The 4 Goals of PCI DSS v4.0
September 12, 2022
At a Glance
The main takeaway: The PCI Security Standards Council released PCI DSS version 4.0 on March 31, 2022 to replace version 3.2.1. Businesses subject to PCI compliance must understand the significant changes in PCI 4.0 as they plan their transition from PCI DSS v3.2.1 to v4.0. This video is the first in a series outlining the 4 overarching goals of PCI DSS v4.0.
Impact on your business: PCI v4.0 includes significant enhancements across the PCI DSS compliance framework that will provide additional clarity and assurance to both entities subject to PCI and the third-party business partners that rely on PCI Reporting. Therefore, migration from version 3.2.1 to version 4.0 will require extensive planning to effectively manage resources and costs.
Next Steps: Version 3.2.1 will be officially retired on March 31, 2024. Until this date, entities can select between version 3.2.1 or version 4.0 as the standard to demonstrate their PCI compliance status. Due to the considerable changes in version 4.0, Aprio believes it is in the best interest of your business to begin your transition to PCI DSS v4.0 as soon as feasible.
Schedule a consultation with an Aprio PCI DSS Qualified Security Assessor today.
The full story
The PCI DSS is a global standard of technical and operational requirements designed to protect payment data. The PCI Security Standards Council released PCI DSS version 4.0 on March 31, 2022 to replace version 3.2.1, which was issued in May 2018.
PCI SSC has established a 2-year transition period for entities to adopt version 4.0. This means that version 3.2.1 will be officially retired on March 31, 2024. It also means that until March 31, 2024, entities can select between version 3.2.1 or version 4.0 as the standard to demonstrate their PCI compliance status.
There are several new requirements in version 4.0 that become effective March 31, 2025; until then, these are considered optional best practices. In our opinion, version 4.0's enhancements to the structure and content of PCI DSS compliance reporting make PCI a comprehensive and sustainable security framework for protecting cardholder data.
Version 4.0 also includes significant enhancements to the validation approach and report structure that will provide additional clarity and assurance to both entities subject to PCI requirements and the many third-party stakeholders who rely on the PCI DSS reporting of their business partners.
Aprio believes it is in the best interest of your company to migrate to version 4.0 as soon as feasible, regardless of whether you are new to PCI DSS or a long-time filer.
The PCI SSC has indicated that version 4.0 was designed to achieve four overarching goals.
- To continue to meet the security needs of the payments industry
- To promote security as a continuous process
- To increase flexibility of the methods used to achieve security objectives
- To enhance validation methods and procedures
Related Resources
We have created a series of videos to drill down into the purpose and intent of these goals and the changes represented in 4.0 to achieve these goals.