PCI-DSS 4.0: Key Changes and What They Mean for Your Organization
Analysis of the major changes in PCI-DSS 4.0, effective March 31, 2024, and an action plan to update your compliance program.
PCI-DSS v3.2.1 was officially retired on March 31, 2024.
All assessments must now be conducted under PCI-DSS v4.0. Some requirements have a transition period until March 31, 2025.
The 5 most impactful changes
Cardholder data protection
Obsolete encryption methods (DES, 3DES) must be replaced. Cryptographic keys must have a defined and documented lifecycle.
System and software security
Introduction of the Software Security Framework concept, which takes a more flexible but also more rigorous approach to application security. Penetration tests must cover APIs.
Authentication and access control
Multi-factor authentication (MFA) is now mandatory for ALL access to the Cardholder Data Environment (CDE), not just remote access.
Logging and monitoring
Automated detection of logging mechanism failures. Logs must be protected against unauthorized modification with tamper detection.
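The two obligations above (detect when logging stops, detect when stored logs are altered) are illustrated below with an added example that is not part of the original article: each record carries an HMAC over its own fields plus the previous record's tag, so any edit, deletion or reordering breaks the chain, and a verifier also reports missing sequence numbers or silences longer than a threshold. The key, the 15-minute silence threshold and the sample events are constructed assumptions, not values from the standard.

```python
import hmac
import hashlib
import json
from datetime import datetime, timedelta

# Assumed key for the example. In a real deployment it lives in an HSM or
# secrets manager that the people who can write to the log store cannot read.
LOG_KEY = b"example-log-integrity-key"

GENESIS_TAG = "0" * 64  # tag assumed for the record before the first one


def seal_record(prev_tag: str, seq: int, ts: str, message: str) -> dict:
    """Build one record whose tag covers its own fields and the previous tag.

    Chaining on prev_tag means altering, deleting or reordering any earlier
    record changes the expected tag of every record that follows it.
    """
    body = json.dumps({"seq": seq, "ts": ts, "msg": message}, sort_keys=True)
    tag = hmac.new(LOG_KEY, (prev_tag + body).encode(), hashlib.sha256).hexdigest()
    return {"seq": seq, "ts": ts, "msg": message, "prev": prev_tag, "tag": tag}


def write_chain(events):
    """events: iterable of (iso_timestamp, message). Returns the sealed log."""
    records, prev = [], GENESIS_TAG
    for seq, (ts, msg) in enumerate(events, start=1):
        rec = seal_record(prev, seq, ts, msg)
        records.append(rec)
        prev = rec["tag"]
    return records


def verify_chain(records, max_gap=timedelta(minutes=15)):
    """Return a list of (kind, seq) findings; an empty list means intact and complete.

    'tamper': a record's tag or prev pointer does not match the chain so far.
    'gap':    a sequence number is missing, or the time since the previous record
              exceeds max_gap (assumed threshold), i.e. logging may have stopped.
    """
    findings = []
    prev_tag, prev_seq, prev_ts = GENESIS_TAG, 0, None
    for rec in records:
        expected = seal_record(prev_tag, rec["seq"], rec["ts"], rec["msg"])["tag"]
        if not hmac.compare_digest(expected, rec["tag"]) or rec["prev"] != prev_tag:
            findings.append(("tamper", rec["seq"]))
        if rec["seq"] != prev_seq + 1:
            findings.append(("gap", rec["seq"]))
        ts = datetime.fromisoformat(rec["ts"])
        if prev_ts is not None and ts - prev_ts > max_gap:
            findings.append(("gap", rec["seq"]))
        prev_tag, prev_seq, prev_ts = rec["tag"], rec["seq"], ts
    return findings


# Constructed sample events; not taken from any real system.
SAMPLE_EVENTS = [
    ("2024-04-01T09:00:00+00:00", "admin login ok user=ops1 src=10.0.0.5"),
    ("2024-04-01T09:05:00+00:00", "config change firewall rule 42"),
    ("2024-04-01T09:07:00+00:00", "admin logout user=ops1"),
]


def demo():
    """Seal the sample log, then show what an edit and a deletion look like."""
    log = write_chain(SAMPLE_EVENTS)
    clean = verify_chain(log)
    edited = [dict(r) for r in log]
    edited[1]["msg"] = "config change firewall rule 42 (approved)"  # after-the-fact edit
    after_edit = verify_chain(edited)
    after_delete = verify_chain([log[0], log[2]])  # record 2 removed
    return clean, after_edit, after_delete


if __name__ == "__main__":
    for label, result in zip(("intact", "edited", "deleted"), demo()):
        print(label, result or "no findings")
```

Running `demo()` reports nothing for the untouched log, a single `tamper` at record 2 for the edit, and both `tamper` and `gap` at record 3 for the deletion; the key never leaves the verifier, so whoever can rewrite the log store still cannot produce a valid tag.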
Policies and risk management
Risk assessment must be conducted at least annually AND upon any significant change. Third-party risk management requirements are strengthened.
Recommended action plan
Conduct a PCI-DSS v4.0 gap analysis against your current state
Identify best practice requirements becoming mandatory in March 2025
Prioritize MFA deployment for all CDE access
Update your cryptographic algorithm inventory
Revise your vendor contracts (strengthened third-party requirements)
Plan penetration testing covering APIs
Document your annual risk assessment process
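Two items above, replacing obsolete algorithms such as DES and 3DES (under "Cardholder data protection") and updating the cryptographic algorithm inventory, come together in the following added example, which is not part of the original article or of CapGRC. It walks a constructed key inventory and flags retired algorithms, keys past their documented cryptoperiod, keys approaching it, and keys with no documented lifetime at all. The algorithm list, the RSA minimum, the 90% "due soon" threshold and the sample records are assumptions drawn from common key-management policy, not from the standard text.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# DES and 3DES are named as obsolete on the page; the rest are assumed
# additions from a typical cryptographic policy. Extend from your own.
RETIRED_ALGORITHMS = {"DES", "3DES", "TDEA", "RC4", "MD5", "SHA1"}
MIN_RSA_BITS = 2048          # assumed policy minimum
DUE_SOON_FRACTION = 0.9      # warn once 90% of the cryptoperiod has elapsed


@dataclass
class KeyRecord:
    system: str
    purpose: str
    algorithm: str
    key_bits: int
    created: date
    cryptoperiod_days: Optional[int]   # documented lifetime; None = not documented
    owner: str


def assess(inventory, today: date):
    """Return one finding dict per problem: {'system', 'finding', 'detail'}."""
    findings = []
    for k in inventory:
        alg = k.algorithm.upper()
        if alg in RETIRED_ALGORITHMS:
            findings.append({"system": k.system, "finding": "retired-algorithm",
                             "detail": f"{k.algorithm} must be replaced"})
        if alg == "RSA" and k.key_bits < MIN_RSA_BITS:
            findings.append({"system": k.system, "finding": "weak-key-size",
                             "detail": f"RSA-{k.key_bits} below {MIN_RSA_BITS}"})
        if k.cryptoperiod_days is None:
            findings.append({"system": k.system, "finding": "no-documented-cryptoperiod",
                             "detail": "key lifecycle is not defined"})
        else:
            in_use = (today - k.created).days
            if in_use > k.cryptoperiod_days:
                findings.append({"system": k.system, "finding": "key-past-cryptoperiod",
                                 "detail": f"in use {in_use}d, limit {k.cryptoperiod_days}d"})
            elif in_use > DUE_SOON_FRACTION * k.cryptoperiod_days:
                findings.append({"system": k.system, "finding": "rotation-due-soon",
                                 "detail": f"in use {in_use}d of {k.cryptoperiod_days}d"})
        if not k.owner.strip():
            findings.append({"system": k.system, "finding": "no-owner",
                             "detail": "no accountable owner recorded"})
    return findings


# Constructed inventory for illustration; system names and dates are invented.
SAMPLE_INVENTORY = [
    KeyRecord("pos-gateway", "PAN encryption", "3DES", 168, date(2019, 6, 1), 365, "payments"),
    KeyRecord("token-vault", "PAN tokenization", "AES", 256, date(2023, 11, 1), 365, "payments"),
    KeyRecord("tls-edge", "TLS server key", "RSA", 2048, date(2023, 5, 1), None, "platform"),
    KeyRecord("legacy-batch", "file encryption", "AES", 128, date(2023, 4, 20), 365, ""),
]


def report(today: date = date(2024, 4, 1)):
    """Assess the sample inventory as of the assessment date (assumed)."""
    return assess(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for f in report():
        print(f"{f['system']:<14} {f['finding']:<26} {f['detail']}")
```

Run against a real inventory, the `retired-algorithm` rows drive the replacement plan, the cryptoperiod rows feed the rotation calendar, and the `no-documented-cryptoperiod` and `no-owner` rows are the documentation gaps an assessor will ask about first.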
Manage your PCI-DSS compliance in CapGRC
Pre-configured PCI-DSS framework, automated gap analysis and integrated corrective action plan tracking.
