Author: Verizon Payment Security Practice
Date published: March 26, 2025
PCI DSS v4.0 (the “Standard”) is one of the most significant updates since the Payment Card Industry Data Security Standard (PCI DSS) was introduced in 2004. For two decades the PCI Security Standards Council (PCI SSC), a global payment security forum of major card brands, has maintained a collection of industry security standards as part of a global regulation to protect customer account data. The flagship standard in the collection, the PCI DSS, establishes the requirements designed to promote a secure environment with an expansive set of technical and operational security requirements. PCI DSS applies to all organizations involved in storing, transmitting, and/or processing payment card account data. The accurate interpretation, implementation and maintenance of PCI DSS requirements is an important task for financial services chief information security officers (CISOs).
Organizations across the globe are looking closely at the latest major update of the Standard, which was designed to address emerging threats and enable innovative methods to combat new threats to customer payment data.
PCI DSS v4.0 is aimed at improving security requirements and how compliance is measured to determine whether the intent of the Standard is being met. Since its release in March 2022, organizations began focusing on the 13 new requirements that became effective immediately in March 2024 as well as the future-dated 51 requirements that needed to be in place by March 31, 2025. In December 2024, the Standard underwent a minor update to become version 4.0.1.
The PCI DSS mandates a rigorous set of requirements for any organization that accepts, stores, processes, or transmits payment card data. Organizations that implement and maintain these security standards, especially those that exceed the baseline security requirements, are likely to be more resilient to cardholder data (CHD) breaches. Verizon’s Payment Security Report has documented compliance trends in the payment security industry for more than a decade; the 2024 Payment Security Report found that only 14.3% of global organizations maintained full compliance with the PCI DSS at interim validation, and the report also found a clear downward trend in full PCI DSS compliance since its 2016 peak.[1]
This highlights the continued challenges many organizations face with respect to PCI security compliance. At the same time, compliance has never been more important, given fast-moving technology and threat landscapes. Financial institutions continue to invest in digital transformation, and these investments have often increased the size of the corporate cyber-attack surface. This has created new risks, including:
Misconfigured assets, such as cloud databases
Threat actors are quick to take advantage of such changes. According to the 2024 Data Breach Investigations Report (DBIR), Verizon’s annual publication that provides a deep analysis of global cybersecurity breaches, most threat actors targeting the industry during 2023 were external, financially motivated, and primarily focused on stealing personal and bank data as well as credentials. Alongside miscellaneous errors, system intrusion and social engineering represented the majority (78%) of breaches in this sector, according to the 2024 DBIR.
After consulting representatives from various industries for three years, the PCI SSC created version 4.0 of PCI DSS to ensure the Standard stays relevant as defensive measures and attack techniques evolve. The PCI SSC states that the update focuses on:
A summary of the key changes from v3.2.1 to v4.0 and v4.0.1 can be found here. Some key changes highlighted by the PCI SSC include:
The sheer volume of information required to understand the impact of PCI DSS v4.0.x can seem overwhelming, and it raises the question of the right approach to identifying the kinds of risks that PCI DSS was designed to mitigate. That is why Verizon publishes the Payment Security Report (PSR): to track annual compliance, make recommendations that help ease the complexity of PCI security compliance, and explain the PCI DSS requirements. The PSR guidance focuses on how to prioritize, helping you establish your goals and requirements and remove constraints for continuous, sustainable compliance. Here are a few important points outlined in the 2024 PSR:
One of PCI DSS v4.0’s major areas of focus is on moving businesses from checkbox compliance with annual assessments to running continuous security processes, driven by sustainable goals and improved validation procedures.[2]
The goal of implementing PCI DSS as a business-as-usual activity is to map and integrate PCI data security requirements to pre-existing processes and distribute responsibilities and accountability across the business. This approach helps organizations with the proper implementation and embedding of PCI DSS security controls into their overall security strategy, thereby incorporating PCI DSS controls into their normal operations.
This approach not only helps to develop and maintain compliance but also fosters a culture of security awareness and continuous improvement within your security program. The new Standard can also help organizations improve cyber resilience while enabling the collection of industry data, such as PCI DSS compliance rates among financial services organizations.
Financial services organization security leaders need to carefully examine each updated requirement in PCI DSS v4.0 and what it means for their specific organization. Before assigning compliance tasks, understand the scope of the project in terms of goals, requirements and constraints.[3]
An important goal of PCI security compliance is to establish and maintain effective security controls. You need to frequently evaluate whether the implemented security controls are functioning as intended and continue to protect sensitive data. Confirm that sufficient resources are allocated to your PCI security program to maintain critical processes and compliance efforts. All compliance-related documentation should be kept up to date and accurately reflect the current state of your organization's security strategy.
PCI DSS v4.0 introduced enhanced security requirements, including stricter encryption rules, expanded multi-factor authentication requirements and stronger network security measures, with the goal of improving payment data protection. A customized approach should be grounded in an understanding of the goals, requirements and constraints of maintaining a robust vulnerability management program that supports a sustainable payment security strategy.
Organizations should work with their Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) to agree on and develop tailored third-party testing procedures. An organization’s existing QSA is not allowed to participate in such testing sessions, because that assessor developed the procedures. Independent third-party reviewers should look for deficiencies, including blind spots and unintended consequences stemming from customized controls.
Find out more about strategies that may help you protect your payment security information in the 2024 Payment Security Report. You can also learn more about Verizon's PCI security assessments here. Security and compliance teams can also download the 2023 Payment Security Report insights white paper on the value of advanced PCI security program management design and the 2024 Payment Security Report for information on essential PCI security program measurements, metrics and performance evaluation to help you improve payment security and compliance outcomes.