Learning Center June 19, 2025 Reading Time: 6 minutes

What Are the Key Steps to Achieve PCI DSS 4.0 Compliance?

PCI DSS 4.0: What Changed and Why It Matters

The Payment Card Industry Data Security Standard (PCI DSS) sets the baseline for how organizations protect cardholder data. Version 4.0, whose major updates took effect as of March 2025, represents a significant shift in how businesses implement, assess, and maintain security, particularly as payment systems become increasingly cloud-based and distributed.

With new updates in 2025, organizations must understand the new requirements and adjust security practices to remain compliant.

Who Must Comply With PCI DSS?

PCI DSS applies to any organization that stores, processes, or transmits cardholder data. This can include:

  • Retailers and e-commerce businesses
  • Payment gateways and processors
  • Cloud service providers hosting payment environments
  • Financial institutions and third-party vendors supporting payment systems

Compliance obligations vary based on transaction volume.

Key Changes Introduced in PCI DSS 4.0

PCI DSS 4.0 builds on version 3.2.1 but introduces a more flexible and dynamic approach with over 50 updates, the first major revision of the standard in over a decade. Notable changes include:

  • Customized Approaches: Organizations can implement alternative controls if they meet the intent of the original requirement
  • Mandatory Multi-Factor Authentication (MFA): Required for all users accessing the cardholder data environment (CDE)
  • Password Length: The minimum password length increases to 12 characters
  • Vulnerability Scans: Some e-commerce entities using Self-Assessment Questionnaire A must conduct vulnerability scans at least monthly and address all findings, including those not ranked critical
  • Expanded Logging and Monitoring: The latest version adds log requirements, including the requirement to respond promptly to failures of security control systems
  • Cryptographic Enhancements: Stronger encryption review requirements, with cipher suites and protocols reviewed at least once annually

In total, PCI DSS 4.0 introduces 64 new or revised requirements, 51 of which became active in March 2025. The latest version also adds several service provider requirements, including a requirement to document PCI DSS scope every six months and a requirement (in some cases) to change passwords every 90 days.

Step-by-Step Path to Compliance

Step 1: Determine Applicability

Confirm whether your business handles cardholder data directly or indirectly. If so, PCI DSS compliance applies. Even if cardholder data flows through a third-party system, shared responsibility models still require your attention.

Step 2: Conduct a Gap Assessment

Before making changes, assess how your existing PCI DSS 3.2.1 controls align with 4.0 and its subsequent updates. Map your current posture to the new requirements, including those that took effect in March 2025, and identify areas where:

  • Compensating controls no longer qualify
  • Access policies need to be restructured
  • Vendor environments must be reassessed
  • Other security control and basic cyber hygiene processes must be updated

Step 3: Enforce Strong Authentication and Access Controls

PCI DSS 4.0 mandates MFA for all users accessing the CDE—including third-party vendors. Additional access control requirements are included in the standard, such as password length requirements.

Integrating Identity Providers (IdPs) and Privileged Access Management (PAM) tools can help organizations meet requirements.

Step 4: Encrypt Cardholder Data

Organizations must review their cryptographic cipher suites and protocols at least once a year. For Primary Account Numbers (PAN) transmitted over open, public networks, organizations must ensure the certificates used are neither expired nor revoked.

Step 5: Improve Logging and Monitoring

Organizations should maintain diligent logs and audit current practices against benchmarks in the standard. Organizations must:

  • Automate log reviews
  • Promptly address all failures of critical security control systems, such as anti-malware solutions or IDS/IPS
  • Log all access to audit logs, since attackers tamper with audit logs to cover their tracks
  • Monitor for unauthorized access and anomalous behavior
  • Retain logs for a minimum of 12 months

Step 6: Evaluate Service Provider Risk

Third-party vendors with access to cardholder data can pose significant risk. Companies that outsource payment operations to third parties remain responsible for ensuring that those third parties protect card information.

  • Consider conducting enhanced vendor assessments and due diligence to clearly define PCI DSS responsibilities
  • Run ongoing monitoring, not just point-in-time checks
  • Third-party service providers must undergo annual PCI DSS assessments, and if they fail to do so, they must complete multiple, on-demand assessments

Step 7: Consider the Customized Approach

Organizations may choose a customized control model, which the standard acknowledges could allow more flexibility in implementation and enable organizations to innovate with security controls. However, it requires detailed documentation, testing, and targeted risk analysis. To adopt the customized approach, organizations must:

  • Document the security objective
  • Demonstrate equivalent or better risk reduction
  • Test the customized control to prove its effectiveness
  • Perform a targeted risk analysis for each customized control

The standard details several other steps required of organizations implementing the customized approach. Organizations should also document any compensating controls so the assessor can review and validate them.

Organizations may mix and match the customized and defined approaches where appropriate.

Final Thoughts

PCI DSS 4.0 marks the most significant update to PCI DSS in over a decade. It reflects the shift towards cloud infrastructure, third-party reliance, and real-time monitoring. Success hinges not just on passing assessments, but on adopting a proactive, risk-based security culture. Organizations that embrace continuous compliance and not just annual checklists will be best positioned to protect cardholder data and meet evolving regulatory demands.

SecurityScorecard can help organizations align with PCI DSS 4.0 obligations by continuously monitoring vendor risk, surfacing noncompliant configurations, and supporting validation efforts with data-driven evidence.

Tune in to a webinar discussion here to learn about important compliance measures that can help organizations safeguard sensitive data, maintain customer trust, and avoid costly penalties.

Transform Third-Party Risk into Supply Chain Resilience

With SecurityScorecard’s Supply Chain Detection and Response (SCDR), gain actionable insights into your vendors’ security postures. Our platform empowers you to make informed decisions, ensuring compliance and strengthening your supply chain’s cybersecurity.


Frequently Asked Questions

When is the PCI DSS 4.0 deadline?

The remaining PCI DSS 4.0 updates took effect on March 31, 2025; all future-dated requirements became mandatory by that deadline.

Does PCI DSS apply to SaaS vendors?

Yes, if the SaaS provider stores, processes, or transmits cardholder data—or supports systems that do.

When can my organization use the customized approach to PCI DSS?

Organizations may use the customized approach for some requirements while using the defined approach for others. The customized approach requires a greater level of documentation.
