Organizations will need to be compliant with PCI DSS version 4.0 by March 31, 2025. This will give you plenty of time to make the transition from PCI DSS 3.2.1, but only if you start now.
To help with this transition, we released a handout, Key PCI DSS v4.0 Requirements. Check out this handout to learn about:
- A detailed list of the new PCI DSS v4.0 requirements
- Which v4.0 requirements apply to merchants and which to service providers
- The date by which each requirement must be implemented
Key PCI DSS v4.0 Requirements
View designed version here: https://www.securitymetrics.com/lp/education/checklist/key-pci-dss-v4-0-requirements-checklist
| New Requirement | Requirement Description | Applicable to: All Entities | Applicable to: Service Providers Only | Effective: Immediately for all v4.0 Assessments | Effective: 31 March 2025 |
| :--- | :--- | :---: | :---: | :---: | :---: |
| **PCI DSS Requirement 2: Apply Secure Configurations to All System Components** | | | | | |
| 2.1.2 | Roles and responsibilities for performing activities in Requirement 2 are documented, assigned, and understood. | x | | x | |
| **PCI DSS Requirement 3: Protect Stored Account Data** | | | | | |
| 3.1.2 | Roles and responsibilities for performing activities in Requirement 3 are documented, assigned, and understood. | x | | x | |
| 3.2.1 | Any SAD stored prior to completion of authorization is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes. | x | | | x |
| 3.3.2 | SAD stored electronically prior to completion of authorization is encrypted using strong cryptography. | x | | | x |
| 3.3.3 | SAD stored by issuers is encrypted using strong cryptography. | | x | | x |
| 3.4.2 | Technical controls to prevent copy and/or relocation of PAN when using remote-access technologies except with explicit authorization. | x | | | x |
| 3.5.1.1 | Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN with associated key-management processes and procedures. | x | | | x |
| 3.5.1.2 | Implementation of disk-level or partition-level encryption when used to render PAN unreadable. | x | | | x |
| 3.6.1.1 | A documented description of the cryptographic architecture includes prevention of the use of cryptographic keys in production and test environments. | x | | x | |
| **PCI DSS Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks** | | | | | |
| 4.1.2 | Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood. | x | | x | |
| 4.2.1 | Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. | x | | | x |
| 4.2.1.1 | An inventory of the entity’s trusted keys and certificates is maintained. | x | | | x |
| **PCI DSS Requirement 5: Protect All Systems and Networks from Malicious Software** | | | | | |
| 5.1.2 | Roles and responsibilities for performing activities in Requirement 5 are documented, assigned, and understood. | x | | x | |
| 5.2.3.1 | A targeted risk analysis is performed to determine frequency of periodic evaluations of system components identified as not at risk for malware. | x | | | x |
| 5.3.2.1 | A targeted risk analysis is performed to determine frequency of periodic malware scans. | x | | | x |
| 5.3.3 | Anti-malware scans are performed when removable electronic media is in use. | x | | | x |
| 5.4.1 | Mechanisms are in place to detect and protect personnel against phishing attacks. | x | | | x |
| **PCI DSS Requirement 6: Develop and Maintain Secure Systems and Software** | | | | | |
| 6.1.2 | Roles and responsibilities for performing activities in Requirement 6 are documented, assigned, and understood. | x | | x | |
| 6.3.2 | Maintain an inventory of bespoke and custom software to facilitate vulnerability and patch management. | x | | | x |
| 6.4.2 | Deploy an automated technical solution for public-facing web applications that continually detects and prevents web-based attacks. | x | | | x |
| 6.4.3 | Manage all payment page scripts that are loaded and executed in the consumer’s browser. | x | | | x |
| **PCI DSS Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know** | | | | | |
| 7.1.2 | Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood. | x | | x | |
| 7.2.4 | Review all user accounts and related access privileges appropriately. | x | | | x |
| 7.2.5 | Assign and manage all application and system accounts and related access privileges appropriately. | x | | | x |
| 7.2.5.1 | Review all access by application and system accounts and related access privileges. | x | | | x |
| **PCI DSS Requirement 8: Identify Users and Authenticate Access to System Components** | | | | | |
| 8.1.2 | Roles and responsibilities for performing activities in Requirement 8 are documented, assigned, and understood. | x | | x | |
| 8.3.6 | Minimum level of complexity for passwords when used as an authentication factor. | x | | | x |
| 8.3.10.1 | If passwords/passphrases are the only authentication factor for customer user access, passwords/passphrases are changed at least every 90 days or the security posture of accounts is dynamically analyzed to determine real-time access to resources. | x | | x | |
| 8.4.2 | Multi-factor authentication for all access into the CDE. | x | | | x |
