PCI DSS 4.0
Payment Card Industry Data Security Standard
Standard Introduction
PCI DSS (Payment Card Industry Data Security Standard) is a global information security standard established by the PCI Security Standards Council (PCI SSC), founded in 2006 by major payment card brands including Visa, Mastercard, American Express, Discover, and JCB. Version 4.0, released in March 2022 and mandatory from March 31, 2024, represents the most significant update since PCI DSS 3.0. The standard applies to all entities that store, process, or transmit cardholder data, including merchants, payment processors, acquirers, issuers, and service providers. PCI DSS is organized into 12 core requirements across 6 control objectives: Build and Maintain a Secure Network, Protect Cardholder Data, Maintain a Vulnerability Management Program, Implement Strong Access Control Measures, Regularly Monitor and Test Networks, and Maintain an Information Security Policy.
PCI DSS 4.0 introduces a customized approach, which lets an organization meet a requirement's stated security objective with alternative controls (validated by the assessor against a targeted risk analysis), while retaining the traditional defined approach. Key updates include expanded authentication requirements (multi-factor authentication for all access into the cardholder data environment, not only administrative access), stronger requirements for rendering stored PANs unreadable (hashes of PAN must now be keyed), new e-commerce protections (integrity checks on payment-page scripts and change detection for payment pages), anti-phishing controls, and automated mechanisms for log review. Compliance validation depends on transaction volume: Level 1 merchants (over 6 million transactions annually) require an annual on-site assessment by a Qualified Security Assessor (QSA) and quarterly external network scans by an Approved Scanning Vendor (ASV). Levels 2-4 may complete Self-Assessment Questionnaires (SAQs), though ASV scans are still required where the applicable SAQ calls for them. Non-compliance can result in fines commonly cited in the range of $5,000 to $100,000 per month (assessed by the card brands on the acquiring bank and passed through to the merchant), increased transaction fees, and potential loss of card acceptance privileges. The transition period for the future-dated requirements in PCI DSS 4.0 ended on March 31, 2025, after which they became mandatory. Note that a limited revision, PCI DSS v4.0.1, was published in June 2024 to correct errata and clarify guidance; it does not add or remove requirements.
Cardholder Data Protection
Focuses specifically on protecting cardholder data (the primary account number, cardholder name, expiration date, and service code) throughout the transaction lifecycle. Sensitive authentication data (full track data, the card verification code, and PIN data) is treated more strictly: it must never be stored after authorization, even if encrypted.
Network Segmentation
Strongly encourages isolating the cardholder data environment (CDE) from the rest of the network to reduce scope and simplify compliance. Segmentation is not itself a requirement, but where it is relied on to reduce scope, its effectiveness must be confirmed by penetration testing at least annually (every six months for service providers) and after any change to the segmentation controls.
Strong Cryptography
Requires strong cryptography for cardholder data transmitted over open, public networks, and requires stored PANs to be rendered unreadable wherever they are kept, using one of the approved methods: keyed one-way hashing of the full PAN, truncation, index tokens, or strong cryptography with documented key-management procedures (key generation, distribution, storage, rotation, and retirement).
The 12 Requirements
- 1. Install and maintain network security controls
- 2. Apply secure configurations to all system components
- 3. Protect stored account data
- 4. Protect cardholder data with strong cryptography during transmission over open, public networks
- 5. Protect all systems and networks from malicious software
- 6. Develop and maintain secure systems and software
- 7. Restrict access to system components and cardholder data by business need to know
- 8. Identify users and authenticate access to system components
- 9. Restrict physical access to cardholder data
- 10. Log and monitor all access to system components and cardholder data
- 11. Test security of systems and networks regularly
- 12. Support information security with organizational policies and programs
Who Needs to Comply?
Any organization that stores, processes, or transmits payment card data — merchants, payment processors, acquirers, issuers, and service providers regardless of transaction volume.
Key Requirements
Cardholder Data Environment Scoping
Identify all system components, people, and processes that store, process, or transmit cardholder data, plus any system that is connected to the CDE or that could affect its security if compromised (directory services, logging, patch servers, jump hosts). Proper scoping is the foundation: reducing scope reduces compliance burden, and PCI DSS 4.0 requires the scope to be documented and confirmed at least annually (every six months for service providers). A recurring cause of scope creep is cardholder data leaking into places nobody planned for, such as application logs and support tickets, so scoping should include a data-discovery pass over those stores.
Vulnerability Management
Run internal and external vulnerability scans at least quarterly and after significant changes; external scans must be performed by an ASV and pass (no vulnerability scored CVSS 4.0 or higher), and v4.0 adds authenticated internal scanning. Conduct internal and external penetration testing at least annually and after significant changes. High-risk and critical vulnerabilities must be remediated and verified by rescan; lower-risk findings are addressed within timeframes set by the entity's own targeted risk analysis.
Access Control
Restrict access to cardholder data to only those individuals whose job requires it, using deny-all-by-default access controls. Implement multi-factor authentication for all access into the CDE (v4.0 extends this from administrators to every user and access path) and for all remote network access originating from outside the entity's network, including vendor and support access.
Logging and Monitoring
Log all access to system components and cardholder data, including all administrative actions and authentication events, and protect logs from modification. Review security events and the logs of CDE and critical systems at least daily; v4.0 requires automated mechanisms for this review rather than manual inspection. Retain audit trail history for at least 12 months, with at least the most recent 3 months immediately available for analysis.
Incident Response Plan
Establish, document, and test an incident response plan at least annually. Include procedures for containment, forensic evidence preservation, notification of the acquirer and card brands (and of a PCI Forensic Investigator where the brands require one), legal and regulatory notification, and post-incident review that feeds lessons learned back into the plan.
Penalties & Enforcement
Non-compliant organizations face fines commonly cited at $5,000 to $100,000 per month, assessed by the card brands on the acquiring bank and typically passed through to the merchant. After a breach, costs include a mandated forensic investigation (the page cites $20K-$500K+), liability for resulting fraud, card reissuance costs, increased processing fees, and potential loss of card acceptance privileges.
Official Documentation
PCI DSS v4.0 Standard
PDF • PCI SSC • Official Payment Card Industry Data Security Standard
PCI SSC Document Library
External Link • pcisecuritystandards.org • Standards, Guidelines & Resources
QSA & ASV Directory
External Link • pcisecuritystandards.org • Find Qualified Security Assessors