PCI DSS 4.0 from PCI DSS 3.2.1 - Part 1

June 2, 2022 | By Accorian

Written by Kiran Murthy & Eishu Richhariya

Introduction

PCI DSS stands for Payment Card Industry Data Security Standard. The first version of the standard was released in 2004 by the five card brands Visa, MasterCard, Discover Financial Services, JCB International and American Express. It is now owned and maintained by the PCI SSC, the Payment Card Industry Security Standards Council.

Applicability - PCI DSS applies to every company or organization that accepts, stores, processes and/or transmits cardholder data.

When will the new version, PCI DSS v4.0, take effect?

Until March 31, 2024, an entity being assessed may choose which version (v3.2.1 or v4.0) its assessment is conducted against. After that date v3.2.1 is retired and v4.0 becomes the only valid version of the standard.

PCI-DSS v4.0 New Requirements

The new version contains a substantial number of new requirements: 64 in total.

  • When assessing against v4.0, only 13 of the 64 new requirements are mandatory from day one.
  • The remaining 51 are considered "best practices" until March 31, 2025. After that date they are mandatory and must be in place to complete a PCI DSS v4.0 assessment.

Note that the two dates are different: v3.2.1 is retired on March 31, 2024, so from that point every assessment is a v4.0 assessment, but the 51 future-dated requirements do not become mandatory until a year later.

Changes in the Security Objectives of PCI DSS v4.0

The six high-level security objectives (goals) are carried over almost unchanged. The only change is to the second objective, which now refers to "account data" rather than "cardholder data", reflecting that both cardholder data and sensitive authentication data are in scope.

PCI DSS v3.2.1                                  | PCI DSS v4.0
Build and Maintain Secure Network and Systems   | Build and Maintain Secure Network and Systems
Protect Cardholder Data                         | Protect Account Data (changed)
Maintain a Vulnerability Management Program     | Maintain a Vulnerability Management Program
Implement Strong Access Control Measures        | Implement Strong Access Control Measures
Regularly Monitor and Test Networks             | Regularly Monitor and Test Networks
Maintain an Information Security Policy         | Maintain an Information Security Policy

Changes in the Names of the 12 PCI DSS Requirements

All 12 requirements keep their numbering, but most have been renamed in v4.0 to state the security outcome rather than a specific technology (for example "firewall" becomes "network security controls" and "anti-virus software" becomes "protect from malicious software"). Only Requirement 9 keeps its v3.2.1 name.

  1. v3.2.1: Install and maintain a firewall configuration to protect cardholder data
     v4.0:   Install and maintain network security controls

  2. v3.2.1: Do not use vendor-supplied defaults for system passwords and other security parameters
     v4.0:   Apply secure configurations to all system components

  3. v3.2.1: Protect stored cardholder data
     v4.0:   Protect stored account data

  4. v3.2.1: Encrypt transmission of cardholder data across open, public networks
     v4.0:   Protect cardholder data with strong cryptography during transmission over open, public networks

  5. v3.2.1: Protect all systems against malware and regularly update anti-virus software or programs
     v4.0:   Protect all systems and networks from malicious software

  6. v3.2.1: Develop and maintain secure systems and applications
     v4.0:   Develop and maintain secure systems and software

  7. v3.2.1: Restrict access to cardholder data by business need to know
     v4.0:   Restrict access to system components and cardholder data by business need to know

  8. v3.2.1: Identify and authenticate access to system components
     v4.0:   Identify users and authenticate access to system components

  9. v3.2.1: Restrict physical access to cardholder data
     v4.0:   Restrict physical access to cardholder data (unchanged)

  10. v3.2.1: Track and monitor all access to network resources and cardholder data
      v4.0:   Log and monitor all access to system components and cardholder data

  11. v3.2.1: Regularly test security systems and processes
      v4.0:   Test security of systems and networks regularly

  12. v3.2.1: Maintain a policy that addresses information security for all personnel
      v4.0:   Support information security with organizational policies and programs

Types of Changes

The PCI SSC classifies every change from v3.2.1 to v4.0 into one of three types:

  • Evolving requirements - changes that keep the standard up to date with emerging threats, new technologies and changes in the payment industry. These are the changes that add or alter what an entity must actually do.
  • Clarification or guidance - updated wording, explanations, definitions and guidance to increase understanding of an existing requirement, without changing its intent.
  • Structure or format - reorganization of content, such as combining, separating or renumbering requirements.

Two Approaches

Version 4.0 gives organizations new flexibility in how they meet the PCI DSS security objectives. Two distinct methods of validating a requirement are permitted, and an entity can use either one on a requirement-by-requirement basis:

  1. Defined Approach - The organization implements the requirement as stated, and the assessor follows the testing procedures written into the standard. Where a requirement cannot be met exactly as stated, compensating controls are used to fill the gap. This is the traditional method and is unchanged from previous versions of the standard.

  2. Customized Approach - There are no pre-written testing procedures. The organization implements controls of its own design that meet the stated customized approach objective of the requirement, documents them, and supports them with a targeted risk analysis; the assessor then develops testing procedures to validate that the implemented solution meets the objective. Compensating controls are not used with this approach. It is intended for "risk-mature entities" that already have a robust risk management process, and it places a heavier documentation and evidence burden on the organization than the defined approach does.
