PCI-DSS – Out With the Old (v3.2), In With the New (v4.0)

Posted by: Bill Bradley
April 01, 2024
Best CC sender
Getting your Trinity Audio player ready...

Perhaps PCI-DSS 4.0 launched yesterday, March 31 – a Sunday – to avoid being labeled an April Fool’s Joke to the world? Regardless of why the PCI Security Standards Council (PCI SSC) picked the odd timing for the launch of the new version, security teams must be ready to meet this updated set of requirements starting, well, yesterday. 

What has Changed in PCI DSS v4?

This new version introduces many changes, updates, and additions to the way organizations must comply with the standard. The first thing you need to know is that this new version is very different than the previous iteration of PCI. Depending on how detailed you need to get, here is a summary of changes document that goes line by line through the previous version of the standard and gives guidance on the change to the particular element of the standard. 

These changes come in three different types:

  • Evolving requirement – Changes to ensure that the standard is up to date with emerging threats and technologies, and changes in the payment industry.
  • Clarification or guidance – Updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic.
  • Structure of format – Reorganization of content, including combining, separating, and renumbering of requirements to align content.

For those who just want to know what’s new, there are 64 new items in v4.0 of the standard, which are broken down into those that apply to All Entities (53) and those that are for Service Providers Only (11). Despite there being over 60 new items, only 13 of them take effect on March 31, 2024. The other 51 are slated to be enforced starting March 31, 2025.

Why Make These Changes?

In a word – evolution. 

This new version reflects the evolving payment industry and is focused on continuous security processes and stresses the need for validation. And as cyber threats continue to evolve and become more sophisticated, diverse, and often easier to leverage, this updated version of PCI reflects these changes to the cybersecurity threat landscape. While adhering to compliance alone is rarely a good way to get ahead of attackers, PCI seeks to set a common ground upon which an organization can build their information security program. Think of this new iteration, like most compliance standards as the place to start, not the place to stop.

PCI DSS 4.0 addresses these evolving threats by introducing updated requirements and controls that reflect the current cybersecurity landscape. Cybersecurity leaders need to stay ahead of these threats, and compliance with PCI DSS 4.0 ensures that organizations are implementing the necessary security measures to protect sensitive cardholder data.

What are Some of the New/Enhanced Themes in the Changes?

The Move to a Customized Approach – One of the main changes introduced is that of the “Customized Approach”, which means that organizations now have the flexibility to pick the controls that fit their needs best. This doesn’t do away with the “Defined Approach” of the previous versions though – organizations can use either approach. 

Focus on a Risk-Based Approach – Version 4.0 introduces a Targeted Risk Analysis, or TRA, as one of the 60+ new requirements. The TRA is a best practice until March 2025 and reads, organizations are “to perform a targeted risk analysis for any PCI DSS requirement that provides flexibility for how frequently it is performed.”  To get your TRA started, here is a template from the PCI Security Standards Council.

Emphasis on Continuous Compliance – PCI DSS compliance is an ongoing part of the risk and compliance teams’ responsibility. Threats are evolving and emerging, so security controls, teams, and operational processes must evolve too. This should include the implementation, or the upgrading of regular assessments, audits, and monitoring to ensure ongoing adherence to the standard. (This new focus dovetails very nicely with the Continuous Threat Exposure Management (CTEM) approach we advocate for here at XM Cyber, which is all about reducing risk and improving security posture.)


PCI DSS 4.0 represents the next step in the effort to protect cardholder data and mitigate cyber threats. Cybersecurity leaders play a key role in ensuring that their organizations understand and comply with the requirements of PCI DSS 4.0. By embracing the new standard, organizations can enhance their security posture, mitigate the risk of data breaches, and safeguard the integrity of payment card transactions.


To learn more about the XM Cyber platform and our continuous approach to reducing risk, book a custom demo with us and we’ll help you answer questions like, “Where are we most at risk?” & “How has security posture improved over time?”


Bill Bradley

Bill is Sr Director of Product Marketing for XM Cyber and brings a diverse background of sales, product management, and marketing to the role. He knows enough of cybersecurity to be dangerous, but also when to seek expert guidance.

Find and fix the exposures that put your critical assets at risk with ultra-efficient remediation.

See what attackers see, so you can stop them from doing what attackers do.