With just 12 months to go until PCI DSS v4.0 becomes mandatory, now is the time to prepare for the latest update to the payment security standard.

Merchant and service provider organizations that store, process or transmit payment card information, including pre-pay, debit and credit cards, must comply with PCI DSS under their contractual obligations with clients, acquirers or card brands. Service providers that can impact the security of payment card data are also required to comply with the standard.

The last iteration of the PCI DSS, v3.2.1, will be retired on March 31, 2024. For organizations in scope of the standard, this means they’ll no longer be able to assess against this version.

PCI DSS v4.0 introduces a number of new controls and extends the applicability of others, affecting all organizations looking to comply with the standard.

Introducing the Customized Approach

The updated standard introduced a new customized approach to offer more flexibility and innovation in security controls while ensuring the intent of the standard is satisfied. However, this approach is only recommended for organizations with mature risk management programs and requires cooperation and collaboration between the organization and their QSA to determine the acceptability of customized controls and the testing procedures to validate their effectiveness.

Scoping for PCI DSS v4.0

The new standard also introduced a new control (12.5.2.) requiring organizations to verify their PCI DSS scope at least every 12 months (every six months for service providers). For DESV-eligible organizations, this is required every three months. For service providers, a further scoping exercise is required following any significant changes to the organizational structure (12.5.3.).

While scoping has always been a prerequisite for compliance and annual assessment, this is the first time it has been formalized in the requirements.

Using data discovery scanning simplifies the scope validation process by identifying:

  • All locations of stored account data, including any unauthorized locations of data
  • The boundary of the cardholder data environment (CDE) and the accuracy of data flow diagrams
  • All in-scope assets (based on the locations of account data and data flows, following PCI DSS scoping guidelines)
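To make the first point concrete, here is an added sketch of what a discovery scan does when it looks for stored PAN; it is not Ground Labs' product code and is not prescribed by PCI DSS. It assumes plain-text input, finds 13 to 19 digit candidates, keeps those that pass the Luhn checksum, and reports them masked. The file names and contents are constructed sample data.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs (order IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits so the report holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(location: str, text: str) -> list:
    """Return (location, line number, masked PAN) for each Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append((location, lineno, mask(digits)))
    return hits


def scan_all(files: dict) -> list:
    return [hit for loc, text in files.items() for hit in scan_text(loc, text)]


# Constructed sample data. 4111111111111111 and 5555-5555-5555-4444 are
# widely published test card numbers, not real accounts.
SAMPLE_FILES = {
    "app/debug.log": "2024-01-05 order=1234567890123456 status=ok\n"
                     "2024-01-05 card=4111111111111111 auth=declined\n",
    "exports/crm_notes.csv": "id,note\n7,customer read out 5555-5555-5555-4444\n",
    "docs/readme.txt": "Support line: 0800 123 4567\n",
}

if __name__ == "__main__":
    for location, lineno, masked in scan_all(SAMPLE_FILES):
        print(f"{location}:{lineno}: possible PAN {masked}")
```

Luhn-valid hits are still only candidates: roughly one in ten random digit strings passes the checksum, so each location needs review before it is counted as in scope.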

Among other significant updates to the controls, PCI DSS v4.0 requires organizations to:

  • Prevent users from copying or relocating PAN data when accessing it using remote-access technologies (3.4.2.)
  • Maintain a documented description of the cryptographic architecture used for the protection of account data ( *
  • Implement anti-phishing mechanisms to protect users from phishing attacks (5.4)
  • Enforce multifactor authentication (MFA) for all access to the cardholder data environment (CDE) (8.4.2.)
  • Conduct log reviews using an automated tool — manual log reviews are no longer permitted (
  • Run authenticated internal vulnerability scans every three months (11.3.1)
  • Ensure that IDS/IPS solutions used by service providers detect, alert on and address covert communication channels ( *
  • Perform a targeted risk analysis for all PCI DSS controls that allow organizations to define their own testing frequency (12.3.1)
  • Develop incident response procedures for the detection of stored PAN anywhere it is not expected (12.10.7)

* Service providers only

How Ground Labs’ Data Discovery Supports PCI DSS Compliance

Ground Labs’ award-winning Enterprise Recon PCI is trusted by organizations for its comprehensive card data discovery and remediation-in-place capabilities across the broadest set of platforms including support for cloud and email scanning.

Card Recon Desktop and Server editions offer industry-leading card data discovery designed for small and medium-sized businesses.

To find out more, book a call with one of our experts today.
