The Payment Card Industry Security Standards Council (PCI SSC) has released PCI DSS v4.0.1, a limited revision that addresses stakeholder feedback and questions received since the publication of v4.0 in March 2022.

This update focuses on clarifying requirements and guidance while maintaining the standard’s core security objectives. 

Timeline and Transition 

PCI DSS v4.0 was retired as the current standard on 31 December 2024. After this date, PCI DSS v4.0.1 became the active standard. The March 31, 2025 deadline for implementing future-dated requirements remains unchanged.

PCI DSS v4.0.1: Key Changes and Clarifications 

Requirement 3: Data Protection

PCI DSS v4.0.1 provides updated guidance for organisations using keyed cryptographic hashes. These changes aim to improve security for payment card transactions and maintain trust in electronic payment systems.

Requirement 6: System Security 

PCI DSS v4.0.1 has two significant updates to Requirement 6: 

  • A return to v3.2.1 language regarding patch implementation
  • Clearer guidance on managing payment page scripts

Requirement 8: Authentication 

A notable addition in v4.0.1 is guidance on phishing-resistant authentication. Phishing-resistant Multi-Factor Authentication (MFA) is a highly secure authentication method specifically designed to protect against sophisticated phishing attacks.

The new requirements specify that: 

  • MFA requirements do not apply to accounts using only phishing-resistant authentication factors.
  • Authentication codes must only work with intended applications.

Requirement 12: Third-Party Service Providers (TPSP)

Requirements 12.8.2 and 12.9.1 have been updated to provide more clarity around TPSPs’ responsibility for their customers’ PCI DSS compliance.

The changes include: 

  • Clearer guidance on customer-TPSP relationships
  • Updated documentation requirements
  • Refined security control expectations

New Definitions

The revision includes new definitions in Appendix G:

  • Legal Exception
  • Phishing-Resistant Authentication
  • Visitor

Industry Collaboration

The development of v4.0.1 involved extensive stakeholder input, including:

  • PCI SSC Board of Advisors
  • Global Executive Assessor Roundtable
  • Principal Participating Organizations
  • Technology Guidance Group

Impact on Organizations

What Organisations Need to Do

To ensure PCI DSS compliance against the new standards outlined in v4.0.1, organisations should:  

Looking Ahead 

While PCI DSS v4.0.1 doesn’t introduce new requirements, it provides valuable clarifications that will help organisations better understand and implement payment security controls.

These changes, though minor compared to v4.0, are crucial for ensuring consistent interpretation and implementation of the standard.

In line with the new standards, your organisation should: 

  • Fine-tune compliance programs.
  • Strengthen security controls.
  • Prepare to implement the future-dated requirements mandated from April 2025. 
  • Update third-party service provider management practices.

The release of v4.0.1 demonstrates the PCI SSC’s commitment to maintaining clear, practical, and effective security standards while responding to industry feedback and evolving threats in the payment card ecosystem.

If you’d like a comprehensive review of your organisation’s cyber security practices against the requirements of PCI DSS v4.0.1, get in touch with us for a complimentary security review.