| 8.5.1 | Multi-factor authentication systems are implemented appropriately. | x | | | x |
| 8.6.1 | Manage interactive login for accounts used by systems or applications. | x | | | x |
| 8.6.2 | Passwords/passphrases used for interactive login for application and system accounts are protected against misuse. | x | | | x |
| 8.6.3 | Passwords/passphrases for any application and system accounts are protected against misuse. | x | | | x |
| **PCI DSS Requirement 9: Restrict Physical Access to Cardholder Data** | | | | | |
| 9.1.2 | Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood. | x | | x | |
| 9.5.1.2.1 | A targeted risk analysis is performed to determine frequency of periodic POI device inspections. | x | | | x |
| **PCI DSS Requirement 10: Log and Monitor All Access to System Components and Cardholder Data** | | | | | |
| 10.1.2 | Roles and responsibilities for performing activities in Requirement 10 are documented, assigned, and understood. | x | | x | |
| 10.4.1.1 | Audit log reviews are automated. | x | | | x |
| 10.4.2.1 | A targeted risk analysis is performed to determine frequency of log reviews for all other system components. | x | | | x |
| 10.7.2 | Failures of critical security control systems are detected, alerted, and addressed promptly. | x | | | x |
| 10.7.3 | Failures of critical security control systems are responded to promptly. | x | | | |
| **PCI DSS Requirement 11: Test Security of Systems and Networks Regularly** | | | | | |
| 11.1.2 | Roles and responsibilities for performing activities in Requirement 11 are documented, assigned, and understood. | x | | x | |
| 11.3.1.1 | Manage all other applicable vulnerabilities (those not ranked as high-risk or critical). | x | | | x |
| 11.3.1.2 | Internal vulnerability scans are performed via authenticated scanning. | x | | | x |
| 11.4.7 | Multi-tenant service providers support their customers for external penetration testing. | x | | x | |
| 11.5.1.1 | Intrusion-detection and/or intrusion-prevention techniques detect, alert on and/or prevent, and address covert malware communication channels. | x | | x | |
| 11.6.1 | A change-and-tamper-detection mechanism is deployed for payment pages. | x | | | x |
| **PCI DSS Requirement 12: Support Information Security with Organizational Policies and Programs** | | | | | |
| 12.3.1 | A targeted risk analysis is documented to support each PCI DSS requirement that provides flexibility for how frequently it is performed. | x | | | x |
| 12.3.2 | A targeted risk analysis is performed for each PCI DSS requirement that is met with the customized approach. | x | | x | |
| 12.3.3 | Cryptographic cipher suites and protocols in use are documented and reviewed. | x | | | x |
| 12.3.4 | Hardware and software technologies are reviewed. | x | | | x |
| 12.5.2 | PCI DSS scope is documented and confirmed at least once every 12 months. | x | | x | |
| 12.5.2.1 | PCI DSS scope is documented and confirmed at least once every six months and upon significant changes. | x | | x | |
| 12.5.3 | The impact of significant organizational changes on PCI DSS scope is documented and reviewed and results are communicated to executive management. | x | | x | |
| 12.6.2 | Security awareness training includes awareness of threats that could impact the security of the CDE, to include phishing and related attacks and social engineering. | x | | x | |
| 12.6.3.1 | Security awareness training includes awareness about acceptable use of end-user technologies. | x | | | x |
| 12.6.3.2 | Security awareness training includes awareness about acceptable use of end-user technologies. | x | | | x |
| 12.9.2 | TPSPs support customers’ requests to provide PCI DSS compliance status and information about PCI DSS requirements that are the responsibility of the TPSP. | x | | x | |
| 12.10.4.1 | A targeted risk analysis is performed to determine frequency of periodic training for incident response personnel. | x | | | x |
| 12.10.5 | The security incident response plan includes alerts from the change- and tamper-detection mechanism for payment pages. | x | | | x |
| 12.10.7 | Incident response procedures are in place and initiated upon detection of PAN. | x | | | x |
| **Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers** | | | | | |
| A1.1.1 | The multi-tenant service provider confirms access to and from customer environments is logically separated to prevent unauthorized access. | x | | x | |
| A1.1.4 | The multi-tenant service provider confirms effectiveness of logical separation controls used to separate customer environments at least once every six months via penetration testing. | x | | x | |
| A1.2.3 | The multi-tenant service provider implements processes or mechanisms for reporting and addressing suspected or confirmed security incidents and vulnerabilities. | x | | x | |
| **Appendix A3: Designated Entities Supplemental Validation (DESV)** | | | | | |
| A3.3.1 | Failures of the following are detected, alerted, and reported in a timely manner: automated log review mechanisms; automated code review tools. | x | | | x |
| **Totals** | | 53 | 11 | 13 | 51 |
| **Grand Total:** | **64** | | | | |