What’s New in PCI DSS 4.0?

Get Ready for the 2024 PCI Compliance Update

The new, stringent, PCI DSS 4.0 will replace PCI DSS version 3.2.1 on March 31, 2024. At that time, you will be required to be compliant with the new specifications. (Do not become confused by the March 31, 2025, date which is when the requirements labeled “best practices” also become mandatory. The key date for 4.0 is March 31, 2024.) Until then you can continue to follow the 3.2.1 standard.


There are a few technical items within the new standard that are different:

  • Password length has been increased from 7 to 12 characters long
  • The way in which cardholder data is copied and stored
  • More “roles and responsibilities” must be assigned in different areas.

On that last point, one area that is more lenient is “shared accounts”. In some cases, this leniency is allowed. For example, assigning greater roles and responsibilities within this area can often be a barrier for database administrators.

Overall, the requirements of PCI DSS 4.0 are almost the same as PCI 3.2.1. To review all the changes, refer to this PCI document.

What If My Organization Doesn’t Achieve 100% PCI 4.0 Compliance by the Deadline?

To address the organization that is almost 100% compliant but is hung up on one or a few requirements, there is a new concept of implementing a customized approach in lieu of having a specified requirement in place.

The customization option is like a “get out of jail free” card. You can use it, but sparingly, and this flexibility helps organizations that absolutely cannot meet some PCI DSS 4.0 requirements due to business reasons.

The process of applying a Customized Approach is very similar to a Compensating Control. A special form must be completed that states the problem, and the solution, including a risk analysis and procedures for testing, monitoring, and updating the Customized Approach.

The Biggest Change to Expect with PCI 4.0

The much more stringent change in PCI DSS 4.0 is in the manner in which the RoCs are written by the QSA.

Instead of the QSA explaining what an organization does, as in PCI 3.2.1 requirements, the QSA will instead be required to reference all evidence by numbers. 4.0 has eliminated the tendency for the QSA to do quick summary checks.

The string “Identify the evidence reference number(s)” appears more than 700 times in the 4.0 RoC template! Every document, interview, and piece of supporting evidence gathered during the assessment must be saved in files that can be referenced by a number in the RoC. Everything will have to be very carefully documented for each requirement. That is why there will be over 700 pieces of evidence.

This evidence gathering is going to produce some very interesting assessments, because a lack of organization could make assessments very painful. What we envision is more exhaustive assessments with lots of documents, but for those familiar with 3.2.1, it will be almost the same steps.

At DirectDefense, we are ready for PCI DSS 4.0. We now offer a PCI 4.0 pre-assessment service to organizations that want to prepare for this new, stringent standard. For more details on the pre-assessment service or PCI DSS assessments contact us today.