PCI DSS v 4.0 Everything to know before Mar 31, 2024

The clock is ticking for organizations to adhere to the latest PCI Data Security Standard (PCI DSS) version, 4.0. This version forces nearly every organization to update policies, procedures, and potentially much more.

Is your organization ready?

The PCI Security Standards Council announced Version 4.0 of the PCI Data Security Standard on March 31, 2022. Version 4.0 brings the total PCI DSS requirements organizations must adhere to from 370 to over 500. 

An overwhelming amount of content is dedicated to 4.0, so much so that finding what you’re looking for can be challenging. To simplify your research, we’ve condensed dozens of articles from around the web. This blog highlights how Version 4.0 was created and the new requirements impacting PCI-compliant organizations over the next two years.

The creation of PCI DSS version 4.0

The PCI Security Standards Council has enforced version 3.2.1 since 2018, but the world has changed drastically since then. Even before a global pandemic pushed the world’s population to purchase online instead of in-store to limit COVID-19 exposure, increasing payment card usage highlighted several weaknesses for the next version to close. 

In light of the world’s increased utilization of payment cards and by leveraging feedback from a 2017 request for comment (RFC) period, the PCI Security Standards Council set forth to launch its first draft of 4.0 in 2019. 

The PCI Security Standards Council makes a concerted effort to involve the industry in creating PCI DSS. After three years, multiple drafts, and two RFCs that more than 200 organizations worldwide participated in and provided 6,000+ feedback items to, the PCI Security Standards Council announced PCI DSS version 4.0 in March 2022 (image 1). 

PCI blog image 1

According to the announcement, Version 4.0 seeks to “address emerging threats and technologies and enable innovative methods to combat new threats.” The updated version marks just the third significant version change to the Standard since its creation in 2004. 

What’s new in Version 4.0

Changes to requirements from version 3.2.1 and requirements new to 4.0 fall into one of three broad categories as defined by the PCI Security Standards Council in their Summary of 4.0 changes:

  • Evolving Requirement - Changes to ensure that the standard is up to date with emerging threats, technologies, and changes in the payment industry. 

  • Clarification or Guidance - Updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic.

  • Structure or Format - Reorganization of content, including combining, separating, and renumbering of requirements to align content.

While Version 4.0 brought 100+ changes into the three categories, each of the 64 new requirements fell into “Evolving Requirement.” Diving deeper into the new requirements, nearly 22% apply to Requirement 12: to maintain a policy that addresses information security for all personnel (figure 2).

PCI blog image 2

Version 4.0 launched with 24 months for organizations to adhere to the first 13 requirements, but we’re less than a month away as we approach the first of two effective dates on March 31, 2024.

Requirements enforced after March 2024

If you’re reading this and realizing you haven’t started addressing 4.0’s requirements and have just over a month until they go into effect, all hope is not lost! Your organization likely has more time to finish addressing them than the effective date implies. While the requirements go into effect in March, assessments will not include them until after. If your organization just had its assessment or won’t have another until the latter half of the year, you’ll have added precious time to comply!

PCI blog image 3

The first 13 requirements of Version 4.0 center around operational policies. 10 of 13 requirements (2.1.2, 3.1.2, 4.1.2, 5.1.2, 6.1.2, 7.1.2, 8.1.2, 9.1.2, 10.1.2, and 11.1.2) focus on identifying individuals' "roles and responsibilities" in IT and security teams. By formalizing these policies, organizations empower themselves with documentation on who is responsible for addressing distinct aspects of their PCI compliance. The final three requirements may require some lead time, so it is best to get started ASAP if you haven’t already.

What is requirement 12.3.2?

Version 4.0 introduces the much-requested addition of a “customized approach” to solving their security requirements. In this context, a customized approach refers to an organization’s ability to meet the intended outcome of a requirement via alternative means. Requirement 12.3.2 ensures that each customized approach to solve a requirement is documented and that a targeted risk analysis is performed to determine the effective implementation of the control. 

What is requirement 12.5.2?

Requirement 12.5.2 dictates that your organization’s PCI DSS scope is documented and confirmed at least once every 12 months. This includes your organization’s Cardholder Data Environment, the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.  As you can imagine, this can be quite a task, especially for large and global organizations! 

What is requirement 12.9.2?

Requirement 12.9.2 only applies to Service Providers. If your organization is just a merchant, you have one less requirement to worry about! This requirement dictates that third-party service providers (TPSPs) support customers’ requests to provide PCI DSS compliance status and information about PCI DSS requirements that are the responsibility of the TPSP. 

Preparing for March 2025

51 requirements in Version 4.0 are denoted as “future-dated,” meaning that the PCI Security Standards Council understands these requirements will likely take organizations more time and effort. Of the 51 requirements, the team at Fastly has seen an influx of questions around the new 6.4.2 requirement, which states:

For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks with at least the following:

  • Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.

  • Actively running and up to date as applicable.

  • Generating audit logs.

  • Configured to either block web-based attacks or generate an alert that is immediately investigated.

Now, every WAF worth evaluating will cover the applicable minimum requirement bullets (including ours), but there’s a massive difference in the quality of protection and maintenance burden for security teams. Legacy WAFs will only deploy into specific environments, silo data, and require multiple full-time resources to manage. As your organization prepares to address this requirement, Fastly’s Next-Gen WAF is the solution to procure due to its flexibility, integrations with your DevOps and DevSecOps toolchain, and ease of use. 

Procuring a WAF is mandatory. Keeping it in logging mode because it’s challenging to use or breaks your application is preventable.

Solve PCI DSS Requirements with Fastly

Whether you’re looking to solve requirements new to PCI DSS like 6.4.2 or improve solutions to existing requirements, Fastly can help! Contact us to see a demo or learn more about how Fastly simplifies satisfying PCI DSS requirements.

David King
Product Marketing Manager, Security

5 min read

Want to continue the conversation?
Schedule time with an expert
Share this post
David King
Product Marketing Manager, Security

David King is a Product Marketing Manager for Fastly's Security Products.

Ready to get started?

Get in touch or create an account.