What Changed in PCI DSS 4.0
PCI DSS 4.0 was published on March 31, 2022. Version 3.2.1 was retired two years later, on March 31, 2024, and the new requirements that 4.0 designated as future-dated best practices became mandatory on March 31, 2025 (4.0 added 64 new requirements in total; 13 applied immediately to any v4.0 assessment and the remaining 51 were future-dated). Despite this three-year runway, assessment findings in early 2025 indicate that a significant portion of organizations subject to the standard have not completed remediation of the new requirements, particularly the 51 that were future-dated until March 2025.
The Most Significant New Requirements
Targeted Risk Analysis for Customized Implementations
Version 4.0 introduces a second way to meet a requirement, the customized approach, which allows an organization to meet the stated security objective of a requirement with controls of its own design rather than the prescriptive control of the defined approach. To use it, the organization must perform and document a targeted risk analysis (Requirement 12.3.2) for each customized control and maintain a controls matrix showing how the control meets the objective; the assessor then derives testing procedures from that evidence rather than from the standard's own. This is significantly more demanding than checking a box against a prescribed control, and the burden of producing the analysis sits with the entity, not the assessor.
Multi-Factor Authentication for All CDE Access
PCI DSS 4.0 expands the MFA requirement beyond remote access and non-console administrative access (Requirement 8.4.1, carried over from 3.2.1) to all access into the cardholder data environment (Requirement 8.4.2), including access from within the organization's own network. This closes the gap that let an attacker who had already gained a foothold and a set of internal credentials reach the CDE without a second factor, a path that needs no software vulnerability at all. Application and system accounts performing automated functions are outside the scope of 8.4.2, which is why service accounts must be inventoried and controlled separately rather than simply excluded.
Enhanced Password and Authentication Requirements
Requirement 8 has been substantially updated. Passwords and passphrases must now be at least 12 characters long and contain both letters and numbers (8.3.6; 8 characters only where a system cannot support 12), and a password that is the sole authentication factor for a user must still be changed at least every 90 days unless the account's security posture is dynamically analyzed (8.3.9). Passwords for application and system accounts must be changed on a frequency set by the entity's targeted risk analysis and have complexity appropriate to that frequency (8.6.3). Inactive user accounts must be removed or disabled within 90 days of inactivity (8.2.6). These requirements apply to accounts on any system component in the CDE scope.
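The following script is an added example, not part of this article or of any PCI SSC material. It runs a constructed identity-store export against the Requirement 8 controls described above (90-day inactivity, the 12-character alphanumeric policy, MFA for access into the CDE, 90-day rotation of sole-factor passwords) plus the 8.6.1 rule that system accounts should not permit interactive login without a documented exception. The record layout, the zone of "CDE access" as a boolean, and the sample data are all assumptions about how such an export would be shaped.

```python
"""PCI DSS 4.0 Requirement 8 account audit over a constructed identity export.

Added example, not part of the article or of any PCI SSC material. The record
layout (username, kind, enabled, created, last_login, password_set,
mfa_enrolled, cde_access, interactive_login) is an assumed generic export
shape; adapt the loader to your directory or IdP.
"""
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=90)   # 8.2.6: inactive user accounts disabled within 90 days
PASSWORD_MAX_AGE = timedelta(days=90)   # 8.3.9: rotate passwords that are the sole factor
MIN_PASSWORD_LENGTH = 12                # 8.3.6: 12+ characters (8 only if the system cannot do 12)


def _ts(s):
    """ISO-8601 string -> aware UTC datetime; None passes through (never logged in)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc) if s else None


def audit_password_policy(policy):
    """Check the directory-wide password policy against 8.3.6."""
    findings = []
    if policy["min_length"] < MIN_PASSWORD_LENGTH:
        findings.append(("<policy>", "8.3.6",
                         f"minimum length {policy['min_length']}, need {MIN_PASSWORD_LENGTH}"))
    if not (policy["require_alpha"] and policy["require_numeric"]):
        findings.append(("<policy>", "8.3.6", "policy must require both letters and numbers"))
    return findings


def audit_accounts(accounts, now):
    """Return (username, requirement, detail) findings for enabled accounts."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue                                  # already disabled: nothing to flag
        name = a["username"]
        if a["kind"] == "user":
            # Never-logged-in accounts age from creation, so a stale provisioned-
            # but-unused account is caught rather than skipped.
            last_activity = _ts(a["last_login"]) or _ts(a["created"])
            if now - last_activity > INACTIVITY_LIMIT:
                findings.append((name, "8.2.6", f"no activity since {last_activity.date()}"))
            if a["cde_access"] and not a["mfa_enrolled"]:
                findings.append((name, "8.4.2", "access into the CDE without MFA"))
            if not a["mfa_enrolled"]:                 # password is the sole factor
                pw_age = now - _ts(a["password_set"])
                if pw_age > PASSWORD_MAX_AGE:
                    findings.append((name, "8.3.9",
                                     f"password {pw_age.days} days old, no second factor"))
        elif a.get("interactive_login"):
            # System/application accounts: 8.4.2 exempts automated use, but 8.6.1
            # wants interactive login prevented or covered by a documented exception.
            findings.append((name, "8.6.1", "system account permits interactive login"))
    return findings


# Constructed sample export (not real data), one record per branch of interest.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_POLICY = {"min_length": 8, "require_alpha": True, "require_numeric": False}
SAMPLE_ACCOUNTS = [
    {"username": "alice", "kind": "user", "enabled": True, "created": "2024-01-10T09:00:00",
     "last_login": "2025-05-30T08:12:00", "password_set": "2024-11-01T00:00:00",
     "mfa_enrolled": True, "cde_access": True},                      # clean
    {"username": "bob", "kind": "user", "enabled": True, "created": "2024-01-10T09:00:00",
     "last_login": "2025-05-29T17:40:00", "password_set": "2025-01-15T00:00:00",
     "mfa_enrolled": False, "cde_access": True},                     # 8.4.2 and 8.3.9
    {"username": "carol", "kind": "user", "enabled": True, "created": "2024-06-01T09:00:00",
     "last_login": "2025-01-20T10:00:00", "password_set": "2025-05-20T00:00:00",
     "mfa_enrolled": True, "cde_access": False},                     # 8.2.6
    {"username": "erin", "kind": "user", "enabled": True, "created": "2025-01-05T00:00:00",
     "last_login": None, "password_set": "2025-01-05T00:00:00",
     "mfa_enrolled": True, "cde_access": False},                     # 8.2.6 (never used)
    {"username": "svc-batch", "kind": "service", "enabled": True, "created": "2023-02-01T00:00:00",
     "last_login": None, "password_set": "2023-02-01T00:00:00",
     "mfa_enrolled": False, "cde_access": True, "interactive_login": True},   # 8.6.1
    {"username": "dave", "kind": "user", "enabled": False, "created": "2022-01-01T00:00:00",
     "last_login": "2022-03-01T00:00:00", "password_set": "2022-01-01T00:00:00",
     "mfa_enrolled": False, "cde_access": True},                     # disabled: skipped
]

if __name__ == "__main__":
    for f in audit_password_policy(SAMPLE_POLICY) + audit_accounts(SAMPLE_ACCOUNTS, NOW):
        print("%-10s Req %-6s %s" % f)
```

Run it as is to see the findings for the sample export; point the loader at a real export (CSV from your directory, an IdP user list) to get a gap list keyed by requirement number, which is the shape a QSA will ask for.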
MFA Implementation Requirements for Administrative and Remote Access
PCI DSS 4.0 does not mandate phishing-resistant authenticators, but it does constrain how MFA must be implemented. Requirement 8.4.1 (carried over from 3.2.1) requires MFA for all non-console administrative access into the CDE and 8.4.3 requires it for all remote network access originating from outside the entity's network, while the new Requirement 8.5.1 requires that the MFA system is not susceptible to replay attacks, cannot be bypassed by any user, administrators included, except under a documented, management-authorized exception for a limited time, uses at least two different types of factors, and grants access only after all factors have succeeded. For organizations that rely on push-based MFA with standing bypass groups or permanent break-glass paths for administrators, the 8.5.1 bypass and replay conditions are among the more operationally demanding of the new requirements.
Network Security Controls Documentation
Version 4.0 replaces "firewalls and routers" with the broader term network security controls (NSCs), which pulls cloud security groups, virtual firewalls and host-based filtering into scope alongside perimeter devices. Requirement 1.2.5 requires every service, protocol and port allowed through an NSC to be identified, approved and tied to a defined business need; 1.2.6 requires documented security features for any insecure service still permitted; and 1.2.7 requires NSC configurations to be reviewed at least once every six months. For organizations that treated the rule-set review as a point-in-time exercise on the perimeter firewalls under version 3.2.1, this becomes an ongoing inventory obligation covering every NSC in scope.
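As an added example (not the article's or the PCI SSC's code), the following audit runs a constructed rule inventory against the Requirement 1 points above: business need and owner per allowed service (1.2.5), insecure services without documented security features (1.2.6), review age (1.2.7) and unrestricted inbound access into the CDE (1.3.1). The inventory shape, the CDE zone labels, the list of services treated as insecure and the per-rule `last_reviewed` field are assumptions; 1.2.7 speaks of reviewing NSC configurations, so a real export may carry one review date per device or rule base rather than per rule.

```python
"""PCI DSS 4.0 Requirement 1 review over a constructed NSC rule inventory.

Added example, not part of the article or of any PCI SSC material. The
inventory shape, the CDE zone names, the insecure-service list and the
per-rule last_reviewed date are assumptions about how an export might look.
"""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=183)   # 1.2.7: NSC configurations reviewed at least every six months
CDE_ZONES = {"cde-db", "cde-app", "cde-web", "cde-legacy"}   # assumed zone labels for the CDE
# 1.2.6: services commonly treated as insecure; allowed only with documented security features.
INSECURE_SERVICES = {("tcp", 21): "ftp", ("tcp", 23): "telnet", ("tcp", 513): "rlogin",
                     ("tcp", 514): "rsh", ("udp", 69): "tftp"}


def audit_rules(rules, today):
    """Return (rule_id, requirement, detail) findings for every allow rule."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue                                  # explicit denies need no business need
        rid, key = r["id"], (r["proto"], r["dport"])
        if not r.get("justification") or not r.get("owner"):
            findings.append((rid, "1.2.5", "no documented business need or approving owner"))
        if r["proto"] == "any" or r["dport"] == "any":
            findings.append((rid, "1.2.5", "service/protocol/port not identified (any)"))
        if key in INSECURE_SERVICES and not r.get("security_features"):
            findings.append((rid, "1.2.6",
                             f"{INSECURE_SERVICES[key]} allowed without documented security features"))
        if r["dst_zone"] in CDE_ZONES and r["src"] == "any" and r["dport"] == "any":
            findings.append((rid, "1.3.1", "unrestricted inbound access into the CDE"))
        age = today - date.fromisoformat(r["last_reviewed"])
        if age > REVIEW_INTERVAL:
            findings.append((rid, "1.2.7", f"last reviewed {age.days} days ago"))
    return findings


def group_by_rule(findings):
    """Collapse findings into {rule_id: [requirements]} for a quick gap view."""
    out = {}
    for rid, req, _ in findings:
        out.setdefault(rid, []).append(req)
    return out


# Constructed sample inventory (not a real rule base), one rule per check of interest.
TODAY = date(2025, 6, 1)
SAMPLE_RULES = [
    {"id": "fw-101", "action": "allow", "src": "10.20.0.0/24", "dst_zone": "cde-db",
     "proto": "tcp", "dport": 5432, "justification": "payment app to card database",
     "owner": "payments-team", "last_reviewed": "2025-04-01"},                 # clean
    {"id": "fw-102", "action": "allow", "src": "any", "dst_zone": "cde-db",
     "proto": "any", "dport": "any", "justification": "admin convenience",
     "owner": "netops", "last_reviewed": "2025-04-01"},                        # 1.2.5, 1.3.1
    {"id": "fw-103", "action": "allow", "src": "10.20.0.0/24", "dst_zone": "cde-legacy",
     "proto": "tcp", "dport": 23, "justification": "legacy terminal access",
     "owner": "ops", "last_reviewed": "2025-04-01"},                           # 1.2.6
    {"id": "fw-104", "action": "allow", "src": "10.40.0.0/16", "dst_zone": "cde-app",
     "proto": "tcp", "dport": 8443, "justification": "", "owner": "",
     "last_reviewed": "2025-04-01"},                                           # 1.2.5
    {"id": "fw-105", "action": "allow", "src": "10.20.0.0/24", "dst_zone": "cde-web",
     "proto": "tcp", "dport": 443, "justification": "checkout front end",
     "owner": "web-team", "last_reviewed": "2024-10-01"},                      # 1.2.7
    {"id": "fw-106", "action": "deny", "src": "any", "dst_zone": "any",
     "proto": "any", "dport": "any", "justification": "default deny",
     "owner": "netops", "last_reviewed": "2025-04-01"},                        # skipped
]

if __name__ == "__main__":
    for rid, reqs in group_by_rule(audit_rules(SAMPLE_RULES, TODAY)).items():
        print(f"{rid}: {', '.join(reqs)}")
```

The deny rule is skipped deliberately: a default deny needs no business justification, and flagging it would bury the real gaps. Feed the function an export from each NSC type in scope (perimeter firewall, cloud security groups, host filters) rather than only the perimeter to match the broader 4.0 definition.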
PCI DSS 3.2.1 was retired on March 31, 2024; assessments since then are against version 4.0 or, because 4.0 itself was retired at the end of 2024, the 4.0.1 errata release published in June 2024. A Report on Compliance that marked the future-dated requirements as not yet applicable was acceptable only for assessments completed before March 31, 2025; from the next scheduled assessment onward every requirement, including the 51 formerly future-dated ones, must be demonstrated.
Prioritizing Remediation Efforts
Organizations that have not completed PCI DSS 4.0 remediation should prioritize based on the risk profile of the specific gaps. The expanded MFA requirement and the tightened authentication requirements for administrative access represent the highest operational risk if not addressed, because they close credential-only paths into the CDE that an attacker can use without any software vulnerability. Documentation and risk analysis requirements, while necessary for compliance, represent lower immediate security risk and can be addressed in parallel with technical remediation.
- Implement MFA for all CDE access immediately, including internal network access
- Audit user and service accounts against the new length, complexity, rotation and 90-day inactivity requirements
- Build or update your network security control inventory and business justification documentation
- Engage your QSA early to understand which customized approach options are available to your organization
- Document your targeted risk analysis processes before your next scheduled assessment