PCI 4.0 Summary of Changes

Authored by Brian Odian for VikingCloud’s Compliance Elements Series, available on YouTube.

The release of PCI DSS 4.0 can be a little overwhelming. As with changes to any standard, you may not know where to begin.

Fortunately, the PCI SSC has provided a Summary of Changes document to supplement the release of version 4. And just as well, too.

There are 64 new requirements in version 4: 53 of which apply to all entities, and 11 to Service Providers only. Interestingly, of those 64 requirements only 13 are effective immediately for all version 4 assessments, with 51 of them being marked as future dated; that is, they become effective on the 31st of March 2025. So, for a great many of the new requirements, you have the time to plan and implement them.

Right about now you may be thinking: for a Level 1 Report on Compliance there were already over 240 requirements, and now you are telling me there are 64 new requirements! Bear in mind that new requirements come under the change type of “Evolving Requirements” in the Summary of Changes document, which is defined as “Changes to ensure that the standard is up to date with emerging threats and technologies, and changes in the payment industry. Examples include new or modified requirements or testing procedures, or the removal of a requirement.”

For example, version 3.2.1 requirements 8.1.6 and 8.1.7 were merged and moved under requirement 8.3.4 in version 4. What this effectively means is that the overall number of assessable requirements from version 3.2.1 to version 4 doesn’t change significantly; at least not enough to keep you awake at night.

The Summary of Changes document covers the change types, changes to the introductory section of ver