PCI DSS 4.0 Unlocked: Why It’s Time to Ditch the Checklist and Embrace Governance

December 5, 2024

Did we even need PCI DSS 4.0?

In March 2022 the PCI Security Standards Council, guardian of the landmark PCI DSS standard, released a major update of that standard from version 3.2.1 to 4.0. Compliance with this standard is required of anyone who stores, processes or transmits payment card data. Version 3.2.1 was retired on March 31, 2024, but most of the new requirements were future-dated: the grace period for adopting them expires on March 31, 2025, at which point they become mandatory for every assessment. This update brought in many changes, some significant, some less so. A minor revision, 4.0.1, was released in June 2024, but that is normal practice for the Council after a major release, fixing typos and clarifying terms or phrases that people found confusing. The substance of the change was all in 4.0. So, what changed, and why did we need it?

Key Changes in PCI DSS 4.0

Improved Usability and Flexibility

One of the primary objectives of PCI DSS 4.0 was to enhance usability and provide greater flexibility in meeting security requirements. This approach acknowledges that security solutions can vary across organizations and that there may be multiple ways to achieve a security objective.

Introduction of the Customized Approach

A significant innovation in PCI DSS 4.0 is the Customized Approach. It lets organizations go beyond the traditional Defined Approach, in which the standard tells you exactly what to do, and instead select controls that best suit their environment and risk profile, provided they can show the control meets the requirement's stated objective. The Customized Approach sits alongside the existing Compensating Controls mechanism rather than replacing it, providing a more structured and formalized route to alternative compliance strategies.

New and Updated Requirements

PCI DSS 4.0 introduces 64 new requirements, with 13 of these becoming effective immediately upon the adoption of the new standard. These new requirements address evolving threats and technological advancements in the payment industry. Some notable changes include:

  • Enhanced Authentication Controls: Stricter multi-factor authentication requirements for all access into the cardholder data environment.
  • Updated Password Requirements: Increasing the minimum password length from 7 to 12 characters (8 where a system cannot support 12) and prohibiting the hard-coding of user or system account credentials (service accounts) in files, scripts or custom source code.
  • Phishing Protection: New measures to detect phishing attacks and to protect staff against them.
  • Expanded Encryption Requirements: Additional controls around encryption, masking and hashing of account data.
  • Browser Script Controls: Protections around the authorization, inventory and integrity of scripts that payment pages load into the consumer's browser.
  • Expanded Access Control: Enhanced protection of user accounts and explicit inclusion of system and application accounts.
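
As an added example (not code from the article, nor anything published by the PCI SSC), here is a Python check in the spirit of the browser-script bullet above, which corresponds to PCI DSS 4.0 Requirement 6.4.3. It parses a payment page, compares every script it finds against an authorized script inventory, and verifies each pinned Subresource Integrity (SRI) hash against the script body actually served. The inventory, the page HTML, the URLs and the script bodies are all constructed sample data; the "fetch" is a local dictionary standing in for an HTTPS request.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample inventory: the scripts the business has reviewed and
# authorized to run on the payment page, with the justification for each.
AUTHORIZED_SCRIPTS = {
    "https://cdn.example-psp.test/checkout.js": "card tokenization from our payment service provider",
    "https://static.example-shop.test/app.js": "our own storefront bundle",
}

# Constructed stand-in for fetching each script over HTTPS (hypothetical bodies).
FETCHED_BODIES = {
    "https://cdn.example-psp.test/checkout.js": b"window.psp = {tokenize: function (card) {}};",
    "https://static.example-shop.test/app.js": b"console.log('storefront');",
    "https://tag.example-analytics.test/t.js": b"/* unreviewed third-party tag */",
}


def sri_for(body: bytes, alg: str = "sha384") -> str:
    """Compute a Subresource Integrity token ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(integrity_attr: str, body: bytes) -> bool:
    """True if any token in the integrity attribute matches the body under a supported algorithm."""
    for token in integrity_attr.split():
        alg = token.partition("-")[0]
        if alg in ("sha256", "sha384", "sha512") and sri_for(body, alg) == token:
            return True
    return False


class ScriptCollector(HTMLParser):
    """Collect the src and integrity attributes of every <script> tag, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})


def audit_payment_page(html: str, inventory: dict, fetch) -> list[tuple]:
    """Return (finding, src, detail) tuples for scripts that break inventory or integrity expectations."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        src, integrity = s["src"], s["integrity"]
        if src is None:
            findings.append(("INLINE_SCRIPT", None,
                             "inline script cannot carry SRI; record it in the inventory and pin it with a CSP hash or nonce"))
            continue
        if src not in inventory:
            findings.append(("UNAUTHORIZED", src, "script is not in the authorized inventory"))
            continue
        if not integrity:
            findings.append(("NO_INTEGRITY", src, "authorized script is loaded without an integrity attribute"))
            continue
        body = fetch(src)
        if body is None:
            findings.append(("UNREACHABLE", src, "could not fetch the script to verify its hash"))
            continue
        if not sri_matches(integrity, body):
            findings.append(("INTEGRITY_MISMATCH", src,
                             f"served content hashes to {sri_for(body)}, page pins {integrity}"))
    return findings


# Constructed payment page: checkout.js pins the hash of an older build (simulating an
# unnoticed upstream change), app.js pins the current hash, the analytics tag was never
# authorized, and one script is inline.
STALE_PIN = sri_for(b"window.psp = {tokenize: function (card) {}}; /* older build */")
CURRENT_APP_PIN = sri_for(FETCHED_BODIES["https://static.example-shop.test/app.js"])
SAMPLE_PAGE = f"""<!doctype html>
<html><head>
  <script src="https://cdn.example-psp.test/checkout.js" integrity="{STALE_PIN}" crossorigin="anonymous"></script>
  <script src="https://static.example-shop.test/app.js" integrity="{CURRENT_APP_PIN}" crossorigin="anonymous"></script>
  <script src="https://tag.example-analytics.test/t.js"></script>
  <script>window.dataLayer = [];</script>
</head><body><form id="card-form"></form></body></html>"""


if __name__ == "__main__":
    for kind, src, detail in audit_payment_page(SAMPLE_PAGE, AUTHORIZED_SCRIPTS, FETCHED_BODIES.get):
        print(f"{kind:19} {src or '<inline>'}: {detail}")
```

Run against the constructed page this reports a stale hash on the tokenization script, an unauthorized analytics tag and an un-pinned inline script, while the storefront bundle passes. In production the fetch would be a real HTTPS request and the check would run on a schedule, which is also the shape of evidence an assessor will ask for under the browser-script requirements: an inventory with a business justification per script, and proof that you detect when a script's content or the page's script set changes.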

Clarification and Loophole Closure

Several existing requirements were clarified to close potential loopholes and ensure more consistent interpretation across organizations. For example, the phrase "testing or development" environments was replaced with "pre-production" environments, making it clear that live primary account numbers may not be used in any environment that is not production, whatever it happens to be called.

Enhanced QSA Process

If your transaction volume is large enough, you are required to engage a Qualified Security Assessor (QSA) to perform an independent, third-party assessment of your compliance each year, resulting in a Report on Compliance (ROC). Never a small task, this process has been significantly expanded, potentially increasing the size and cost of such assessments. The aim is a more thorough and comprehensive assessment of an organization's security posture, with less room for a QSA to 'help' a client pass.

Increased Focus on Governance and Risk

Perhaps the most profound change in PCI DSS 4.0 is the heightened emphasis on governance and risk management. This shift represents a drive towards a fundamental change in philosophy, trying to move people from a checklist-based approach to a more risk-based security strategy.

How can this be the most significant change, you ask, when there are so many other changes that require actual changes to tools, technology and process? Well, that's exactly my point. Everything else is just yet more of the same; this, however, is a drive to change your philosophy around security, not your implementation.

Security Policy Integration

Previously, the requirement to document security policies and operational procedures sat at the tail end of each requirement, where it was easy to treat as an afterthought to a single overarching security policy. PCI DSS 4.0 moves it to the front of each of the 12 core requirements and pairs it with an explicit requirement to define roles and responsibilities for that requirement. This is to ensure that security policy considers and addresses every aspect of the program, and that someone owns each aspect.

Expanded Risk Assessment Requirements

The new standard significantly expands the scope of risk assessment. While previously a single annual enterprise risk assessment was sufficient, PCI DSS 4.0 requires a targeted risk analysis for every requirement that lets you decide how frequently a control is performed, and for every control implemented under the Customized Approach. Though a traditional enterprise risk assessment is still recommended, PCI DSS now focuses on making sure that you risk assess all the places in the standard where you have decisions to make, and can show the assessor the reasoning behind each decision.

Broader Industry Trends

The shift towards governance and risk-based approaches in PCI DSS 4.0 aligns with broader trends in cybersecurity standards:

  • NIST CSF Update: In February 2024, NIST released version 2.0 of its Cybersecurity Framework, adding "Govern" as a sixth function alongside the existing five (Identify, Protect, Detect, Respond and Recover).
  • CIS Controls Update: In June 2024, the Center for Internet Security (CIS) released version 8.1 of its Critical Security Controls, likewise adding "Governance" as a new security function.

These updates across multiple standards underscore a growing recognition of the critical role of good governance in effective cybersecurity management, while also revealing a widespread gap in its implementation across the industry.

Implications for Organizations

The changes in PCI DSS 4.0 represent more than just technical updates; they signify a philosophical shift in approach to security. Organizations are now encouraged to:

  1. Think Strategically: Move beyond a checklist mentality and develop a comprehensive understanding of their unique risk landscape.
  2. Prioritize Governance: Integrate security considerations into all levels of organizational decision-making.
  3. Continuous Risk Assessment: Implement ongoing risk assessment processes rather than relying on annual evaluations.

It is a call to retire the existing approach to managing risk, which at best is based on a risk management framework (RMF) alone, if not on a total reliance on whatever vendors wish to sell you. Instead, you need to do the hard work of understanding where your risk is and actively deciding how to manage it.

This is the foundational approach of pretty much any certification in cybersecurity that you might take. And yet, having learned that approach, what do people actually do? A) The same thing they did last year, B) Whatever their favorite RMF's list of controls says, or C) Buy the latest tools from compelling and persuasive vendors.

How often do I see individuals working to adopt a framework like PCI DSS or the CIS Controls, only to skip over the valuable and insightful sections on program design and implementation strategy, rushing instead to the parts that list specific controls? Often people implement their security program first and then write policy to justify it when the auditors are coming. Instead, you need to start by working out what matters, write policy about how to protect it and manage risk, select the controls you need, and only then choose tools that work for you and your budget.

Conclusion

The transition to PCI DSS 4.0 represents a significant evolution in payment card security standards. While it introduces new technical requirements and clarifications, its most profound impact lies in its push towards a more thoughtful, governance-based approach to security. Organizations are challenged to move beyond mere compliance and towards a deeper understanding and active management of their security risks. This, I think, is why we really did need this update.

As the grace period for adoption comes to an end, organizations handling payment card data must not only update their technical controls but also reassess their entire approach to security governance and risk management. This transition may be challenging, but it offers an opportunity for organizations to develop more robust, flexible and effective security strategies that are better equipped to handle the evolving threat landscape of the digital age.

Compliance is a tool, not a destination.

About the Author:

Andy Cottrell is the founder and CEO of Truvantis, a Cybersecurity and Privacy consultancy that helps organizations of all sizes Manage Risk, Build Business Resilience and Win Stakeholder Trust through Penetration Testing, Security Program Building and Compliance Assessments such as PCI DSS, CMMC, HIPAA and GLBA. A security thought leader for more than 25 years, his passion is helping organizations move beyond compliance to realize true business value from their cyber-defense budgets.