
Publication date: June 7, 2024

Preparing for PCI DSS Version 4


Written by Brian Black

Brian Black, CISSP. Brian is the Director of Cyber and GRC Consulting at Elevate.

The Payment Card Industry Data Security Standard (PCI DSS) and other associated Payment Card Industry Security Standards are detailed security protocols that exist to protect cardholders and secure payment transactions. 

These protocols are overseen by the Payment Card Industry Security Standards Council (PCI SSC), a diverse global body that develops, maintains, and manages the standards for the protection of payment data.

The Purpose of PCI Security Standards 

The primary purpose of the PCI DSS and the library of PCI Security Standards is to provide essential frameworks and methodologies for protecting cardholder data and ensuring the secure handling of credit card information by merchants and service providers. Cardholder data consists of the primary account number (PAN), cardholder name, expiration date, and service code, along with any sensitive authentication data such as full track data, PINs, and card verification codes (e.g., CVV2, CVC2). The standards apply to:

  • Entities that Store, Process, or Transmit Cardholder Data: Any organization handling payment card data must adhere to these standards to minimize data protection risks and reduce the risk of breaches.
  • Entities Accepting or Processing Payment Transactions: This includes merchants, payment processors, acquirers, and issuers who are involved in the lifecycle of payment transactions.
  • Developers and Manufacturers of Software and Devices: Companies that create and provide the software and hardware used in payment transactions must also comply with PCI standards. Examples include payment application developers, point-of-sale (POS) system manufacturers, and producers of hardware security modules (HSMs).

Demonstrating the Breadth of PCI Standards

To address the various needs of organizations maintaining payment ecosystems, the PCI SSC has developed, and continues to maintain, many standards that provide additional detail supplemental to the PCI DSS. The following are select examples of these standards, offered to illustrate the holistic nature of the PCI SSC’s approach.

Table 1 – PCI Standards

The PCI SSC continues to develop new standards and evolve existing ones to adapt to industry changes and innovations. There are many other important standards; however, the key standard when considering PCI implementation remains the PCI DSS.

What is PCI DSS?

The PCI DSS was established to promote the security of card payments and card account data. The goal is to drive the adoption and implementation of consistent data security practices worldwide. It is managed and promoted by major card brands such as Visa, MasterCard, Discover Financial Services, JCB International, and American Express.  

PCI DSS Compliance and Compliance Levels

To effectively implement the PCI DSS there are several key areas to consider. These include:

  1. How the organization is involved with payment transactions.
  2. Whether the organization stores, processes, or transmits cardholder data.
  3. Which technical and business processes are tied to transaction-based activities.
  4. How many transactions in which the organization participates annually.

These items help an organization identify its PCI scope, one of the most important activities throughout the compliance lifecycle. As such, various types of organizations must achieve PCI compliance. This includes, but is not limited to, merchants, payment processors, financial institutions, and service providers that handle cardholder data.

To support these compliance efforts, PCI DSS defines four merchant levels, determined by the annual volume of credit or debit card transactions, that help an organization focus on applicable requirements. The specific compliance level dictates the controls and validation measures an organization must implement to maintain compliance.

  1. Level 1: Merchants that process over 6 million card transactions per year across all channels. This level includes large-scale businesses with high transaction volumes.
    • To comply, businesses classified as Level 1 must undergo an annual assessment by a Qualified Security Assessor (QSA) or internal auditor and complete quarterly network scans by an Approved Scanning Vendor (ASV).
  2. Level 2: Merchants that process 1 to 6 million transactions per year across all channels.
    • To comply, Level 2 organizations must complete an annual Self-Assessment Questionnaire (SAQ) and quarterly network scans by an ASV.
  3. Level 3: Merchants that handle 20,000 to 1 million digital and e-commerce transactions annually.
    • To comply, covered entities must complete an annual SAQ and quarterly network scans by an ASV.
  4. Level 4: Merchants that process fewer than 20,000 e-commerce transactions per year.
    • To comply, they must complete an annual SAQ and conduct quarterly network scans by an ASV.

PCI DSS Requirements

The PCI DSS consists of core requirements that are designed to build and maintain secure networks and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, and maintain an information security policy.

Table 2: PCI DSS Requirements

PCI DSS Version 4.0 Readiness

The Payment Card Industry Data Security Standard (PCI DSS) Version 4.0 is the latest update, which became mandatory on March 31, 2024. This version introduces new requirements, updated requirements, and an enhanced approach to compliance with the standard. It aims to ensure that the standard remains effective in safeguarding the payment ecosystem while adapting to new technologies and platforms. The following timeline graphic provides a high-level overview of the PCI DSS v4.0 implementation dates. As shown, there was a transition period from v3.2.1 to v4.0 to give organizations time to adapt and change. Note that a select few requirements remain future-dated for Q1 2025 (e.g., extended at-rest encryption, anti-phishing protection, and continual user account review).

