
Navigating the Shift: Unveiling the changes in PCI DSS version 4

Gain insight into the latest changes in PCI DSS version 4 with this quick overview of the primary changes and how best to prepare for them.

Background

The Payment Card Industry Data Security Standard (PCI DSS) has been a critical framework in safeguarding credit card transactions, cardholder data, and PII. It applies to any entity that stores, handles, processes, or transmits cardholder information. The shift from PCI DSS version 3.2.1 to version 4.0 marks a significant evolution, defining new requirements and refining the existing ones. As the change starts taking effect in March 2024, businesses aiming for compliance should understand what it means for their organization. This quick overview highlights the primary changes and how best to prepare for them.

Here are the top SDLC-related changes in PCI DSS v4:

1. A new approach focused on perpetually achieving security goals:

The new "Approaches for Implementing and Validating PCI DSS" section in version 4.0 introduces two distinct methods for entities to implement and validate their compliance with the PCI DSS standards: the defined approach and the customized approach.

  • The defined approach isn't actually new, as it involves following the specific requirements and testing procedures detailed within the standard.

  • The customized approach, on the other hand, focuses on the objectives of each PCI DSS requirement, allowing entities to implement controls in a manner that does not strictly adhere to the defined requirement.

Introducing these approaches in PCI DSS 4.0 marks a significant shift towards flexibility and adaptability in compliance. Entities can now choose the approach that best fits their security strategy and environment, or use a combination of both. The change acknowledges the diverse range of business models and technological landscapes in which entities operate, and emphasizes the PCI DSS's commitment to evolving with industry needs and encouraging proactive rather than prescriptive security measures.

Apart from the customized approach, another significant change is the emphasis on continuous compliance. New requirements centered around documenting and updating policies mark the importance of reviewing compliance continuously, not only at a specific time. Introducing the concept of perpetual security monitoring underscores that compliance is a continual effort, not merely an annual task.

2. Expanding Authentication policies:

The evolution of authentication techniques in the transition from PCI DSS version 3.2.1 to 4.0 marks a significant advancement in how businesses secure access to cardholder data environments (CDEs). In version 3.2.1, the standard mandated multi-factor authentication (MFA) specifically for non-console administrative or remote access, providing a basic layer of security against unauthorized access. With the release of PCI DSS 4.0, the focus on authentication has been notably enhanced: the MFA requirements are expanded to all types of access and to all users. The newer version goes beyond simply enforcing MFA by adding new requirements to secure the implementation of MFA systems themselves. This shift reflects an understanding of the evolving landscape and authentication best practices, leading enterprises to enforce secure authentication policies across the entire CDE, including their SDLC.

3. Managing secrets:

A new requirement in PCI DSS version 4.0 addresses a critical aspect of software security: handling passwords or, more specifically, keeping secrets out of your code. The new version enforces the secure management of secrets by requiring that passwords capable of interactive login must not be hard-coded into scripts, configuration files, property files, or custom source code. This change targets the most common security issue in the current landscape, where sensitive credentials are embedded within code, exposing them to unauthorized access or exploitation. Removing them reduces the risk of credential compromise, which is often the gateway to a larger breach. Handling secrets is a complex task; more often than not, secrets make their way into code through human error. Relying on developers and code review alone to catch secrets is not enough, and enforcing an enterprise-grade secret scanner is imperative if you want to comply with the new version.

This update reflects a proactive stance in safeguarding against emerging threats and vulnerabilities in the digital landscape. It ensures that entities under PCI DSS compliance maintain rigorous standards in protecting access to their systems and sensitive cardholder data.
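The two halves of this requirement, detecting credential-like keys bound to literal values in the file types the standard names, and resolving the secret at run time instead, as an added example that is not code from the original post or from Legit Security. The sample files, key names and regular expressions are constructed for illustration; a production scanner would also cover high-entropy strings and known token formats.

```python
import os
import re

# Constructed sample files of the kinds PCI DSS 4.0 names: scripts, configuration,
# property files and source code. Two embed a literal password; two reference one indirectly.
SAMPLE_FILES = {
    "deploy.sh": 'DB_PASSWORD="Sup3rS3cret!"\nexport API_TOKEN=$VAULT_TOKEN\n',
    "app.properties": "db.user=svc_payments\ndb.password=hunter2\n",
    "settings.py": 'ADMIN_PASSWORD = os.environ["ADMIN_PASSWORD"]\nDEBUG = False\n',
    "config.yml": "smtp:\n  password: ${SMTP_PASSWORD}\n",
}

# A key that looks like a credential, assigned with '=' or ':' to some value.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b([\w.]*(?:password|passwd|pwd|secret|token)[\w.]*)\s*[:=]\s*(.+)$"
)
# Values that defer to the environment or a secret store instead of embedding the secret.
INDIRECT_VALUE = re.compile(r'^"?(\$\{?\w+\}?|os\.environ\[.*\]|os\.getenv\(.*\))"?$')


def find_hardcoded_secrets(files):
    """Return (file, line number, key) for every credential-like key bound to a literal value."""
    findings = []
    for name, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            match = SECRET_ASSIGNMENT.search(line.strip())
            if not match:
                continue
            value = match.group(2).strip()
            if INDIRECT_VALUE.match(value):
                continue  # resolved at run time, not hard-coded
            findings.append((name, lineno, match.group(1)))
    return findings


def load_secret(name, env=os.environ):
    """The compliant pattern: resolve the secret at run time and fail closed if it is missing."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"secret {name} is not provisioned")
    return value


if __name__ == "__main__":
    for path, lineno, key in find_hardcoded_secrets(SAMPLE_FILES):
        print(f"{path}:{lineno}: hard-coded credential in key {key!r}")
```

Run against the constructed files it reports the literal passwords in deploy.sh and app.properties and stays quiet on the environment-variable references.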

4. Understanding your software's building blocks:

PCI DSS version 4.0 introduces a new requirement to create and maintain an inventory of all bespoke and custom software, as well as the third-party software components integrated into it. The rationale is to improve vulnerability and patch management for entities handling cardholder data. The most common way to implement this is an SBOM. SBOM stands for Software Bill of Materials: a nested description of software components, their metadata, and more.

By identifying and cataloging all custom software and third-party components, organizations can more effectively track and address potential vulnerabilities that might be present in these elements. This is particularly crucial as vulnerabilities in third-party components can render the entire application susceptible to attacks. An up-to-date SBOM allows entities to monitor the security of their software ecosystem, ensuring they are aware of what components the software is built from and the potential vulnerabilities in those components. This addition to the PCI DSS framework is a significant step towards matching the growing standard of software security, reflecting software's huge role in keeping cardholder data safe and the increasing importance of a comprehensive solution.
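What an up-to-date SBOM buys you in practice: walking the nested component tree to build the inventory, then matching it against an advisory feed, as an added example that is not code from the original post or from Legit Security. The CycloneDX-style document, component names and advisory ids are constructed placeholders, not real packages or vulnerabilities.

```python
import json

# Constructed CycloneDX-style SBOM fragment: a custom service with third-party
# components, one of which is nested inside another (the "nested description" above).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "payments-api", "version": "2.3.0", "type": "application"}},
  "components": [
    {"type": "library", "name": "acme-http", "version": "2.25.1",
     "components": [{"type": "library", "name": "acme-sockets", "version": "1.26.4"}]},
    {"type": "library", "name": "acme-tls", "version": "41.0.3"}
  ]
}"""

# Constructed advisory feed with placeholder ids; in practice this comes from a vulnerability database.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "acme-sockets", "fixed_in": "1.26.5"},
    {"id": "ADV-PLACEHOLDER-2", "name": "acme-tls", "fixed_in": "41.0.0"},
]


def parse_version(version):
    """Split a dotted version into an integer tuple for comparison (numeric segments only)."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def walk_components(components):
    """Yield every component, descending into nested 'components' lists."""
    for component in components:
        yield component
        yield from walk_components(component.get("components", []))


def inventory(sbom_json):
    """The (name, version) set the standard asks you to maintain."""
    sbom = json.loads(sbom_json)
    return {(c["name"], c["version"]) for c in walk_components(sbom.get("components", []))}


def affected_components(sbom_json, advisories):
    """Components whose version is older than an advisory's fixed version."""
    hits = []
    for name, version in sorted(inventory(sbom_json)):
        for advisory in advisories:
            if advisory["name"] == name and parse_version(version) < parse_version(advisory["fixed_in"]):
                hits.append((name, version, advisory["id"]))
    return hits
```

The nested acme-sockets component is the one a flat, top-level-only inventory would miss.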


Preparing for change

With the fast-paced evolution of technology and payment systems, PCI DSS 4.0 arrives at an opportune time, aligning with the changing landscape of data and software security. As some requirements in the latest version will turn mandatory as soon as March 2024, now is the time for businesses to understand these changes and shift toward implementation. Legit Security is here to help you make sure you stay one step ahead of the threats. With an enterprise-grade secret scanner, SBOM generation, and authentication policies across the SDLC, Legit is the missing part of your compliance puzzle.

Want to make sure your organization’s software is ready for PCI DSS v4? Contact us.

Learn more and schedule a product demo, or check out the full Legit Security Platform.

Published on
February 07, 2024