Updates to PCI DSS v4.0.1

Gary Glover

The PCI Security Standards Council (PCI SSC) recently published a limited revision to the PCI DSS in the form of v4.0.1. This update addresses stakeholder feedback and questions received since the release of PCI DSS v4.0 in March 2022.

The new version includes corrections to formatting and typographical errors while clarifying the intent of specific requirements and guidance. Notably, this revision does not add or delete any requirements.

Stakeholder Involvement

To ensure that the changes, clarifications, and additional guidance effectively support industry adoption of PCI DSS v4.0.1, the PCI SSC Board of Advisors, Global Executive Assessor Roundtable, and Principal Participating Organizations (via the Technology Guidance Group) have reviewed and provided feedback on the proposed changes.

This review process occurred during a Request for Comments (RFC) period from December 2023 to January 2024. An RFC Feedback Summary is available to all RFC participants through the PCI SSC portal.

Summary of Changes: PCI v4.0.1

For a complete description of changes, refer to the Summary of Changes from PCI DSS v4.0 to v4.0.1 in the PCI SSC Document Library. Here are some of the critical updates made in this version:

Requirement 3

  • Applicability Notes for Issuers: Clarified notes for issuers and companies supporting issuing services.
  • Customized Approach Objective: Added an objective and clarified applicability for organizations using keyed cryptographic hashes to render Primary Account Numbers (PAN) unreadable.

Requirement 6

  • Critical Vulnerabilities: Requirement 6.3.3 reverts to the PCI DSS v3.2.1 wording, so the one-month deadline for installing security patches/updates applies only to patches for "critical vulnerabilities" (as ranked under the entity's vulnerability risk-ranking process). Other applicable patches still have to be installed within a time frame the entity defines.
  • Payment Page Scripts: Added notes to clarify how the requirement for managing payment page scripts applies.

Requirement 8

  • Multi-Factor Authentication: Added a note to Requirement 8.4.2 that multi-factor authentication for all (non-console) access into the CDE does not apply to user accounts that are authenticated only with phishing-resistant authentication factors.
    • Multi-factor authentication (MFA) requires a user to present two or more different authenticator types (something they know, something they have, something they are), so that one compromised factor, such as a password, is not enough to gain access. Phishing-resistant authentication is a narrower property: the authentication secrets and outputs are bound to the legitimate system so they cannot be captured and reused by a website or application impersonating it. In practice this means cryptographic, origin-bound methods such as FIDO2/WebAuthn security keys and passkeys or PKI smart cards, not passwords, SMS codes, or TOTP codes, all of which an attacker proxying the login page can relay in real time. The carve-out is correspondingly narrow: it applies only to accounts authenticated exclusively with phishing-resistant factors. An account that still accepts a password plus a one-time code remains in scope for Requirement 8.4.2.

Requirement 11

  • Payment Page Scripts: Clarified that Requirement 11.6.1 (the change- and tamper-detection mechanism) applies to "security-impacting HTTP headers and the script contents of payment pages," and reworded the examples section so that the bulleted list is no longer read as a set of alternative single ways to meet the requirement. The list now states that a solution could consist of a combination of the listed examples.

Requirement 12

  • Customer-TPSP Relationships: Updated notes to clarify several points about relationships between customers and third-party service providers (TPSPs).

Appendices

  • Customized Approach Templates: Removed sample templates from Appendix E and referred to templates available on the PCI SSC website.
  • New Definitions: Added definitions for "Legal Exception," "Phishing Resistant Authentication," and "Visitor" to Appendix G.

Frequently Asked Questions

When will PCI DSS v4.0 be retired?

As with all new versions of PCI DSS, there is a transition period where both the current and updated versions are active. PCI DSS v4.0 will be retired on December 31, 2024. After this date, PCI DSS v4.0.1 will be the only active version supported by PCI SSC.

Does PCI DSS v4.0.1 change the March 31, 2025 effective date for new requirements?

No. This limited revision does not impact the effective date of the new requirements.

Are there any new requirements in PCI DSS v4.0.1?

No. There are no new or deleted requirements in this revision. Refer to the Summary of Changes from PCI DSS v4.0 to v4.0.1 for full details.

When will the PCI DSS v4.0.1 Report on Compliance (ROC) Template and Attestations of Compliance (AOCs), along with the Self-Assessment Questionnaires (SAQs) be published?

The PCI DSS v4.0.1 ROC Template and AOCs, along with the SAQs, are targeted for publication in Q3 of 2024. These will be followed shortly by the publication of updated PCI DSS supporting documents, such as the Prioritized Approach tool.

Moving Forward with PCI v4.0.1

The update to PCI DSS v4.0.1 aims to enhance clarity and ensure smooth adoption of the standard. Organizations are encouraged to review the Summary of Changes and stay informed about the upcoming supporting documents.

As always, refer to the PCI SSC Document Library and the PCI SSC portal for detailed information and additional FAQs.