Figure 1 – PCI DSS v4.0 Timeline


Ensure PCI DSS Compliance with Version 4

The PCI DSS v4.0 was created to address the evolving security needs of the payment industry, incorporating feedback from global stakeholders and adapting to changes in technology and the threat landscape. Compliance with PCI DSS 4.0 remains crucial for organizations that handle cardholder data. As such, here are a few items we recommend for an organization to effectively move forward with PCI DSS v4.0:

  1. Understand the New Requirements and Changes: Put effort into becoming familiar with key updates in the latest version. Some of these updates include:
    • Increased Flexibility and Customization: Organizations now have the option to choose between a defined approach (traditional) and a customized approach. The customized approach allows organizations more flexibility in meeting security objectives with their own controls.
    • Enhanced Security Requirements: Several requirements were updated to address evolving threats. This includes changes to authentication (e.g., multi-factor authentication, shared and generic accounts, password requirements), cryptographic controls, and network security.
    • Focus on Risk Management: PCI DSS v4.0 places greater emphasis on risk management, requiring organizations to identify, assess, and manage risks that are specific to their environment.
    • Improved Guidance and Clarity: The guidance provided as part of the standard has been expanded to help organizations understand the requirements and how to implement them. This includes more detailed explanations and examples.
  2. Review the PCI DSS 4.0 Documentation: Take the time to review the PCI DSS v4.0 documentation thoroughly to understand the requirements and implications for your organization.
    • Consider attending training sessions, webinars, and workshops offered by accredited organizations to understand the nuances of the new requirements.
  3. Determine or Reassess PCI Scope: Scoping the organization’s PCI environment remains a crucial step for compliance. We recommend:
    • Identifying cardholder data flows that show where such data is stored, processed, or transmitted within the organization.
    • Defining the cardholder data environment (CDE) so that all relevant systems and networks are included in scope.
    • Reviewing network segmentation practices and how effectively the CDE is isolated from non-sensitive environments to reduce scope.
    • Involving stakeholders from IT, security, and business units early to validate the identified scope and confirm sufficient coverage.
  4. Perform a Gap Analysis: Conducting a comprehensive gap analysis is crucial to determine your organization’s current compliance status and identify areas for improvement. It may be useful to compare the current PCI DSS v3.2.1 compliance status against the new v4.0 requirements.
  5. Develop a Transition Plan: Develop a detailed project plan outlining the steps to transition to PCI DSS v4.0. This may include timelines, milestones, specific tasks, and responsible individuals or groups.  
  6. Update Policies and Procedures: Review and update your organization’s policies and procedures to align with the new requirements of PCI DSS Version 4.0. This includes updating incident response plans, access control policies, and data protection protocols. 
  7. Implement New Security Controls: Implement or upgrade security technologies, solutions, or tools as required to meet the new standards such as enhanced authentication mechanisms, encryption, and continuous monitoring. This may also include strengthening existing controls to meet updated requirements (e.g., multi-factor authentication or vulnerability management procedures).  
  8. Conduct Training and Awareness: Conduct training sessions for employees to make sure they understand their roles in maintaining PCI DSS compliance. This also includes security awareness programs to keep personnel informed about security practices.  
  9. Perform Regular Assessments: Conduct regular internal assessments to verify compliance with PCI DSS v4.0 (e.g., readiness assessments). It may be helpful to engage third-party experts to support both the remediation items above and assessment activities. This helps promote an impartial, expert perspective.
  10. Engage with Qualified Assessors: Work with competent assessors to conduct scheduled assessments and vulnerability scans.
  11. Monitor and Test Continuously: Establish a process for continuous monitoring and testing of your security environment to support ongoing compliance with PCI DSS Version 4.0. Regularly assess and update your security measures to address emerging threats and vulnerabilities. 

These best practices and key action items will support your organization on its path to PCI DSS v4.0 compliance. Achieving and maintaining compliance can be a complex, time-consuming, and challenging effort. For this reason, we recommend taking full advantage of expert resources for success.

At Elevate we specialize in helping organizations navigate the intricacies of PCI DSS compliance and implementing best practices to enhance security posture to an appropriate level for compliance. Compliance is an ongoing process, and we provide support throughout the compliance lifecycle (e.g., remediation, readiness assessment, external audit support). For any questions, please reach out to speak with one of our PCI compliance experts. 
