
Getting Ready for the Next Generation of PCI DSS: Version 4.0

Industry Trends

The Payment Card Industry Data Security Standard (PCI DSS) is a widely recognized set of security standards that organizations must comply with when handling credit card information. The Payment Card Industry Security Standards Council (PCI SSC) has overseen the PCI DSS since 2004, when it was first established by American Express, Visa, Mastercard, Discover Financial Services and JCB International.  

On March 31, 2022, the PCI Security Standards Council (PCI SSC) published version 4.0 of the PCI Data Security Standard (PCI DSS). PCI DSS v4.0 takes effect on March 31, 2024, and replaces PCI DSS version 3.2.1 to better address and combat emerging threats and technologies. As with all previous version releases, PCI SSC has set an implementation timeline for when organizations are expected to transition to the new 4.0 standard and when the new standard will become mandatory:

[Figure: implementation timeline of PCI DSS 4.0]

Updates in PCI DSS v4.0 aim to meet the evolving security needs of the payment industry, promote security as a continuous process, increase flexibility, and improve procedures for organizations that use different methods to achieve their security goals. The next generation of the standard sets out to achieve the following five objectives:

1. Increased emphasis on security culture and governance

One of the main changes in PCI DSS version 4.0 is an increased emphasis on security culture and governance. The new version will require organizations to establish and maintain a formal security culture that promotes security awareness and accountability. Organizations will also be required to have a documented security strategy and formal security policies and procedures. 

2. Penetration testing and vulnerability management

PCI DSS version 4.0 will introduce new requirements for penetration testing and vulnerability management. Organizations will be required to conduct penetration testing more frequently, and they will need to use the latest industry-standard penetration testing methodologies. Additionally, organizations will need to implement more robust vulnerability management programs, including regular scanning and patching of systems.

3. Enhanced authentication and access controls

Another significant change in PCI DSS version 4.0 is the requirement for enhanced authentication and access controls. This will include the use of multi-factor authentication for all system access and the use of complex passwords and stronger authentication mechanisms. Additionally, organizations will need to implement more stringent controls around remote access to systems.

4. New requirements for cloud and virtualization environments

PCI DSS version 4.0 will also introduce new requirements for organizations that use cloud and virtualization environments. Organizations will need to ensure that their cloud and virtualization environments are secure and that they are using appropriate security controls.  

5. More stringent requirements for service providers

Service providers will also face new requirements under PCI DSS 4.0. They will be required to implement additional security measures to protect their customers’ cardholder data, including encryption and multi-factor authentication. They will also be required to provide more detailed reporting on their compliance with the standard.

What is Keyfactor doing to prepare?

In February 2023, Keyfactor achieved PCI DSS v3.2 certification. Keyfactor’s PKI-based digital identity and integrity capability supports every facet of digital trust for devices that process, store and/or transmit cardholder data. While Keyfactor does not directly handle sensitive cardholder data, many of its customers do. With this certification, Keyfactor customers will continue to prevent data breaches and further protect their customers’ sensitive credit card information.  

Keyfactor is committed to putting its customers’ security first, and part of that commitment is upholding current and future global industry standards. As a cybersecurity company working with enterprises in regulated industries, Keyfactor is responsible for protecting data and systems.

To learn more about Keyfactor’s security and compliance commitments, please check out: https://www.keyfactor.com/security-compliance/