PCI DSS 4.0 Migration Guide: Key Changes, New Requirements & Compliance Deadlines

PCI DSS 4.0 was released in March 2022 as a major update to the payment card industry security standard, with the transition deadline of March 31, 2025 now past. Organizations that have not yet completed their migration face increased audit scrutiny and potential non-compliance findings. This guide covers the most significant changes in PCI DSS 4.0, the new requirements that demand immediate attention, and practical steps for organizations still working toward full compliance.

Overview of PCI DSS 4.0 Changes

PCI DSS 4.0 represents the most significant update to the standard since its creation. The PCI Security Standards Council designed version 4.0 around four key goals: ensuring the standard continues to meet the security needs of the payment industry, promoting security as a continuous process rather than a point-in-time assessment, adding flexibility for organizations to achieve security objectives using different methods, and enhancing validation methods and procedures. The standard introduces 64 new requirements, of which 51 are designated as future-dated requirements that became mandatory on March 31, 2025, and 13 were effective immediately upon the v4.0 release. The overall structure has been reorganized, with Requirement 8 significantly expanded for authentication controls, Requirement 6 updated for modern software development practices, and a new emphasis on targeted risk analysis throughout. One of the most fundamental changes is the introduction of the Customized Approach, which allows organizations to meet security objectives through alternative methods rather than being limited to the Defined Approach (previously the only option). The Customized Approach provides flexibility but requires more rigorous documentation and validation, making it more suitable for mature organizations with strong security programs.
  • PCI DSS 4.0 introduces 64 new requirements, with 51 that became mandatory on March 31, 2025
  • The Customized Approach allows organizations to meet security objectives through alternative methods
  • Four key goals: continuous security, industry needs, flexibility, and enhanced validation
  • Requirement 8 (authentication) and Requirement 6 (software development) are significantly expanded
  • Targeted risk analysis is now required throughout the standard rather than just annually

Key New Requirements in PCI DSS 4.0

Several new requirements in PCI DSS 4.0 demand significant implementation effort. Requirement 3.5.1.2 now permits disk-level or partition-level encryption as the sole mechanism for protecting stored cardholder data only on removable media; on fixed devices it is no longer acceptable as the sole protection. Requirement 5.4.1 requires automated mechanisms to detect and protect personnel against phishing attacks, typically through email security solutions with anti-phishing capabilities. Requirement 6.4.2 requires a web application firewall (WAF) for all public-facing web applications, making it mandatory rather than an alternative to manual code reviews. Requirement 8.3.6 increases the minimum password length from 7 to 12 characters (or 8 if the system cannot support 12), and Requirement 8.4.2 mandates multi-factor authentication for all access into the cardholder data environment, not just remote access. Requirement 10.7.2 requires the ability to detect, alert on, and promptly address failures of critical security control systems. Requirement 11.6.1 requires a change-and-tamper-detection mechanism on payment pages to detect unauthorized modifications. Requirement 12.3.1 requires organizations to perform a targeted risk analysis for each PCI DSS requirement that allows flexibility in how frequently the requirement is performed, replacing the previous one-size-fits-all approach.
  • Disk-level encryption alone no longer satisfies stored cardholder data protection requirements
  • Automated anti-phishing mechanisms are now mandatory for all personnel
  • WAF is required for all public-facing web applications, no longer an alternative option
  • Minimum password length increased to 12 characters with MFA required for all CDE access
  • Change-and-tamper-detection mechanisms required on payment pages under Requirement 11.6.1
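Requirement 11.6.1 calls for a change-and-tamper-detection mechanism on payment pages. The following added example (not part of the original article or any PCI SSC material) shows one way such a monitoring-side check can work: inventory the page's scripts, hash inline ones, and compare the result against an approved baseline and a list of allowed script hosts. The page content, hostnames and baseline are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Inventories <script> tags: external ones by src URL, inline ones by SHA-256 of body."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = set(), set()
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.external.add(src)
        elif tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline.add(hashlib.sha256(body).hexdigest())
            self._buf = None

def inventory(html):
    parser = ScriptCollector()
    parser.feed(html)
    return {"external": parser.external, "inline": parser.inline}

def check_payment_page(html, baseline, allowed_hosts):
    """Diff a fetched payment page against its approved baseline; [] means no change."""
    current, findings = inventory(html), []
    for src in sorted(current["external"] - baseline["external"]):
        kind = "approved host" if urlparse(src).hostname in allowed_hosts else "unauthorized origin"
        findings.append(f"new external script ({kind}): {src}")
    for digest in sorted(current["inline"] - baseline["inline"]):
        findings.append(f"inline script with unknown hash: {digest[:16]}")
    for kind in ("external", "inline"):
        for item in sorted(baseline[kind] - current[kind]):
            findings.append(f"approved {kind} script missing: {item}")
    return findings

# Constructed sample: an approved checkout page (not real merchant content) and its baseline.
APPROVED_PAGE = ('<html><body><form id="pay"></form><script src="https://checkout.example.com/pay.js">'
                 '</script><script>initCheckout("pay");</script></body></html>')
BASELINE = inventory(APPROVED_PAGE)
```

Running `check_payment_page` on each fetch of the live page and alerting on a non-empty result gives the detection half of the requirement; the baseline must be re-approved through change control whenever the page is legitimately updated.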

The March 2025 Deadline: What Happened and What to Do Now

The March 31, 2025 deadline marked the point at which PCI DSS 3.2.1 was officially retired and all 64 new requirements in PCI DSS 4.0 became mandatory. Organizations assessed after this date are evaluated entirely against the 4.0 standard. For organizations that completed migration before the deadline, the focus now shifts to maintaining compliance and preparing for upcoming assessments under the new standard. For organizations still working on migration, the situation requires immediate prioritization. While non-compliance does not automatically trigger fines, organizations assessed and found non-compliant face potential consequences including increased transaction fees from payment brands, placement in remediation programs with mandatory progress reporting, potential restrictions on payment processing privileges, and greater liability exposure in the event of a data breach. Organizations in this position should conduct an immediate gap assessment against PCI DSS 4.0 and prioritize the highest-risk requirements, including MFA for CDE access, anti-phishing controls, and payment page integrity monitoring. They should engage their Qualified Security Assessor or Internal Security Assessor early to understand the assessment timeline and develop a remediation plan with specific milestones. Documenting progress and demonstrating good-faith remediation efforts can significantly influence how acquirers and payment brands respond to non-compliance findings.
  • PCI DSS 3.2.1 was officially retired on March 31, 2025, making all 4.0 requirements mandatory
  • Non-compliance can result in increased fees, remediation programs, and processing restrictions
  • Immediate gap assessment and prioritization of high-risk requirements is essential
  • Documented remediation progress demonstrates good faith and can influence brand responses
  • Engaging QSA or ISA early helps organizations understand assessment timelines and expectations

Customized Approach vs Defined Approach

PCI DSS 4.0 introduces the Customized Approach as an alternative to the traditional Defined Approach (previously the only option). The Defined Approach remains the standard compliance path where organizations implement the specific technical and operational controls described in each requirement exactly as written. The Customized Approach allows organizations to design and implement controls that meet the stated security objective of a requirement through means other than those described in the Defined Approach. For example, instead of implementing the specific password complexity rules in the Defined Approach, an organization using the Customized Approach might implement a risk-based authentication system that achieves the same security objective through different technical means. However, the Customized Approach is not easier; it is more rigorous. Organizations must document their customized control, explain how it meets the security objective, perform a targeted risk analysis, and undergo more detailed assessor validation. The assessor must independently verify that the customized control achieves the stated objective, which requires deeper technical evaluation than checking compliance with prescriptive requirements. The Customized Approach is best suited for organizations with mature security programs, dedicated security teams, and the resources to document and defend alternative approaches. Smaller merchants or organizations seeking straightforward compliance should generally follow the Defined Approach.
  • The Customized Approach allows organizations to meet security objectives through alternative controls
  • It requires more rigorous documentation, risk analysis, and assessor validation than the Defined Approach
  • Organizations must explain how their customized control meets the stated security objective
  • Best suited for mature organizations with dedicated security teams and strong documentation
  • Smaller merchants should generally follow the Defined Approach for simpler compliance

Targeted Risk Analysis Requirements

PCI DSS 4.0 introduces targeted risk analysis as a recurring theme throughout the standard, replacing the previous approach of fixed frequencies for many requirements. Requirement 12.3.1 mandates that organizations perform a targeted risk analysis for each requirement that provides flexibility in how frequently the requirement is performed. This means organizations must evaluate their specific threat landscape, vulnerability exposure, and risk appetite to determine appropriate frequencies for activities such as log reviews, vulnerability scans, access reviews, and security awareness training. Each targeted risk analysis must document the assets being protected, the threats and vulnerabilities identified, the likelihood and impact of threat exploitation, the resulting risk level and the frequency or approach chosen, and the justification for why the chosen frequency adequately addresses the identified risk. The analysis must be reviewed and updated at least annually or upon significant changes to the environment. This approach is more demanding than simply following prescribed frequencies because it requires organizations to understand their own risk profile and make defensible decisions. However, it also provides meaningful flexibility, allowing organizations to allocate more resources to higher-risk areas and potentially reduce effort on lower-risk activities. Assessors will evaluate whether the risk analysis methodology is sound and whether the resulting decisions are reasonable given the identified risks.
  • Targeted risk analysis replaces fixed frequencies for many PCI DSS requirements
  • Organizations must evaluate their specific threats, vulnerabilities, and risk appetite
  • Each analysis must document assets, threats, likelihood, impact, and resulting frequency decisions
  • Analyses must be reviewed annually or when significant environmental changes occur
  • Assessors evaluate the methodology soundness and reasonableness of frequency decisions

Migration Steps and Prioritization

Organizations working toward PCI DSS 4.0 compliance should follow a structured migration approach. Begin with a comprehensive gap analysis comparing your current controls against all PCI DSS 4.0 requirements, paying particular attention to the 64 new requirements. Categorize gaps by implementation complexity and risk impact to establish priorities. High-priority items that should be addressed first include multi-factor authentication for all access to the cardholder data environment, automated anti-phishing mechanisms for personnel, payment page change-and-tamper-detection controls, updated authentication standards with 12-character minimum passwords, and web application firewall deployment for public-facing applications. Medium-priority items include targeted risk analysis documentation for flexible-frequency requirements, updated security awareness training programs, enhanced logging and monitoring capabilities, and updated incident response procedures. Lower-priority items include documentation updates, policy revisions, and procedural enhancements that do not directly affect security posture. Throughout the migration, maintain a detailed project plan with milestones, assigned owners, and target completion dates. Regular progress reviews with executive leadership ensure adequate resource allocation and organizational commitment. Engage your QSA or ISA early to validate your interpretation of requirements and confirm that your planned controls will satisfy the standard.
  • Start with a comprehensive gap analysis against all PCI DSS 4.0 requirements
  • Prioritize MFA, anti-phishing, payment page monitoring, and WAF as high-priority items
  • Targeted risk analysis documentation is medium priority but requires significant effort
  • Maintain a detailed project plan with milestones, owners, and regular executive reviews
  • Engage QSA or ISA early to validate requirement interpretation and planned controls

Key Takeaways

  • PCI DSS 4.0 introduced 64 new requirements, all mandatory since March 31, 2025
  • The Customized Approach provides flexibility but requires more rigorous documentation and validation
  • MFA for all CDE access, anti-phishing controls, and payment page monitoring are critical new requirements
  • Targeted risk analysis replaces fixed frequencies, requiring organizations to justify their chosen approach
  • Organizations not yet compliant should prioritize high-risk gaps and document remediation progress
  • Disk-level encryption alone no longer satisfies stored cardholder data protection requirements
  • Engaging assessors early helps validate interpretation and avoid costly rework

Frequently Asked Questions

When did PCI DSS 4.0 become mandatory?

PCI DSS 4.0 became the only active version on March 31, 2025, when version 3.2.1 was officially retired. All 64 new requirements, including the 51 future-dated requirements, became mandatory on this date. Organizations assessed after this date are evaluated entirely against PCI DSS 4.0.

What are the biggest changes in PCI DSS 4.0?

The biggest changes include MFA required for all CDE access (not just remote), mandatory anti-phishing mechanisms, WAF required for all public-facing web apps, payment page change-and-tamper-detection, increased password length to 12 characters, targeted risk analysis replacing fixed frequencies, and the introduction of the Customized Approach.

What is the PCI DSS 4.0 Customized Approach?

The Customized Approach allows organizations to meet PCI DSS security objectives through alternative controls rather than following the prescriptive requirements of the Defined Approach. It requires more rigorous documentation, targeted risk analysis, and assessor validation, making it more suitable for mature security programs.

What happens if I am not PCI DSS 4.0 compliant?

Non-compliance after March 31, 2025 can result in increased transaction fees, placement in mandatory remediation programs, potential restrictions on payment processing, and increased liability in the event of a breach. Organizations should conduct immediate gap assessments and document remediation progress.

Do I need a WAF under PCI DSS 4.0?

Yes. Requirement 6.4.2 now mandates a web application firewall for all public-facing web applications. Under PCI DSS 3.2.1, a WAF was an alternative to manual code reviews. Under 4.0, it is required regardless of whether code reviews are also performed.

What is targeted risk analysis in PCI DSS 4.0?

Targeted risk analysis under Requirement 12.3.1 requires organizations to evaluate their specific risk profile to determine appropriate frequencies for security activities. Each analysis must document assets, threats, vulnerabilities, risk levels, and the justification for chosen frequencies. It replaces the previous fixed-frequency approach for many requirements.

Generate PCI DSS policies automatically

PoliWriter creates all the policies you need for PCI DSS compliance, customized to your organization. AI-powered, audit-ready, hours not months.
