Aug 11, 2023
7 min read

How To Prepare For New PCI DSS 4.0 Requirements

New PCI DSS guidance will apply to all companies that process or store credit card information

The Payment Card Industry Data Security Standard, commonly known as PCI DSS, is a set of security standards established to reduce credit card fraud and protect cardholder data. PCI DSS provides a framework to help businesses and organizations that handle credit card transactions to implement security measures and best practices that safeguard sensitive cardholder information.

In March of 2022, the PCI Security Standards Council released PCI DSS 4.0, which updated these regulations to address current technologies and threats. The new standard goes into effect on March 31, 2024, and the time to begin preparing is now. 

A few notable changes to PCI DSS 4.0 include: 

  • Increasing the required password length

  • Broadening the use of multi-factor authentication (MFA)

  • Extending the standard to include mobile, Internet of Things (IoT), and cloud applications

  • Emphasizing roles, responsibilities, and reporting requirements   

For some organizations, these updates and increased compliance requirements may feel at best like check-the-box exercises and at worst like a maze of red tape. However, achieving PCI DSS compliance helps companies more than it hinders them by: 

  • Guarding against data breaches and protecting customer data from fraud fosters trust and builds brand loyalty. 

  • Protecting themselves from fines, fees, and loss of business. 

If you work for an organization that accepts, handles, stores, or transmits cardholder data, here’s what you need to know to transition from PCI DSS 3.2.1 to PCI DSS 4.0.

The Fine Print of PCI DSS

PCI DSS consists of 12 requirements (plus additional sub-requirements) that dictate how organizations must protect cardholder data and render it unreadable. 

  1. Install and maintain network security controls to prevent unauthorized access to systems, likely in the form of a firewall set to deny by default.

  2. Apply secure configuration to all system components, e.g., strong passwords and security controls for all systems and applications — NOT the default settings of the manufacturer/vendor.

  3. Protect stored cardholder data through encryption and secure storage.

  4. Use strong cryptography when transmitting cardholder data across open, public networks, including over the internet, intranets, and extranets.

  5. Protect systems and networks from malicious software using regularly updated anti-virus tools.

  6. Develop and maintain secure systems and applications, including controls like input validation, output encoding, and session management.

  7. Restrict access to cardholder data by business need-to-know, i.e., role-based access control.

  8. Identify users and authenticate access to system components, perhaps through passwords, biometrics, and other validation measures.

  9. Restrict physical access to cardholder data.

  10. Log and monitor all access to network resources and cardholder data to identify suspicious activity and conduct post-incident investigations.

  11. Regularly test security systems and processes through penetration tests, vulnerability assessments, and other security audits. 

  12. Maintain a policy that addresses information security and communicate that policy to all employees, including procedures for reporting and responding to breaches and incidents.

Simple Due Diligence Leads to Security Success

With the impending requirement to adhere to PCI DSS 4.0, the age-old dilemma between security and convenience is sure to rear its head. The tension arises from the temptation to adopt lax firewall rules, default configurations, and over-permissioned access settings in order to facilitate business operations and alleviate security teams from mundane tasks. However, PCI DSS requirements, particularly those outlined in sections 1, 2, and 6, underscore the criticality of prioritizing security rather than treating it as an afterthought.

While similar security challenges exist across many industries, the financial sector–with its constant flow of sensitive information–demands a steadfast commitment to security due diligence. Organizations now face the arduous task of defining a robust and proactive security strategy that can coexist with seamless business productivity. Striking this balance will entail meticulous planning for maintaining, testing, and regularly updating the systems and controls to safeguard sensitive customer data. PCI DSS 4.0 seeks to elevate security standards for cardholder data, encouraging businesses to take a more mature approach to information security.

Implementing Access Control

Implementing stronger access controls is another key way to prepare your organization for PCI DSS 4.0. Achieving the balance between security and productivity requires a comprehensive understanding of each user's specific requirements and workflow. By tailoring access controls to grant precise levels of access to accomplish tasks, organizations can ensure that users can perform their duties unhindered. This approach should also extend to third-party vendors and contractors, who should be segmented and assigned roles and profiles according to their responsibilities. 

Furthermore, organizations must establish clear policies for onboarding and offboarding users, ensuring access rights are promptly adjusted when employees leave or change roles. By proactively managing access permissions, organizations can bolster security and streamline operations, ultimately creating a more secure and productive environment for all users.

Securing Users and Assets, Not Just Networks

Preparing for PCI DSS 4.0 should go beyond merely safeguarding your network; it should also encompass securing users and valuable assets. With the prevalence of remote work and customers conducting banking activities from diverse locations, ensuring the protection of data transmission and reception is paramount for PCI DSS compliance. The heart of this endeavor lies in verifying the authenticity of users and their actions. 

Unlike the traditional castle and moat security approach that grants broad lateral access and implicit trust upon network entry, today's security demands more precise and granular validation methods. This includes requiring multiple authentication measures based on the following factors: 

  • Something they know (password)

  • Something they are (biometric)

  • Something they have (device)

This level of verification and continuous authorization is perhaps the most challenging, as financial systems typically run on legacy infrastructure that can’t readily accommodate modern controls like multi-factor authentication (MFA). For financial institutions and other businesses that issue cards or accept card payments, extensive downtime for patching and upgrades is impractical and disruptive to their customers' activities. Once again, the answer lies in striking a balance between enhanced security and frictionless user experience. This often necessitates innovative solutions to fortify security measures without compromising operational efficiency.

Upping the Emphasis on Visibility and Reporting

While it is essential to limit user access (and thus, exposure to risk) by adhering to the principle of least privilege, having full visibility into user activities is equally crucial. This allows organizations to be more proactive in detecting and combating malicious behavior. Identifying suspicious behavior and investigating an incident is crucial in informing improvements to security policies and strategies — not to mention what can be done to contain or remediate a breach after one occurs.

Real-time monitoring of user activity allows for the immediate identification of suspicious actions, enabling swift action to revoke access and contain potential threats before they escalate. By enhancing visibility and reporting capabilities, organizations can strengthen their security posture, detect threats early, and respond promptly to safeguard their sensitive data and assets, including cardholder information.


The themes examined here represent the general winds of the security world even beyond the sectors required to comply with PCI DSS 4.0. Banks and other payment-processing enterprises would do well to accept that security is now a business-critical function, and they should use PCI DSS as a framework for business enablement and agility rather than a box-checking compliance measure. Strategies that seek to do the bare minimum to meet compliance rather than solve the security problem will ultimately fail to prevent incidents, fines, and loss of customer trust.

Cyolo supports a number of critical and thorny requirements demanded by PCI DSS, especially those around role-based access, stronger authentication, and visibility.

Subscribe to Our Newsletter