# PCI DSS 4.0
Payment Card Industry Data Security Standard version 4.0 (PCI DSS 4.0) is the security standard governing every organization that stores, processes, or transmits payment card data. Published by the PCI Security Standards Council (PCI SSC) on March 31, 2022, it superseded version 3.2.1 in its entirety when 3.2.1 was retired on March 31, 2024. A second date matters more in practice: March 31, 2025, when the 51 "future-dated" requirements that v4.0 introduced as best practice, and that assessors did not have to test until then, became mandatory with no exceptions. (A limited revision, v4.0.1, published in June 2024, corrected errata and clarified guidance without adding or removing requirements; references to "4.0" in this article cover both.)
PCI DSS 4.0 groups 12 security requirements under six control objectives, covering network security controls, protection of stored and transmitted account data, vulnerability and application security, access control, logging and testing, and security policy and vendor management. Compliance is contractual, not optional: failure to meet the standard can result in card brand fines, increased transaction fees, reputational damage, and ultimately the loss of the ability to accept card payments.
What distinguishes PCI DSS 4.0 from its predecessor is a deliberate shift in philosophy. Version 3.2.1 was largely prescriptive: here is what you must do. Version 4.0 introduces the Customized Approach, which allows mature organizations to define their own controls for meeting a stated security objective, provided they can document, test, and demonstrate effectiveness. This is not a relaxation of security requirements. It is a recognition that rigid technical prescriptions can become compliance theater when they do not match an organization's actual architecture.
PCI DSS 4.0 sits firmly in RGA (Risk Governance and Assurance), the outermost layer of CDA's Planetary Defense Model. It provides the governance framework that forces attention onto inner layers, particularly DPS (encryption and data handling), IAT (access control and MFA), and VSD (vulnerability management and application security).
---
PCI DSS 4.0 organizes its 12 requirements into six high-level control goals:

- Goal 1: Build and Maintain a Secure Network and Systems (Requirement 1, network security controls; Requirement 2, secure configurations for all system components)
- Goal 2: Protect Account Data (Requirement 3, stored account data; Requirement 4, strong cryptography for cardholder data in transit over open, public networks)
- Goal 3: Maintain a Vulnerability Management Program (Requirement 5, protection against malicious software; Requirement 6, secure systems and software)
- Goal 4: Implement Strong Access Control Measures (Requirement 7, need-to-know access restriction; Requirement 8, identification and authentication; Requirement 9, physical access)
- Goal 5: Regularly Monitor and Test Networks (Requirement 10, logging and monitoring; Requirement 11, regular security testing)
- Goal 6: Maintain an Information Security Policy (Requirement 12, organizational policies and programs)
PCI DSS 4.0 offers two compliance pathways:
The Defined Approach (the traditional path) implements each requirement exactly as written and is validated with the standard's own testing procedures. Organizations that want certainty and predictability use it, and it is the only path open to organizations that validate with a self-assessment questionnaire (SAQ). Compensating controls, carried over from v3.2.1 for cases where a documented constraint prevents meeting a requirement as stated, exist only within the Defined Approach.
The Customized Approach lets an organization implement a control of its own design that meets the requirement's stated Customized Approach Objective. For each such control the entity must complete a controls matrix and a targeted risk analysis (templates are in Appendix E of the standard), and the QSA must derive and perform its own testing procedures to show that the control meets the objective. It is selected per requirement, so a single assessment can mix both approaches, but it is available only within a full Report on Compliance (ROC); SAQ filers cannot use it, and a few requirements are explicitly marked as not eligible for it.
PCI DSS applies to the cardholder data environment (CDE): the people, processes, and system components that store, process, or transmit cardholder data or sensitive authentication data, plus any system connected to the CDE or able to affect its security (directory services, patch and configuration servers, logging and monitoring platforms, jump hosts). Scope creep, where a flat network or a shared service drags unrelated systems into the assessment, is one of the most common and expensive problems in PCI compliance, and v4.0 requires the entity to document and confirm its scope at least once every 12 months and after significant change (Requirement 12.5.2).
Scope reduction techniques:

- Network segmentation, so that systems outside the CDE have no connectivity to it. Segmentation is not required, but if it is relied on for scope reduction its effectiveness must be penetration tested (Requirement 11.4.5, at least annually; 11.4.6 every six months for service providers).
- Tokenization, replacing stored PANs with surrogate values so that downstream systems never hold cardholder data.
- Point-to-point encryption (P2PE) using a PCI-listed solution, which encrypts at the terminal and can reduce a merchant's validation to SAQ P2PE.
- Outsourcing payment capture to a validated third party, for example a fully redirected or iframe-embedded payment page, so that the merchant's own web stack never touches cardholder data (SAQ A).
The type of compliance validation a merchant must perform depends on transaction volume, measured as the number of card transactions processed annually:

| Level | Annual transaction volume | Assessment requirement |
|-------|---------------------------|------------------------|
| Level 1 | Over 6 million Visa or Mastercard transactions (any channel), or any merchant a card brand designates as Level 1, for example following a breach | Annual Report on Compliance (ROC) by a QSA; quarterly ASV scans |
| Level 2 | 1 million to 6 million transactions | Annual SAQ (Mastercard requires it to be completed by ISA-trained staff or a QSA; QSA sign-off is otherwise recommended); quarterly ASV scans |
| Level 3 | 20,000 to 1 million e-commerce transactions | Annual SAQ; quarterly ASV scans |
| Level 4 | Fewer than 20,000 e-commerce transactions, or up to 1 million transactions through any other channel | Annual SAQ; quarterly ASV scans where the acquirer requires them |

These levels are defined by the card brands, not by PCI DSS itself, and differ slightly between brands; the acquirer makes the final assignment and may raise a merchant's level. Service providers use a separate scale (Level 1 begins at 300,000 transactions per year).
SAQ types (A, A-EP, B, B-IP, C, C-VT, D, P2PE, and SPoC, added in v4.0) correspond to different payment acceptance methods and scope profiles. An e-commerce merchant whose payment page is fully outsourced by redirect or iframe qualifies for SAQ A; one whose own site serves the page but posts the card fields to a third party needs SAQ A-EP, which carries far more requirements; a physical retailer with standalone chip-and-PIN terminals uses SAQ B or B-IP.
Implementation costs for PCI DSS 4.0 vary significantly by organization size and current posture. A rough benchmark:
The ongoing annual cost of compliance often exceeds the initial remediation cost by Year 2, once organizations account for quarterly scanning, annual penetration testing, log management infrastructure, and security awareness training.
---
PCI DSS failures cost money in three distinct categories, and many organizations underestimate all three.
Regulatory fines and card brand penalties: Non-compliance fines from Visa and Mastercard range from $5,000 to $100,000 per month. Following a breach, fines can reach $500,000 per incident. The fines are levied against the acquiring bank, which passes them directly to the merchant through the merchant agreement.
Post-breach forensics and remediation: A PCI Forensic Investigator (PFI) engagement following a breach typically costs $50,000-$500,000. The organization must also pay for card replacement for every affected card, fraud reimbursement, and enhanced monitoring.
Reputational damage and lost revenue: For e-commerce and retail businesses, the reputational cost of a card data breach often exceeds the direct financial cost. Customers who learn their payment data was compromised do not return.
The common misconception about PCI DSS is that compliance equals security. It does not. PCI DSS is a minimum floor. Organizations that treat compliance as the ceiling consistently find that they meet the standard on paper while remaining exploitable in practice. The Customized Approach in version 4.0 is partly a response to this: prescriptive controls applied without operational context do not produce security, they produce documentation.
The March 2025 deadline for the formerly future-dated requirements caught many organizations off guard. Requirements such as MFA for all access into the CDE and hardened MFA implementations (8.4.2, 8.5.1), authorization and integrity control of payment-page scripts together with tamper detection on the page as delivered to the browser (6.4.3, 11.6.1), automated log review (10.4.1.1), keyed cryptographic hashes for any hashed PAN (3.5.1.1), and targeted risk analyses wherever the standard lets the entity set a frequency (12.3.1) were best practice only until that date. Organizations that delayed them now face non-compliance with requirements that had been published for three years. Note that v4.0 asks for MFA that resists replay and cannot be bypassed, not specifically phishing-resistant MFA; FIDO2 exceeds the requirement rather than merely meeting it.
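The payment-page script requirements named above (6.4.3 and 11.6.1) are easy to state and easy to get wrong. The following Python is an added example written for this article, not PCI SSC or CDA code: it audits a payment page against an inventory of authorized scripts using Subresource Integrity (SRI) digests, one accepted way to meet the integrity part of 6.4.3, and flags any script the inventory does not authorize, which is the core of 11.6.1's change detection. The URLs, script bodies and the HTML page are constructed sample data, and the function names are this example's own.

```python
"""Added example (not from PCI SSC, CDA or the article): payment-page script
control for PCI DSS v4.0 Req. 6.4.3 (every script loaded and executed in the
consumer's browser is authorized, its integrity assured, and inventoried with
a written justification) and Req. 11.6.1 (a mechanism detects unauthorized
modification of the payment page as received by the browser).

Approach: keep an inventory of authorized external scripts (URL plus the SRI
digest the tag must carry) and of authorized inline scripts (digest of the
exact body).  Parse the page as the browser would receive it and report
anything not in the inventory or whose integrity changed.  The HTML and the
inventory below are constructed sample data.
"""
import base64
import hashlib
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity token ("sha384-<base64 digest>") for a script body."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


@dataclass
class Script:
    src: Optional[str]
    integrity: Optional[str]
    body: str = ""


class ScriptCollector(HTMLParser):
    """Collects every <script> tag with its src, integrity attribute and inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Script] = []
        self._current: Optional[Script] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            a = dict(attrs)
            self._current = Script(src=a.get("src"), integrity=a.get("integrity"))

    def handle_data(self, data: str) -> None:
        if self._current is not None:          # inline body may arrive in pieces
            self._current.body += data

    def handle_endtag(self, tag: str) -> None:
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_payment_page(html: str,
                       authorized_external: Dict[str, str],
                       authorized_inline: Set[str]) -> List[str]:
    """Return findings for the page; an empty list means it matches the inventory."""
    collector = ScriptCollector()
    collector.feed(html)
    findings: List[str] = []
    for s in collector.scripts:
        if s.src is not None:
            expected = authorized_external.get(s.src)
            if expected is None:
                findings.append(f"unauthorized external script: {s.src}")
            elif s.integrity is None:
                findings.append(f"integrity attribute missing: {s.src}")
            elif s.integrity != expected:
                findings.append(f"integrity mismatch: {s.src}")
        else:
            digest = sri_digest(s.body.encode())
            if digest not in authorized_inline:
                findings.append(f"unauthorized inline script: {digest}")
    return findings


# --- constructed sample data (hypothetical hosts, not real services) ----------
CHECKOUT_JS_URL = "https://pay.example.test/checkout.js"
CHECKOUT_JS_SRI = sri_digest(b"// checkout.js v1 (constructed body)")
CONFIG_INLINE = "window.payConfig = {merchant: 'demo-merchant'};"

AUTHORIZED_EXTERNAL = {CHECKOUT_JS_URL: CHECKOUT_JS_SRI}
AUTHORIZED_INLINE = {sri_digest(CONFIG_INLINE.encode())}

CLEAN_PAGE = (
    f'<script src="{CHECKOUT_JS_URL}" integrity="{CHECKOUT_JS_SRI}" crossorigin="anonymous"></script>'
    f"<script>{CONFIG_INLINE}</script>"
)
# Same page with two additions a skimming attacker or a careless deploy would make.
TAMPERED_PAGE = (
    CLEAN_PAGE
    + '<script src="https://cdn.example.test/analytics.js"></script>'
    + "<script>window.payConfig.collect = true;</script>"
)

if __name__ == "__main__":
    print("clean:   ", audit_payment_page(CLEAN_PAGE, AUTHORIZED_EXTERNAL, AUTHORIZED_INLINE))
    print("tampered:", audit_payment_page(TAMPERED_PAGE, AUTHORIZED_EXTERNAL, AUTHORIZED_INLINE))
```

In production the page is fetched the way a real browser receives it (11.6.1 is about what the browser gets, not what the server believes it sends), the check runs at least once every seven days or at a frequency justified by a targeted risk analysis, and SRI only works for scripts whose origin serves them with CORS headers. Third-party tags that change on every load cannot carry a fixed digest; for those, a CSP allowlist plus a vendor change-notification process is the usual way to satisfy the authorization and integrity parts of 6.4.3.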
---
PCI DSS 4.0 spans multiple PDM domains. The governance framework lives in RGA, but its technical requirements reach into every inner layer:
| PCI DSS Requirement Area | PDM Domain | CDA Methodology |
|--------------------------|------------|-----------------|
| Requirements 3-4: Data protection, encryption, TLS | DPS (Data Protection and Sovereignty) | Sovereign Data Protocol (SDP) |
| Requirements 5-6: Vulnerability management, application security, WAF | VSD (Vulnerability and Surface Defense) | Continuous Surface Reduction (CSR) |
| Requirements 1-2, 5: Network security controls, hardening, anti-malware | SPH (Security Posture and Hygiene) | Autonomous Posture Command (APC) |
| Requirement 8: MFA, identity, access control | IAT (Identity Access and Trust) | Zero Possession Architecture (ZPA) |
| Requirements 10-11: Logging, monitoring, intrusion detection, penetration testing | TID (Threat Intelligence and Defense) | Predictive Defense Intelligence (PDI) |
| Requirement 12 and overall compliance governance | RGA (Risk Governance and Assurance) | Perpetual Compliance Assurance (PCA) |
This table reveals a fundamental truth about PCI DSS: organizations that view it purely as a governance checklist handled by their compliance team will fail. The technical requirements (encryption, MFA, segmentation, patching, WAF) require hands-on engineering across every PDM layer.
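Requirement 3 is where "compliance on paper" most often diverges from security in practice, and v4.0's keyed-hash rule (3.5.1.1) is a concrete case. The following Python is an added example written for this article, not code from PCI SSC or CDA. It shows that a PAN masked to BIN plus last four (the most 3.4.1 allows on display) and an unkeyed SHA-256 of the same PAN, if both are exposed, let an attacker recover the full PAN in roughly 10^5 hash operations, because only six digits are hidden and the Luhn check fixes one of them; an HMAC with a secret key managed under Requirements 3.6 and 3.7 removes that shortcut. The PAN 4111 1111 1111 1111 is the standard Luhn-valid test number, and the function names are this example's own.

```python
"""Added example (not from PCI SSC, CDA or the article): why PCI DSS v4.0
Req. 3.5.1.1 requires a keyed cryptographic hash when a PAN is hashed.

Req. 3.4.1 allows a displayed PAN to show at most the BIN and last four
digits.  If the same PAN is also stored as an unkeyed SHA-256 digest, the two
values together leak the full PAN: only the middle digits are unknown, and the
Luhn check digit removes one of them.  recover_pan() is that attack.  A keyed
hash (HMAC) with a secret key held under the Req. 3.6/3.7 key-management
controls closes it.  4111 1111 1111 1111 is a standard Luhn-valid test number,
not a real card.
"""
import hashlib
import hmac
import itertools
import secrets
from typing import Optional


def luhn_contribution(digit: int, doubled: bool) -> int:
    """Value a digit adds to the Luhn sum; doubled digits fold back below 10."""
    d = digit * 2 if doubled else digit
    return d - 9 if d > 9 else d


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check: every second digit from the right is doubled."""
    total = sum(luhn_contribution(int(ch), i % 2 == 1)
                for i, ch in enumerate(reversed(pan)))
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req. 3.4.1 display masking: BIN (first six) and last four are the maximum shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_pan_hash(pan: str) -> str:
    """Pre-v4.0 practice: plain SHA-256 of the PAN.  Not acceptable under 3.5.1.1."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Req. 3.5.1.1: keyed cryptographic hash of the entire PAN (HMAC-SHA256)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(masked: str, digest: str) -> Optional[str]:
    """Attacker's view: masked PAN plus an unkeyed SHA-256 digest -> full PAN.

    Enumerates the hidden digits but lets the Luhn checksum determine the last
    hidden digit, so 10^(hidden - 1) candidates are hashed instead of
    10^hidden.  Returns None when nothing matches, which is what happens when
    the digest was keyed and the attacker does not hold the key.
    """
    n = len(masked)
    hidden = [i for i, ch in enumerate(masked) if ch == "*"]
    if not hidden:
        return masked if unkeyed_pan_hash(masked) == digest else None

    def doubled(index: int) -> bool:      # doubled at odd distance from the right
        return (n - 1 - index) % 2 == 1

    known = sum(luhn_contribution(int(ch), doubled(i))
                for i, ch in enumerate(masked) if ch != "*")
    free, solved = hidden[:-1], hidden[-1]
    # luhn_contribution is a bijection on 0..9 for either weight, so each
    # residue the solved digit must supply maps to exactly one digit.
    fix = {luhn_contribution(d, doubled(solved)): d for d in range(10)}
    template = list(masked)
    for digits in itertools.product(range(10), repeat=len(free)):
        partial = known + sum(luhn_contribution(d, doubled(i))
                              for d, i in zip(digits, free))
        for d, i in zip(digits, free):
            template[i] = str(d)
        template[solved] = str(fix[(-partial) % 10])
        candidate = "".join(template)
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"
    masked = mask_pan(pan)
    print("masked PAN:          ", masked)
    print("from unkeyed SHA-256:", recover_pan(masked, unkeyed_pan_hash(pan)))
    key = secrets.token_bytes(32)             # in production: generated and held in an HSM/KMS
    print("from keyed hash:     ", recover_pan(masked, keyed_pan_hash(pan, key)))
```

The same reasoning is why 3.5.1 warns that a truncated PAN and a hash of the same PAN must not be stored together unless the hash is keyed, and why a tokenization service that derives tokens from an unkeyed hash of the PAN has not actually removed cardholder data from scope.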
CDA's Perpetual Compliance Assurance (PCA) methodology treats PCI DSS compliance as a continuous operational state, not a point-in-time project. The annual QSA assessment is an artifact of PCA, not the goal itself. Organizations that run PCA correctly are always in a state of demonstrable compliance because the controls are embedded in operations.
The most impactful lever CDA applies to PCI DSS engagements is scope reduction through CSR (Continuous Surface Reduction). Reducing CDE scope is the single most cost-effective strategy available to most organizations. Every system removed from CDE scope is a system that does not require PCI controls, does not require QSA review, and does not become a liability in the event of a breach. CDA's CSR methodology maps the network topology, identifies all in-scope systems, and systematically evaluates which can be removed through tokenization, P2PE, or segmentation.
For Requirement 8, CDA applies ZPA (Zero Possession Architecture): the MFA and access control requirements of PCI DSS 4.0 are not compliance checkboxes but the technical implementation of the ZPA principle that no credential should be sufficient on its own. Phishing-resistant MFA (FIDO2, hardware security keys) is not just the right answer for PCI: it is the right answer for every privileged account in every organization.
The Foundational Risk Map (FRM) assessment includes a PCI scope mapping as a standard component for any organization that handles payment data. The Shield visualization surfaces CDE-adjacent gaps in SPH (unpatched systems), VSD (exposed services and application vulnerabilities), and IAT (weak access controls) that translate directly into PCI non-compliance findings.
CDA's PCI engagement approach follows the five campaign phases:
---
PCI Security Standards Council. PCI DSS v4.0. PCI SSC, March 2022. https://www.pcisecuritystandards.org/document_library/
PCI Security Standards Council. PCI DSS v4.0 Summary of Changes from PCI DSS v3.2.1 to v4.0. PCI SSC, March 2022.
PCI Security Standards Council. Customized Approach Frequently Asked Questions. PCI SSC, 2022.
Verizon. Payment Security Report. Verizon, 2023. https://www.verizon.com/business/resources/reports/payment-security-report/
CDA, LLC. Foundational Risk Map (FRM): PCI Scope Assessment Module. Internal Reference.
Written by Evan Morgan