What is PCI DSS v4.0?

PCI DSS v4.0 is the current version of the Payment Card Industry Data Security Standard, released in March 2022, introducing more flexible approaches to meeting requirements and stronger authentication standards.

What Is PCI DSS v4.0?

PCI DSS v4.0 is the latest version of the Payment Card Industry Data Security Standard, the global security framework that governs how organisations handle card payment data. Released in March 2022 by the PCI Security Standards Council, version 4.0 represents the most significant update to the standard since its creation. All organisations that process, store, or transmit cardholder data were required to fully transition to v4.0 by 31 March 2025.

The update was necessary because the payments landscape has changed dramatically since the previous version. Cloud computing, mobile payments, remote working, and increasingly sophisticated cyber threats all demanded a more flexible, modern approach to payment security.

What Changed in v4.0

PCI DSS v4.0 introduces several important changes compared to the previous version, v3.2.1. The headline shift is a move from a prescriptive, checkbox approach to one that allows organisations more flexibility in how they meet the standard's objectives.

Customised Approach

Perhaps the most significant change is the introduction of the "customised approach." Under previous versions, organisations had to meet specific, defined controls. Under v4.0, businesses can now design their own controls as long as they demonstrably meet the security objective of each requirement. This gives larger, more sophisticated organisations the freedom to use security measures that fit their specific environment rather than forcing a one-size-fits-all approach.

The traditional defined approach still exists for organisations that prefer clear, specific instructions on what controls to implement.

Stronger Authentication Requirements

v4.0 significantly strengthens requirements around authentication. Multi-factor authentication is now required for all access to the cardholder data environment, not just remote access as in previous versions. Password requirements have been updated too, with a minimum length increased to 12 characters where systems support it.

Enhanced Encryption and Monitoring

  • Encryption standards have been tightened, with outdated protocols explicitly prohibited
  • Automated log review mechanisms are now required, rather than manual daily reviews
  • Web application firewalls or equivalent controls are mandatory for public-facing applications
  • Internal vulnerability scans must be performed with authenticated scanning
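The second bullet above says v4.0 expects log review to be automated rather than a manual daily read-through. As an added illustration of what the smallest useful version of that looks like (this is example code written for this page, not Paytia's platform code and not text from the standard), the script below parses a handful of constructed, syslog-style SSH authentication lines, ignores hosts outside a hypothetical cardholder data environment, and raises findings for repeated failed logins, for a successful login that follows them, and for a successful login outside business hours. The hostnames, log format, thresholds and business-hours window are all assumptions chosen for the example; a real deployment would take them from the organisation's targeted risk analysis described later on this page.

```python
"""Minimal automated log review for hosts inside a cardholder data environment.

Added example for this page; not Paytia's code and not part of PCI DSS itself.
Hostnames, the log-line format, thresholds and business hours are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical hosts tagged as in scope (inside the CDE). Anything else is skipped.
CDE_HOSTS = {"pay-app-01", "pay-db-01"}

# Constructed sample lines in an assumed syslog-like shape: "<iso-time> <host> sshd: ..."
SAMPLE_LOG = """\
2025-04-01T02:14:03 pay-app-01 sshd: Failed password for admin from 203.0.113.7
2025-04-01T02:14:09 pay-app-01 sshd: Failed password for admin from 203.0.113.7
2025-04-01T02:14:15 pay-app-01 sshd: Failed password for admin from 203.0.113.7
2025-04-01T02:14:21 pay-app-01 sshd: Failed password for admin from 203.0.113.7
2025-04-01T02:14:27 pay-app-01 sshd: Failed password for admin from 203.0.113.7
2025-04-01T02:15:02 pay-app-01 sshd: Accepted password for admin from 203.0.113.7
2025-04-01T10:05:44 pay-db-01 sshd: Accepted publickey for dba from 10.0.0.5
2025-04-01T11:30:00 web-public-01 sshd: Failed password for root from 198.51.100.9
"""

# Assumed line format; lines that do not match are skipped rather than crashing the review.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

FAILURE_THRESHOLD = 5          # failures per (host, user, source) before a finding is raised
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59; a successful login outside this window is flagged


def parse_lines(text):
    """Turn raw text into a list of event dicts, dropping lines in an unexpected format."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["time"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def review(text):
    """Return findings as (rule, host, user, source) tuples for in-scope hosts only."""
    findings = []
    failures = defaultdict(int)  # (host, user, source) -> consecutive failure count
    for event in parse_lines(text):
        if event["host"] not in CDE_HOSTS:
            continue  # out of scope for this review
        key = (event["host"], event["user"], event["src"])
        if event["result"] == "Failed":
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:  # raise once, at the threshold
                findings.append(("repeated_failures",) + key)
        else:
            if event["time"].hour not in BUSINESS_HOURS:
                findings.append(("off_hours_success",) + key)
            if failures[key] >= FAILURE_THRESHOLD:
                findings.append(("success_after_failures",) + key)
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Run as-is, the script reports three findings, all for the `admin` account on `pay-app-01`: the fifth failed attempt, the off-hours success that follows, and the success-after-failures pattern. The public web host's failures are ignored because it is outside the assumed CDE; in practice the set of in-scope hosts should come from the organisation's scoping documentation rather than a hard-coded list.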

Targeted Risk Analysis

Rather than prescribing specific frequencies for security activities like log reviews or password changes, v4.0 requires organisations to perform a targeted risk analysis to determine appropriate frequencies based on their specific risk profile. This recognises that a small merchant with low transaction volumes faces different risks than a large payment processor.

Why v4.0 Matters for Businesses

For businesses of all sizes, the transition to v4.0 has significant practical implications. The new requirements around authentication, encryption, and monitoring may require technology upgrades, process changes, and staff training. The cost of compliance has increased for organisations that handle card data directly.

However, v4.0 also reinforces the value of descoping strategies. Businesses that can remove cardholder data from their environment, through tokenisation, hosted payment pages, or secure telephone payment solutions, can dramatically reduce their v4.0 compliance obligations. The fewer systems that touch card data, the fewer requirements apply.

PCI DSS v4.0 and Telephone Payments

The impact of v4.0 on telephone payment environments is substantial. Contact centres that handle card data directly now face stricter requirements around authentication, monitoring, and access control. Agent workstations that can access cardholder data must meet enhanced security standards. Call recording systems that capture card data require additional protections.

For many contact centres, the practical response to v4.0 has been to descope entirely. By using DTMF suppression technology or payment links, businesses can ensure that card data never enters the contact centre environment. This removes the telephony infrastructure from PCI DSS scope and avoids the increased compliance burden that v4.0 introduces.

This descoping approach is not just about avoiding compliance costs. It is genuinely better security. Rather than trying to protect card data as it flows through agents, recordings, and network segments, the data simply never enters those systems in the first place.

Practical Considerations

  • Self-Assessment Questionnaires have been updated for v4.0. Make sure you are using the correct version for your assessment
  • Future-dated requirements became mandatory on 31 March 2025. These include authenticated internal scanning and automated log review
  • Qualified Security Assessors have been trained on v4.0 requirements. If you use a QSA, ensure they are assessing against the current version
  • Documentation requirements have increased. The customised approach requires detailed documentation of how each control meets the security objective
  • Third-party service providers must also be compliant with v4.0. Review your provider agreements and request updated compliance attestations

PCI DSS v4.0 is a more mature, flexible standard than its predecessors, but it also raises the bar for organisations that handle card data. For many businesses, the most practical path forward is to reduce the amount of card data in their environment rather than trying to meet every new requirement across their entire infrastructure.

Preparing for What Comes Next

PCI DSS v4.0 is not a one-time event. The PCI Security Standards Council continuously evaluates the threat landscape and will release updates and guidance as new risks emerge. Organisations that build flexible, adaptable security programmes, rather than rigid compliance checklists, will be better positioned for future changes. The shift towards outcome-based requirements in v4.0 is a clear signal that the council expects organisations to think about security as a continuous practice, not an annual exercise.

How Paytia Uses This

Paytia's secure payment platform incorporates PCI DSS v4.0 principles to ensure phone payments are processed securely and efficiently. Combined with DTMF suppression, businesses get thorough payment security across all channels.

Frequently Asked Questions

What is PCI DSS v4.0?

PCI DSS v4.0 is the current version of the Payment Card Industry Data Security Standard, released in March 2022, introducing more flexible approaches to meeting requirements and stronger authentication standards.

How does PCI DSS v4.0 relate to PCI DSS?

PCI DSS v4.0 is the current edition of the standard itself, so PCI DSS compliance now means meeting v4.0's requirements for how payment data is handled, protected, and managed within the payment ecosystem.

Does Paytia support PCI DSS v4.0?

Paytia's PCI DSS Level 1 certified platform supports PCI DSS v4.0 as part of its comprehensive approach to secure payment processing across phone, web, and chat channels.

See how Paytia handles PCI DSS v4.0

Book a personalised demo and we'll show you how our platform works with your setup.
