Guide to the PCI-DSS v4.0.1 regulations [Updated for 2025]

The PCI DSS compliance framework has been a staple in the cybersecurity realm for businesses handling credit card transactions. The Payment Card Industry Data Security Standard was developed to encourage and enhance payment card account data security, and it defines consistent security measures for protecting, processing, and storing payment card data. PCI DSS is not a government regulation; it is maintained by the PCI Security Standards Council, a collaboration of the major credit card companies. 

Organizations that store, process, or transmit cardholder data fall under the compliance framework known as PCI-DSS (Payment Card Industry Data Security Standard). It’s there to help protect cardholders and businesses dealing with cardholder data from cyber-attacks and breaches. The most recent version released by the PCI Security Standards Council (PCI SSC) is version 4.0.1. 

So what’s new in the latest update and how can organizations best stay compliant in 2025? We’ll walk through everything you need to know.  

What are the key requirements of PCI DSS?

The latest version establishes 12 core security requirements set to enhance and protect the security of payments: 

  1. Install and maintain network security controls 
  2. Apply secure configurations to all system components 
  3. Protect stored account data 
  4. Protect cardholder data with strong cryptography during transmission over open, public networks 
  5. Protect all systems and networks from malicious software 
  6. Develop and maintain secure systems and software 
  7. Restrict access to system components and cardholder data 
  8. Identify users and authenticate access to system components 
  9. Restrict physical access to cardholder data 
  10. Log and monitor all access to system components and cardholder data 
  11. Test security of systems and networks regularly 
  12. Support information security with organizational policies and programs 

It is also worth noting that PCI-DSS establishes a minimum baseline of technical and operational requirements for protecting account data and helping prevent data breaches or other cyberattacks that could compromise the payment workflow. Organizations can, and often should, add security measures on top of the PCI-DSS guidelines to further strengthen cardholder data security. 

PCI-DSS fines 

Are there penalties for PCI-DSS non-compliance? The PCI compliance framework does have ‘teeth’ in that it can lead to real-world fines for businesses that are found to be non-compliant. These fines can range from $5,000 to $100,000 a month. Other penalties and consequences can also affect businesses monetarily, such as higher bank transaction fees or possibly even termination of the relationship with the bank altogether. 

What’s new in PCI-DSS v4.0.1? 

PCI DSS v4.0.1 raises the level of protection for digital identities. Since many payment services, payment processors, and related entities have moved to cloud computing, more robust security and compensating controls are needed to secure authentication mechanisms. The new requirements align more closely with NIST best practices for user accounts: 

  • Enhanced password requirements: The minimum password length for general user accounts is now 12 characters. For service accounts used by applications, services, and systems, the recommendation is a password of at least 15 characters. Passwords must meet complexity requirements, including alphanumeric characters, and be checked against lists of breached and otherwise bad passwords. You can find a full guide to creating a PCI-compliant password policy here.  
  • Increased flexibility and customization: PCI DSS v4.0 allows organizations to implement security controls that are more tailored to their specific environments and risk profiles. This is achieved through the introduction of “Compensating Controls” and “Alternative Approaches” that can be used to meet the standard’s requirements. 
  • Multi-factor authentication (MFA): MFA for PCI is now required for all administrative access to the cardholder data environment (CDE). 
  • Encryption: Enhanced encryption requirements for data at rest and in transit to better protect sensitive cardholder data. 
  • Secure software development: New requirements for secure software development practices, including threat modeling and code reviews. 
  • Focus on emerging technologies: The update addresses the security challenges posed by emerging technologies such as cloud services, virtualization, and containerization. It provides guidance on how to secure these environments and integrate them into the PCI DSS framework. 
  • Improved risk assessment: There is a greater emphasis on continuous risk assessment and management. Organizations are required to conduct regular risk assessments to identify and mitigate potential vulnerabilities. They must also review access privileges at least every six months. 
  • Penetration testing and vulnerability scanning: The frequency and scope of penetration testing and vulnerability scanning have been increased to ensure that security measures are robust and up-to-date. 
  • Incident response and forensics: Enhanced requirements for incident response planning and forensic investigations to help organizations quickly and effectively respond to security breaches. 
  • Training and awareness: There is a stronger focus on training and awareness programs for employees to ensure they understand and follow security best practices. 
  • Compliance validation: The process for validating compliance has been refined to be more continuous and less reliant on annual assessments. This includes the introduction of “Continuous Monitoring” requirements. 
  • Clarification and simplification: The update aims to clarify and simplify some of the existing requirements to make them easier to understand and implement. 
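The password rules above, written out as a small policy checker. This is an added example, not code from the article or from Specops: the 12- and 15-character minimums come from the article, while the breached-password set, the custom dictionary, and the account names are constructed samples; the user-name and custom-dictionary checks reflect the password-blocking features the article describes later on.

```python
import hashlib
import re

# Minimum lengths the article gives for PCI DSS v4.0.1: general user accounts vs. service accounts
MIN_LENGTH = {"user": 12, "service": 15}

# Constructed sample "breached password" list, stored as SHA-1 digests so the
# plaintext passwords never have to sit in a config file or in memory.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password123!", "Summer2024!!", "Welcome12345")  # constructed samples
}

# Constructed organisation-specific dictionary (company and product names, etc.)
CUSTOM_DICTIONARY = {"acme", "acmepay", "cardholder"}


def check_password(password: str, account_type: str = "user", username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    failures = []
    min_len = MIN_LENGTH[account_type]
    if len(password) < min_len:
        failures.append(f"shorter than the {min_len} characters required for {account_type} accounts")
    # Alphanumeric complexity: the password must contain both letters and digits.
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        failures.append("must contain both letters and digits")
    lowered = password.lower()
    if username and username.lower() in lowered:
        failures.append("contains the user name")
    if any(word in lowered for word in CUSTOM_DICTIONARY):
        failures.append("contains a word from the custom dictionary")
    # Compare hashes, never plaintext, against the breached list.
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        failures.append("found in breached password list")
    return failures


if __name__ == "__main__":
    # Constructed candidates: one breached, one too short for a service account, one that passes.
    for pw, kind in [("Password123!", "user"), ("Tr0ub4dor&3", "service"), ("Tr0ub4dor&3-horse", "service")]:
        print(kind, pw, "->", check_password(pw, kind) or "OK")
```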

In general, the twelve core tenets of PCI-DSS did not change with version 4.0.1 of the standard. These core requirements are the framework’s pillars and still apply to every organization complying with PCI DSS. PCI DSS v4.0.1 is built on the concept of zero trust, which is increasingly recognized as the best practice moving forward. What is new with PCI DSS v4.0.1 is an additional option for meeting the requirements: the customized approach. Organizations can now choose between the defined approach and the customized approach.

Customized approach  

With the customized approach, businesses can design their own security controls and standards to satisfy the PCI DSS v4.0 requirements, modify the implementation procedures, and still meet the objectives set forth. It also allows businesses to demonstrate how they meet the security intent of each PCI DSS requirement. Companies may use security approaches different from those outlined by traditional PCI requirements, providing an alternative way to satisfy the PCI DSS framework. 

It’s worth noting that when using the customized approach, a qualified security assessor (QSA) must review the custom controls defined by the customer and determine whether they are acceptable for complying with the requirements as outlined. This gives the customer flexibility together with independent verification that the requirements are satisfactorily met. 

Defined approach  

The defined approach in PCI-DSS 4.0 remains relatively unchanged from prior versions. It consists of a detailed control statement and the related testing the QSA must complete to confirm the control is in place. Compensating controls are still a viable option and can be used when needed. The defined approach is ideal for organizations that are at the beginning stages of their cybersecurity and compliance initiatives, have budget constraints, or already have compensating controls in place that align with PCI-DSS requirements. 

Who needs to comply with PCI-DSS? 

PCI DSS (Payment Card Industry Data Security Standard) compliance is required for any organization that handles, processes, stores, or transmits credit card data. This includes a wide range of entities, such as: 

  1. Merchants: Any business that accepts credit card payments, regardless of size or type. This can include retail stores, e-commerce websites, restaurants, and service providers. 
  2. Service providers: Companies that provide services involving the processing, storage, or transmission of cardholder data on behalf of other merchants or service providers. Examples include payment processors, gateway providers, and hosting services. 
  3. Acquirers: Financial institutions that process credit card transactions for merchants. This includes banks and other payment facilitators. 
  4. Issuers: Financial institutions that issue credit cards to consumers. This includes banks and credit unions. 
  5. Software developers: Companies that develop software used in the payment card industry, such as point-of-sale (POS) systems, payment applications, and other financial software. 
  6. Third-party vendors: Any third-party vendors or partners that have access to cardholder data as part of their services to merchants or service providers. 
  7. Financial institutions: Banks and other financial institutions that are involved in the payment card ecosystem, including those that issue cards and those that process transactions. 
  8. Payment facilitators: Platforms that enable merchants to accept payments, such as payment aggregators and payment service providers. 
  9. Any entity handling cardholder data: This includes any organization, regardless of its primary function, that has access to or handles cardholder data in any capacity. 

Is PCI DSS a worldwide regulation? 

Yes, PCI DSS (Payment Card Industry Data Security Standard) is a worldwide standard. It applies to any organization, regardless of its location, that handles, processes, stores, or transmits credit card data. This includes merchants, service providers, acquirers, issuers, and any other entities involved in the payment card ecosystem. 

When are organizations required to implement PCI DSS v4.0? 

There is a transition period from PCI DSS v3.2.1 to the new v4.0.1 standard, and organizations are required to be fully compliant by March 31, 2025. Businesses would be prudent to start the transition work now so that they comply fully by 2025. 


Is your organization’s password policy compliant with PCI-DSS? 

With the more stringent account and password standards in the new PCI DSS v4.0.1 framework, organizations would do well to implement the technical controls needed to protect against weak and breached passwords. Many entities that must comply with PCI DSS use Active Directory as their Identity and Access Management (IAM) solution.  

Unfortunately, Active Directory contains no built-in capabilities to check for breached and other dangerous password types. Specops Password Policy with Breached Password Protection provides organizations with the tools needed to comply with PCI DSS v4.0.1 and other compliance framework requirements to protect account passwords: 

  • Create custom dictionaries to protect against dangerous passwords specific to your business 
  • Continuously scan your Active Directory against a database of over 4 billion unique compromised passwords  
  • Dynamic end-user feedback to help users create compliant passwords for their accounts 
  • Length-based password expiration with customizable email notifications 
  • Block user names, display names, specific words, consecutive characters, incremental passwords, and password reuse 

Interested to see how Specops Password Policy could fit in with your organization? Get in touch and we’ll set you up with a free trial.

FAQ

What are the changes from PCI-DSS v3.2.1 to v4.0.1? 

PCI DSS v4.0 keeps many of the same core concepts of v3.2.1 in place. However, it strengthens the requirements of account passwords and other areas around authentication and authorization.

When do I need to comply with PCI-DSS v4.0.1 by? 

Organizations must be fully compliant with PCI DSS v4.0 by March 31, 2025.

Does PCI-DSS apply to my organization? 

PCI DSS requirements apply to entities with environments where cardholder data is stored, processed, or transmitted and entities with environments that can impact the security of the cardholder data environment (CDE).

(Last updated on January 8, 2025)


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.
