PCI DSS v4.0.1 Updates: What You Need to Know

This article provides an overview of the updates in PCI DSS v4.0.1.

Updated over a month ago

This article highlights key clarifications and changes; the revision introduces no new requirements and removes none. It is designed to help you understand what has been updated and how it impacts your compliance efforts. For further details, feel free to reach out to us.

What Happened?

On January 31, 2024, the PCI Security Standards Council (PCI SSC) released PCI DSS v4.0.1, a limited update to PCI DSS v4.0. This revision does not introduce new or deleted requirements. Instead, it includes minor corrections, clarifications, and formatting fixes to improve understanding and implementation of the standard.

After January 1, 2025, PCI DSS v4.0.1 will be the only supported version.

Please note that while organizations must transition to v4.0.1 by January 1, 2025, the new requirements introduced in v4.0 will not become mandatory until March 31, 2025, as originally planned.

What Changed in the Standard?

The updates in PCI DSS v4.0.1 focus on:

  • Clarifying existing requirements to remove ambiguity

  • Fixing typographical and formatting errors

  • Updating applicability notes for better interpretation

  • Reverting some wording in v4.0.1 to better align with PCI DSS v3.2.1 where necessary for clarity

Key Updates by Requirement:

  • Requirement 3 (Protect stored cardholder data)

    • Clarified how issuers and issuing service providers should interpret specific controls.

    • Added a Customized Approach Objective for organizations using keyed cryptographic hashes.

  • Requirement 6 (Develop and maintain secure systems and applications)

    • Reinstated PCI DSS v3.2.1 language, clarifying that the 30-day patching timeframe applies only to critical vulnerabilities.

    • Added notes on how to manage payment page scripts securely.

  • Requirement 8 (Identify and authenticate access to system components)

    • Clarified that multi-factor authentication (MFA) does not apply to accounts only authenticated with phishing-resistant authentication factors.

  • Requirement 12 (Maintain a security policy and support compliance efforts)

    • Updated notes on third-party service provider (TPSP) relationships to clarify responsibilities.

  • Appendices

    • Removed sample templates from Appendix E (now available on the PCI SSC website).

    • Added definitions for Legal Exception, Phishing-Resistant Authentication, and Visitor in Appendix G.

What Didn’t Change?

  • No new requirements were added.

  • No existing requirements were removed.

  • The March 31, 2025, effective date for new v4.0 requirements remains unchanged.

For a full description of changes, refer to the Summary of Changes from PCI DSS v4.0 to v4.0.1 document linked below.

What Changed in Drata?

If you are working towards PCI DSS v4.0.1 compliance, these updates do not change your compliance strategy. The focus remains on implementing the existing security controls while using the clarifications to ensure correct interpretation and implementation.

This release is a minor update: the text of 44 requirements was revised, but this had no impact on DCF or policy mapping.

  • Policies: Our standard set of 22 policy templates will be provisioned with the update. This increases the number of policy templates attached to PCI DSS from the 18 provided under v4.0, but the increase is not due to any updated requirements; rather, we are augmenting the standard set of policy templates we deliver across the platform.

    The additional policies included are as follows:

  • Risks: No new risks have been developed or associated with the framework.
