PCI DSS Version 4.0.1 Simplified Guide 

An Overview of Key Changes for Organisations 

In this article, Kenechi Obetta, Cyber Security Specialist here at Data Protection People, shares insights on the recent update to the PCI DSS, highlighting the key changes from version 4.0 to version 4.0.1.

As many organisations continue transitioning from PCI DSS version 3.2.1 to version 4.0, the Payment Card Industry Data Security Standard (PCI DSS) has undergone a new revision with the release of version 4.0.1. As the standard continues to evolve, organisations need to stay up to date with the latest requirements to maintain compliance and safeguard sensitive cardholder data. Note that version 4.0 remains valid until December 31, 2024; after this date, version 4.0.1 will be the only active version.

The changes introduced in PCI DSS version 4.0, particularly the 64 new requirements, remain relevant in version 4.0.1. These requirements include significant updates such as payment page integrity (Requirement 6.4.3), a tamper-detection mechanism for payment pages (Requirement 11.6.1), the introduction of multi-factor authentication (MFA) for all access to the cardholder data environment (CDE), the need for authenticated vulnerability scans, and targeted risk analyses (TRAs).

All new requirements from version 4.0, which are currently regarded as best practices until March 31, 2025, are still incorporated in version 4.0.1, with the timeline remaining unchanged. At Data Protection People, we understand that navigating the complexities of PCI DSS can be daunting. That’s why our team of Qualified Security Assessors (QSAs), with deep expertise in cyber security and data protection, has put together this simplified guide to help you understand the key changes from version 4.0 to 4.0.1. While this guide is intended to provide an easy-to-understand overview, we’ve ensured that all critical changes are included, so you won’t miss any essential updates.

For those looking for a more in-depth, technical analysis, we recommend downloading the official full guide from the PCI Security Standards Council (PCI SSC).

What’s New in PCI DSS Version 4.0.1? 

The new PCI DSS version 4.0.1 introduces important clarifications, updates, and corrections to ensure that the standard remains current with emerging threats and technologies. These changes primarily focus on making the guidance clearer while reinforcing best practices for handling cardholder data. Below, we summarise the most notable changes. 

General Updates: 

  • Clarification of Guidance: Changes were made to clarify definitions, update references, and improve overall understanding. Many of the updates ensure that key terms are aligned across the document. 
  • Correction of Minor Errors: Typographical and formatting errors were corrected, ensuring consistency and clarity throughout the document. 
  • Updated Testing Procedures: Testing procedures were updated to reflect new wording in the requirements, ensuring that assessments align with the revised standards. 
  • Glossary References: Additional glossary terms were included for easier reference, improving the accessibility of definitions and reducing duplication across sections. 

Changes in the Scope of Requirements: 

  • Third-Party Service Providers (TPSPs): Clarifications were added regarding the responsibilities of third-party service providers when handling cardholder data. TPSPs must now provide customers with documentation outlining their PCI DSS responsibilities, ensuring there is no confusion about accountability. 
  • Applicability Notes: Several sections have been updated to clarify how the requirements apply to specific entities, particularly issuers and companies supporting issuing services. 

Key Updates to Specific Requirements: 

  • Requirement 1 (Firewalls and Routers): A previously missing purpose was added, ensuring the requirement has a clear rationale. 
  • Requirement 3 (Protecting Stored Cardholder Data): Several updates provide clearer guidance on when sensitive authentication data (SAD) storage is allowed and under what circumstances. Specific business needs must be documented and legitimate to store SAD, and non-persistent memory storage has been addressed. 
  • Requirement 6.3.3 (Security Patches/Updates): The requirement was updated to revert to the v3.2.1 language, specifying that it applies to patches/updates for critical vulnerabilities. The phrase “high-security patches/updates” introduced in version 4.0 has been removed. Additionally, the example stated in the second bullet of the requirement for installing all other patches/updates “within three months of release” was moved to the Guidance section under Examples for more flexibility. It was also clarified that other patches should be installed based on the entity’s assessment of the risk to the environment. A Targeted Risk Analysis (TRA) is recommended to determine the appropriate frequency of patch installations. 
  • Requirement 8 (Strong Authentication Controls): Multiple changes were made to clarify the use of multi-factor authentication (MFA) and ensure that user accounts accessing sensitive areas are appropriately authenticated. 
  • Requirement 11.6.1 (Tamper-Detection Mechanism): The requirement was updated to apply to “security-impacting HTTP headers and script contents” of payment pages, with checks now required weekly instead of every seven days to align with Table 4 of the PCI DSS standard. Three new applicability notes were added to cover entity webpages and third-party embedded payment forms. Expanded guidance explains what can be detected when comparing HTTP headers and content, and entities should ensure TPSPs provide evidence of compliance. The examples clarify that various detection techniques can be used, offering flexibility in implementation.
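
As an illustration of the header-and-script comparison that Requirement 11.6.1 describes, here is an added Python example (not code from this article, from Data Protection People, or from the PCI SSC). It records a baseline of watched response headers and a hash of each script on the payment page, then reports what was added, removed or changed in a later capture; the set of watched headers, the fingerprint format and the sample page are assumptions made for the example.

```python
import hashlib
import re

# Headers treated as security-impacting here (an assumption for this example,
# not a list taken from the standard).
WATCHED_HEADERS = {"content-security-policy", "strict-transport-security"}
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def collect_scripts(html):
    """Return (label, content) pairs: external scripts labelled by URL, inline ones by order.
    A production check would use a real HTML parser; the regex keeps this example short."""
    scripts, inline = [], 0
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:  # external script: a live check would also fetch and hash the referenced file
            scripts.append((f"src:{src.group(1)}", src.group(1)))
        else:
            scripts.append((f"inline#{inline}", body))
            inline += 1
    return scripts

def fingerprint(headers, html):
    """Baseline record: watched header values plus a SHA-256 per script."""
    return {"headers": {k.lower(): v for k, v in headers.items() if k.lower() in WATCHED_HEADERS},
            "scripts": {label: hashlib.sha256(body.encode()).hexdigest()
                        for label, body in collect_scripts(html)}}

def detect_changes(baseline, current):
    """Compare two fingerprints; an empty list means nothing security-impacting changed."""
    findings = []
    for section in ("headers", "scripts"):
        old, new = baseline[section], current[section]
        for key in sorted(set(old) | set(new)):
            if key not in new:
                findings.append(f"{section}: {key} removed")
            elif key not in old:
                findings.append(f"{section}: {key} added")
            elif old[key] != new[key]:
                findings.append(f"{section}: {key} changed")
    return findings

# Constructed sample: the approved baseline and a later weekly capture of the same page.
BASELINE = fingerprint(
    {"Content-Security-Policy": "script-src 'self'", "Strict-Transport-Security": "max-age=31536000"},
    "<html><script src='/js/checkout.js'></script><script>init('ok');</script></html>")
CURRENT = fingerprint(
    {"Content-Security-Policy": "script-src *", "Strict-Transport-Security": "max-age=31536000"},
    "<html><script src='/js/checkout.js'></script><script>init('ok');send();</script>"
    "<script src='https://cdn.example/extra.js'></script></html>")
```

Running `detect_changes(BASELINE, CURRENT)` on the constructed sample reports the weakened Content-Security-Policy, the altered inline script and the newly introduced external script, which is the evidence an entity would retain for the weekly check.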

Why These Changes Matter 

While many of the changes are considered minor updates or clarifications, their importance lies in ensuring that organisations like yours have clear, concise guidance to remain compliant. As cyber threats continue to evolve, the PCI DSS must also evolve to provide sufficient protection for both cardholders and businesses alike. 

Our team at Data Protection People is here to help you implement these changes effectively and ensure that your organisation remains compliant with the latest version of PCI DSS. If you need help interpreting any of the updates or require expert guidance, feel free to contact us. 

For a comprehensive list of all changes, we recommend downloading the official PCI DSS Version 4.0.1 Guide directly from the PCI Security Standards Council. 

About Data Protection People 

Data Protection People is a leading consultancy in data protection and cyber security, providing expert guidance on GDPR compliance and PCI DSS. As a QSA-certified organisation, we assist businesses in ensuring they meet the stringent standards of PCI DSS compliance through our tailored consulting and assessment services. Our team includes some of the most knowledgeable professionals in the industry, who work diligently to make compliance understandable and accessible for organisations of all sizes. 

Let Us Simplify Your Compliance Journey 

Data Protection People’s role as a trusted QSA ensures that we’re equipped to help you navigate every aspect of PCI DSS compliance, from understanding new requirements to implementing them within your business. Our goal is to make compliance accessible, understandable, and achievable, regardless of the size of your organisation.