May 31, 2023

Excited about PCI DSS 4.0? We Are—Here’s Why

After what feels like a long time coming (in fact, PKWARE first blogged about this in January 2020), PCI DSS 4.0 was finally released in Q1 of 2022. While 4.0 went live in early 2022, the current PCI 3.2.1 will not be retired until Q1 of 2024 (Figure 1). This was intentional, to give companies plenty of time to finish off any existing ROCs while also providing additional time to become compliant with the new 4.0 standards.

Figure 1: PCI DSS Transition Timeline. Source:


What We Know Is Coming

PCI-DSS 4.0 differs from the current PCI DSS version 3.2.1 in a few key ways. One of the biggest changes is that PCI DSS is giving more leeway in regard to “how” an organization can become compliant.

PCI-DSS 3.2.1 and its predecessors included not only a series of objectives (i.e., protect cardholder data), but very specific requirements that dictate exactly how companies must achieve those goals. In other words, the standard is extremely prescriptive. Should a business be unable to follow these prescriptive steps to compliance, they must implement a compensating control; this can often be an extremely time-consuming and costly procedure that requires an organization to go well above and beyond the intent of the primary control itself.

PCI-DSS 4.0 does keep the existing prescriptive method for compliance, should an organization want to continue cookie-cutter security. However, 4.0 is replacing compensating controls with an alternate option: customized implementation.

Customized implementation takes into consideration the original intent of the objective and allows organizations to design their own security controls to meet it. Once an organization determines the security control for a system, network, or other object, it must provide full documentation to enable its PCI Qualified Security Auditor (QSA) to make a final decision on the effectiveness of the control. Should the QSA not accept the control or the documentation, the organization may then be asked to enhance it, alter it, or potentially go back to the prescriptive control requirement.

Another area that’s changed is around the use of cloud and serverless computing. The core controls of the current version 3.2.1 were not designed for modern IT environments that often leverage multi-cloud, on-premises, and vendor networks. Version 4.0 introduces an updated set of requirements and approaches to securing cloud and serverless workloads.

Organizations will also find new control requirements, such as an expansion of cardholder data encryption over any transmission, including within trusted networks. There is also a control requirement update regarding multifactor authentication and logins.

Why These Changes Are Important (and Exciting!)

The twelve foundational requirements and list of controls included in PCI DSS 3.2.1 are still a part of 4.0. But the addition of the customized implementation option introduces new flexibility for companies to use a broader range of methods and technologies to achieve each PCI objective. And, ultimately, organizations might find a more cost-effective or simpler way to comply. Another potential perk of the ability to now build in “unique” controls is added confidence against the effectiveness of attacks designed to outmaneuver the more prescriptive approach published publicly by the PCI SSC.

In addition to this, organizations that take their data security seriously will be more open to creating various unique ways and methods to protect their Card Data Environments (CDEs). Organizations can start incorporating solutions such as PK Protect Endpoint Manager (PEM) to help keep an eye on and control the scope of their CDE so they are always aware of where payment cards are.

Going beyond that, companies could also choose to begin leveraging element-level encryption with PEM. PKWARE’s proprietary data security solution works throughout the data’s lifecycle: Whether that data is in an Excel spreadsheet, an email, or a Word file, it will always be protected.

These types of controls, while not technically prescriptive to the DSS, can only help an organization’s PCI QSA during their assessment. As any PCI professional knows, it’s important to build trust and credibility with your QSA. Having reports and technology that make the QSA’s job easier and faster will not only save your organization time and money, it will also give the QSA assurance that your teams are doing everything they can to keep security front of mind.

Get Creative with PCI DSS 4.0 and PKWARE

New controls and regulations often seem daunting. However, this time around, we can all take some relief in that while there will be more controls, there will also be more freedom in how we achieve those controls. So get creative!

If you haven’t started yet, it’s time to get ready for PCI DSS 4.0. Start your road to PCI DSS compliance now with help from PKWARE. Request a customized demo today.

Not sure where to start? Let PKWARE’s Data Risk Assessment help you understand where your risks are and how you can solve them before your next PCI DSS assessment.
