What is PCI DSS v4.0?


19 Apr 2022

Over the next several months, the security experts at Eckoh will be diving into the new Payment Card Industry Data Security Standards (PCI DSS) released by the PCI Security Standards Council (PCI SSC). Here's a brief overview of the new standard.

What is PCI DSS v4.0

What are the goals of the new standard?

So much has changed since PCI Data Security Standard (PCI DSS) v3.2.1 was published in June of 2018. Technology has evolved and organizations are adopting cloud platforms to transmit and store cardholder data more than ever. In addition to the natural development of tech, the pandemic altered consumer behaviors and, in turn, the payment landscape.

E-commerce sales have risen roughly 30 percent compared to pre-Covid levels.1

Where consumers go, you can guarantee fraud will follow close behind. Attackers are becoming savvier and more aggressive about accessing sensitive consumer data and card-not-present fraud is estimated to be about $30 billion globally in 2021.

PCI v4.0 aims to set a standard for the payment industry that addresses all of these challenges. While continuing to meet security needs for payments, the following goals are at the heart of the new standard:

  • Promote security as a continuous process
  • Add flexibility for different methodologies
  • Enhance validation methods

What does the transition period look like?

Version 4.0 has been developed with great consideration over the past years and the PCI SSC did so with extensive global industry collaboration. There were three separate requests for comments on the content of the new standard where over 200 companies provided feedback. The SSC worked through over 6,000 individual pieces of feedback to establish the new standard.

Now that 4.0 is here, there will be some additional transitory milestones before it is fully implemented. The transition period from v.3.2.1 to v4.0 Is approximately two years with v3.2.1 retiring on March 31, 2024. Transitional training for assessors will begin in 2023, both v3.2.1 and v4.0 requirements will be active during the interim.

During this transitional phase, the PCI SSC will be working diligently to update all resources on their website, so FAQs and documents clearly state what is applicable to v3.2.1 and v4.0.

PCI 4.0 Implementation Timeline 1

A high-level view of the changes.

There are 64 total new requirements. (13 are in immediate effect to v4.0 audits and 51 are future-dated for March 2025.) The primary focus of these new requirements is to drive improvements in process and people, provide clarification on the allocation of Roles and Responsibilities, improve targeted risk analysis and bring heightened attention to awareness and training.

Across the standard 12 high-level PCI requirements, the addition of new requirements in each section are:

Requirement New Requirements
1. Install and maintain network security controls. 0
2. Apply secure configurations to all system components. 1
3. Protect stored account data. 8
4. Protect cardholder data with strong cryptography during transmission over open, public networks. Maintain a vulnerability management program. 3
5. Protect all systems and networks from malicious software. 5
6. Develop and maintain secure systems and software. Implement strong access control measures. 4
7. Restrict access to system components and cardholder data by business need to know. 4
8. Identify users and authenticate access to system components. 8
9. Restrict physical access to cardholder data. Regularly monitor and test networks. 2
10. Log and monitor all access to system components and cardholder data. 5
11. Test security of systems and networks regularly. Maintain an Information Security Policy. 6
12. Support information security with organizational policies and programs. 14
Appendices 4

Stay tuned to this series as we continue to analyze the new PCI DSS standard and take a deep dive into the changes and what they mean for your organization. Is there a particular topic that you want the security experts at Eckoh to discuss? Contact us at insight@eckoh.com to share your burning questions about v4.0.

Eckoh future-proofs contact centers for any new standard.

If there's one constant, it's that technology never stops evolving. As a consequence, the security standards for the payment industry must also continue to expand. At Eckoh, we design our solutions for security on a holistic level and not just to meet the PCI DSS requirements - although we do that as well. Extending beyond the requirements of the standards results in robust solutions that are future-proof, no matter where the moving target of PCI DSS may go.

Whether your contact center accepts card-not-present payments via IVR, phone-based agents, chat agents, chatbots, social channels or on the web, Eckoh has your back. That's why leading organizations around the world trust us to protect their customers' data - now and in the future.

Learn more about how Eckoh can help your team protect your customers and, ultimately, protect your most valuable asset - your brand - at eckoh.com.


1. McKinsey & Company

Get in Touch

Contact us today, our security experts can help your organization navigate PCI DSS v4.0.

Contact US 1