder data, meeting the PCI DSS requirements is a compliance requirement tied to their ability to process payments. Non-compliance may result in:

    • Fines up to $100,000 per month.
    • Increased transaction fees or loss of ability to process card payments.
    • Reputational damage following a data breach or data leak.

    In addition, many regulatory bodies align with PCI DSS. For example, failing to meet PCI DSS v4.0 compliance could expose businesses to legal liabilities if sensitive authentication data is compromised.

    Thus, while not a law itself, PCI DSS is a mandatory security measure for any organization processing payment cards.

    Close compliance gaps with Mimecast 

    Most businesses focus on email security but leave communication platforms like Teams, Slack, and Zoom vulnerable to data breaches. But since 1 in 17 messages in collaboration tools contain sensitive data, the fast-approaching PCI DSS v4.0 requirements don't just cover email: they mandate protection across all communication platforms.

    Mimecast’s unified compliance solutions provide seamless governance and security for all communication channels, allowing you to meet PCI DSS v4.0 requirements efficiently. 

    Request a demo today to safeguard your organization and take the stress out of compliance.


    **This blog has been updated from a previous version.
