Policy Explainer

Explainer: Payment Card Industry Data Security Standard v.4.0

The latest version of the Payment Card Industry Data Security Standard (PCI DSS) was announced last March, with full compliance required by March 31, 2025. Organizations looking to shore up their security to meet the new standard should be evaluating solutions now and into early next year to best prepare for the changes.

We are here today to explain the most salient of those changes.


Context

The previous version of the PCI DSS was released in April 2016 in a very different cybersecurity environment. The new standard addresses exponentially growing cybercrime, specifically attacks delivered through phishing campaigns and skimming.

Version 4.0 was created by the Payment Card Council, an international governing body founded by Mastercard, Visa, American Express, and JCB, after three separate request-for-comment periods to ensure industry buy-in and support.

Goals

  • Keep up with changes in the industry
  • Add flexibility
  • Encourage continuous cybersecurity improvement
  • Enhance validation methods and procedures

Major Changes

  1. Addition of the Customized Approach
    1. In order to add flexibility to the PCI DSS, the new version allows for a customized approach to compliance in addition to the traditional approach.
      1. The traditional approach requires entities to implement specific controls that an assessor validates following a defined validation procedure.
        1. This approach suits entities that need a clear pathway to compliance and do not yet have a mature security program.
      2. The customized approach allows organizations to deploy controls that fit the goal of each requirement. There is no defined validation procedure; assessors work with organizations to develop appropriate tests.
        1. This approach lets organizations adopt new technology that adapts to the most current threats in the space.
        2. This approach is appropriate for entities with mature security programs.
    2. The addition of the customized approach does not interfere with the existing compensating-control option, which allows an entity to deploy a control outside of the traditional approach when it cannot meet a requirement because of a documented technology or business constraint.
  2. Stronger authentication requirements
    1. Passwords
      1. Minimum password length increases from 7 characters to 12 characters.
      2. Passwords must be changed every 90 days.
      3. Both requirements become non-applicable if the entity uses multi-factor authentication (MFA), which is the most highly recommended method.
    2. Group/shared accounts
      1. In the spirit of adding flexibility, the newest version repeals the prohibition on group and shared accounts. Instead, these accounts are permitted as long as they are managed.
    3. Targeted risk analysis
      1. Version 4.0 allows flexibility in the frequency of targeted risk analysis. Instead of prescribing a frequency, entities decide what frequency makes sense for their organization.
  3. Threat response
    1. In response to the most prevalent threats seen in this industry, PCI DSS v4.0 prescribes specific guidance for handling them:
      1. Phishing
        1. Requirements for processes and automation to protect against phishing attacks
        2. Required security awareness training
      2. Skimming
        1. Merchants must manage all payment scripts.
        2. Merchants must deploy mechanisms that detect indicators of skimming activity in consumers' browsers.
  4. Reporting requirements
    1. In the new version, compliance reporting is based more heavily on evidence rather than solely on self-assessment.
    2. During the reporting process, remediation guidance is provided to improve security based on current status.
  5. Guidance
    1. The new standard clearly assigns roles and responsibilities for different security tasks.
    2. Guidance is given for implementing and maintaining the organization’s program.
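One way a merchant could implement the script management and tamper detection described under Skimming above, as an added example that is not from the original explainer or from the PCI council: a server-side audit that compares the scripts on a served payment page against an authorized inventory (URL plus SHA-256 of approved content, with inline bodies hashed too) and flags anything unknown or altered. The page HTML, script contents and URLs are constructed samples, and fetching is simulated with a dictionary.

```python
import hashlib
from html.parser import HTMLParser
def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

class ScriptCollector(HTMLParser):
    """Collects external script srcs and inline script bodies from page HTML."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []  # start capturing an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def audit_payment_page(html, served, inventory):
    """Flag scripts missing from inventory ({url: approved sha256, plus "inline:<sha256>"
    keys for approved inline bodies}) or whose served content ({url: text}) changed."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        if src not in inventory:
            findings.append(("unauthorized", src))
        elif sha256_hex(served.get(src, "")) != inventory[src]:
            findings.append(("modified", src))
    for body in p.inline:
        if "inline:" + sha256_hex(body) not in inventory:
            findings.append(("unauthorized_inline", body[:40]))
    return findings

# Constructed sample: approved scripts, then the page as served, on which an unknown
# third-party script has appeared and checkout.js no longer matches its approved hash.
CHECKOUT_JS = "function pay(f){return fetch('/api/pay',{method:'POST',body:new FormData(f)});}"
INIT_JS = "document.getElementById('pay').addEventListener('submit', pay);"
INVENTORY = {"https://pay.example.com/js/checkout.js": sha256_hex(CHECKOUT_JS), "inline:" + sha256_hex(INIT_JS): "approved"}
SERVED_PAGE = """<html><body><form id="pay"></form>
<script src="https://pay.example.com/js/checkout.js"></script><script src="https://static.unknown-cdn.example/tag.js"></script>
<script>document.getElementById('pay').addEventListener('submit', pay);</script></body></html>"""
SERVED_SCRIPTS = {"https://pay.example.com/js/checkout.js": CHECKOUT_JS + ";var t=1;"}
```

Run periodically against the live payment page (and on every deployment), each finding is an alert for review; an empty list means every script present is in the inventory and unchanged.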

If you have any questions about how to prepare your organization for the newest version of the PCI DSS, we would love to chat.