Blog

When you consider the brand new version 4.0 of the PCI DSS standard, it may help to picture it like your car. We all understand that several things that need to happen to make your car run so you can successfully get from Point A to Point B. Some of them are critical—like brake pads and a functioning battery—whereas some are arguably less so, though they’re still important to your overall journey. (Think headlights or clean engine oil.) The same is true within version 4.0, which gave us 60 new requirements to sort through and prepare for to ensure your continued compliance. That’s a lot of new concepts you’re going to need to accommodate, even if many of them won’t be official until March 2025. (They’ll be considered “best practices” until then.) As you start to investigate these things you need to “tune up,” we want to help. As PCI Qualified Service Assessors (QSAs), we’re doing the work to familiarize ourselves with this new version we’ll need to evaluate our clients against. Using the knowledge we’ve gleaned so far, we want to act as your “mechanic” of sorts—that is, help you understand those more critical parts of this car standard that are particularly critical to prepare for during this transition. That’s why we’re going to outline seven of the bigger requirements among all the changes in PCI DSS v4.0. We made a video detailing the new PCI requirements as well, but in this article, we’ll help you follow the thinking behind them from our assessor’s point of view and how to ensure you comply with them in the future. We’ll also note some of the additional guidance the PCI Council has provided for some of these major updates. With this more nuanced view of these changes, you’ll be able to better prepare for the pending shift to v4.0.

Mary Shelley once said, “nothing is so painful to the human mind as a great and sudden change.”