Just Published: PCI DSS v4.0.1


To address stakeholder feedback and questions received since PCI DSS v4.0 was published in March 2022, the PCI Security Standards Council (PCI SSC) has published a limited revision to the standard, PCI DSS v4.0.1. It includes corrections to formatting and typographical errors and clarifies the focus and intent of some of the requirements and guidance. There are no additional or deleted requirements in this revision.  

To help ensure that the changes, clarifications, and additional guidance effectively support industry adoption of PCI DSS v4, the PCI SSC Board of Advisors, Global Executive Assessor Roundtable, and Principal Participating Organizations (through the Technology Guidance Group) were invited to review and provide feedback on the proposed changes during a Request for Comments (RFC) period that ran from December 2023 through January 2024. An RFC Feedback Summary is available to all RFC participants through the PCI SSC portal.  

For a full description of changes, refer to the Summary of Changes from PCI DSS v4.0 to v4.0.1, available now in the PCI SSC Document Library. Some of the changes made in this update include:  

Requirement 3 

  • Clarified Applicability Notes for issuers and companies that support issuing services.
  • Added a Customized Approach Objective and clarified applicability for organizations using keyed cryptographic hashes to render Primary Account Numbers (PAN) unreadable. 

Requirement 6 

  • Reverted to PCI DSS v3.2.1 language that installing patches/updates within 30 days applies only for “critical vulnerabilities.”
  • Added Applicability Notes to clarify how the requirement for managing payment page scripts applies. 

Requirement 8 

  • Added an Applicability Note that multi-factor authentication for all (non-administrative) access into the CDE does not apply to user accounts that are only authenticated with phishing-resistant authentication factors. 

Requirement 12

  • Updated Applicability Notes to clarify several points about relationships between customers and third-party service providers (TPSPs). 

Appendices

  • Removed Customized Approach sample templates from Appendix E and referred to the sample templates that are available on the PCI SSC website.
  • Added definitions for “Legal Exception,” “Phishing Resistant Authentication,” and “Visitor” to Appendix G. 

Frequently Asked Questions about PCI DSS v4.0.1

When will PCI DSS v4.0 be retired?

As with all new versions of PCI DSS, there will be a period where both the current and updated version will be active at the same time. PCI DSS v4.0 will be retired on 31 December 2024. After that point, PCI DSS v4.0.1 will be the only active version of the standard supported by PCI SSC.  

When in doubt, reference FAQ 1328 “Where can I find the current version of PCI DSS?” for more detail and links to additional FAQs about transitioning to an updated version of PCI DSS.  

Does PCI DSS v4.0.1 change the 31 March 2025 effective date for the new requirements?

No. This limited revision does not impact the effective date of these new requirements. 

Are there any new requirements in PCI DSS v4.0.1?

No. As this is a limited revision, there are no new or deleted requirements. Refer to the Summary of Changes from PCI DSS v4.0 to v4.0.1 for the full details.

When will the PCI DSS v4.0.1 Report on Compliance (ROC) Template and Attestations of Compliance (AOCs), along with the Self-Assessment Questionnaires (SAQs) be published?

The PCI DSS v4.0.1 Report on Compliance (ROC) Template and Attestations of Compliance (AOCs), along with the Self-Assessment Questionnaires (SAQs) are targeted for publication in Q3 and will be followed shortly by the publication of updated PCI DSS supporting documents, such as the Prioritized Approach tool.  

Looking for More? 

 





Source link