PCI-DSS v4.0: What's New and How to Prepare
PCI-DSS v4.0 represents the most significant update to the Payment Card Industry Data Security Standard in over a decade. Released in March 2022 with full enforcement beginning March 2025, version 4.0 introduces a more flexible, customized approach to security while addressing modern threats and technologies. This guide breaks down the key changes and provides actionable steps to ensure your organization is prepared.
Important Timeline
PCI-DSS v3.2.1 was retired on March 31, 2024. All organizations must now comply with v4.0 requirements. Some requirements have phased implementation dates extending to March 2025.
Key Philosophy Changes
PCI-DSS v4.0 introduces a more flexible approach with two types of requirements:
- Defined Approaches: Traditional prescriptive requirements specifying exactly what must be implemented
- Customized Approaches: Allows organizations to implement alternative controls that meet the stated objective, providing flexibility for innovative security solutions
Major New Requirements
1. Enhanced Multi-Factor Authentication (MFA)
MFA is now required for all access to the CDE, not just remote access:
- Requirement 8.4.2: MFA must be implemented for all personnel with administrative access
- Requirement 8.4.3: MFA required for all access into the CDE (effective March 2025)
- MFA must use at least two different authentication factors (something you know, have, or are)
- Authentication factors must be independent and cannot be compromised by the same vulnerability
2. Password Security Updates
- Requirement 8.3.6: Minimum password length increased from 7 to 12 characters (or 8 characters if complexity is enforced)
- Requirement 8.3.10: Passwords must be changed at least every 90 days (the previous standard also specified a 90-day interval)
- Password history must prevent reuse of the last four passwords
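As an added illustration (not code from the article or from Delinix), the following checker applies the three password rules listed above: the 12-character minimum (8 when complexity is enforced), the letters-plus-digits complexity rule assumed here, and the four-password history. History entries are stored as salted PBKDF2 hashes rather than plaintext, which is an assumption about the surrounding system, not something the article specifies.

```python
import hashlib
import hmac
import os
import re

# Policy values as this article states them for PCI DSS v4.0 Requirement 8.3.6.
MIN_LENGTH = 12
MIN_LENGTH_WITH_COMPLEXITY = 8
HISTORY_DEPTH = 4  # last four passwords may not be reused


def is_complex(password: str) -> bool:
    """Complexity is assumed here to mean both letters and digits are present."""
    return bool(re.search(r"[A-Za-z]", password)) and bool(re.search(r"[0-9]", password))


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; history holds (salt, digest) pairs, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def in_history(password: str, history: list) -> bool:
    """True if the candidate matches any of the HISTORY_DEPTH most recent stored hashes."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def validate_password(password: str, history: list, complexity_enforced: bool) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    required = MIN_LENGTH_WITH_COMPLEXITY if complexity_enforced else MIN_LENGTH
    if len(password) < required:
        problems.append(f"shorter than {required} characters")
    if complexity_enforced and not is_complex(password):
        problems.append("lacks both letters and digits")
    if in_history(password, history):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems
```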
3. Enhanced Encryption Requirements
v4.0 strengthens encryption standards to address evolving threats:
- Requirement 4.2.1: Strong cryptography required for all transmission of PAN over open, public networks
- Requirement 3.5.1: Encryption keys must be stored securely with limited access
- Deprecation of SSL/early TLS - only TLS 1.2 and higher are acceptable
- Organizations must maintain an inventory of algorithms and protocols in use
4. Targeted Risk Analysis
Many requirements now include a "Targeted Risk Analysis" component:
- Organizations can determine the frequency of certain activities based on risk assessment
- Risk analyses must be documented and reviewed annually
- Results must justify the chosen frequency or approach
5. Enhanced E-commerce and Phishing Protection
New requirements specifically address web-based threats:
- Requirement 6.4.3: Detection and reporting mechanisms for unauthorized modifications to payment pages (effective March 2025)
- Requirement 5.4.1: Technical controls to prevent phishing attacks
- Regular review of public-facing web applications for vulnerabilities
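One way to detect unauthorized modifications to a payment page, as Requirement 6.4.3 above calls for, is to compare the scripts actually present on the page against an approved baseline. The example below is added here and is not code from the article or from Delinix; the baseline contents and the sample page are constructed for illustration, and the baseline format (approved script URLs plus SHA-256 digests of approved inline scripts) is an assumption.

```python
import hashlib
from html.parser import HTMLParser


def sha256_hex(body: str) -> str:
    return hashlib.sha256(body.encode()).hexdigest()


# Constructed baseline: the scripts that are authorized to appear on the payment page.
BASELINE = {
    "src": {"https://checkout.example.com/js/checkout.js", "https://cdn.example.com/lib.js"},
    "inline_sha256": {sha256_hex("initCheckout();")},
}


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._buf = []  # start buffering an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def find_unauthorized_scripts(html: str, baseline: dict) -> dict:
    """Return scripts present on the page that are absent from the approved baseline."""
    parser = ScriptCollector()
    parser.feed(html)
    unknown_src = sorted(set(parser.srcs) - baseline["src"])
    digests = {sha256_hex(body) for body in parser.inline}
    unknown_inline = sorted(digests - baseline["inline_sha256"])
    return {"unauthorized_src": unknown_src, "unauthorized_inline_sha256": unknown_inline}
```

Running this from a scheduled job against the live page and alerting on any non-empty result gives the detection and reporting mechanism the requirement describes.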
6. Expanded Logging and Monitoring
- Requirement 10.4.1.1: Automated mechanisms must detect failures of critical security control systems
- Requirement 10.7.2: Detection and alerting must be in place for failures in automated log review mechanisms
- Enhanced requirements for timely detection of security events
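The control-failure detection that Requirements 10.4.1.1 and 10.7.2 above describe can be implemented as a watchdog over heartbeat records from each critical control, including the log-review mechanism itself. The example below is added here and is not code from the article or from Delinix; the heartbeat line format, the control names and the maximum-silence thresholds are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample heartbeats: timestamp, control name, then key=value fields.
SAMPLE_HEARTBEATS = [
    "2025-03-01T10:00:00Z fim host=pos-01 status=ok",
    "2025-03-01T10:05:00Z av host=pos-01 status=ok",
    "2025-03-01T09:10:00Z log-review host=siem-01 status=ok",
    "2025-03-01T10:02:00Z ids host=gw-01 status=error msg=sensor_down",
]

# Maximum tolerated silence per control (illustrative values, not from the standard).
MAX_SILENCE = {
    "fim": timedelta(minutes=15),
    "av": timedelta(minutes=15),
    "log-review": timedelta(minutes=30),
    "ids": timedelta(minutes=15),
}


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_heartbeat(line: str) -> dict:
    ts, control, *fields = line.split()
    record = {"time": parse_time(ts), "control": control}
    record.update(f.split("=", 1) for f in fields)
    return record


def detect_control_failures(lines, now: datetime, max_silence=MAX_SILENCE) -> list:
    """Alert on controls that reported an error, went silent too long, or never reported."""
    latest = {}
    for rec in map(parse_heartbeat, lines):
        name = rec["control"]
        if name not in latest or rec["time"] > latest[name]["time"]:
            latest[name] = rec
    alerts = []
    for control, limit in max_silence.items():
        rec = latest.get(control)
        if rec is None:
            alerts.append((control, "no heartbeat received"))
        elif rec.get("status") != "ok":
            alerts.append((control, f"reported status={rec.get('status')}"))
        elif now - rec["time"] > limit:
            minutes = int((now - rec["time"]).total_seconds() // 60)
            alerts.append((control, f"silent for {minutes} minutes"))
    return alerts
```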
Phased Implementation Deadlines
Some v4.0 requirements have extended implementation dates:
- March 31, 2025: All "future-dated" requirements must be implemented
- Organizations should prioritize these requirements in their compliance roadmap
- Early implementation demonstrates security maturity and reduces last-minute pressure
Steps to Prepare for v4.0
1. Conduct a Gap Assessment: Compare your current controls against v4.0 requirements. Identify areas requiring updates or new implementations.
2. Prioritize Future-Dated Requirements: Create a roadmap for implementing requirements with the March 2025 deadline. Start with the most complex or time-intensive changes.
3. Update Documentation: Review and update all security policies, procedures, and documentation to reflect v4.0 language and requirements.
4. Enhance MFA Implementation: Extend MFA to all CDE access points. Evaluate and implement appropriate authentication technologies.
5. Strengthen Password Policies: Update password requirements across all systems to meet the new minimum standards.
6. Implement Automated Monitoring: Deploy solutions for automated detection of security control failures and unauthorized payment page modifications.
How Delinix Can Help with v4.0 Transition
Delinix Weblogic LLP offers comprehensive v4.0 transition services:
- Detailed gap assessments comparing v3.2.1 to v4.0 requirements
- Customized remediation roadmaps with prioritized timelines
- Implementation support for enhanced controls and monitoring
- SumTower™ integration for automated compliance monitoring
Conclusion
PCI-DSS v4.0 represents a significant evolution in payment card security, offering both challenges and opportunities for organizations. The new flexibility through Customized Approaches allows innovative security solutions, while enhanced requirements address modern threat landscapes. Organizations that approach v4.0 systematically and proactively will not only achieve compliance but also strengthen their overall security posture.
Need assistance navigating the transition to PCI-DSS v4.0? Contact Delinix today for a comprehensive gap assessment and transition planning consultation.