PCI DSS 4.0 Migration: What Changes in 2025
March 31, 2025 marks the deadline for all future-dated requirements in PCI DSS 4.0. Understand what changes become mandatory and how to prepare your compliance program.
The March 2025 Deadline
PCI DSS 4.0 introduced approximately 50 requirements designated as "best practice until March 31, 2025." After this date, these requirements become mandatory for all PCI DSS assessments.
This article examines the key changes, their implications, and practical approaches for achieving compliance.
Background: The PCI DSS 4.0 Transition
PCI DSS 4.0 was released in March 2022, with version 4.0.1 following in June 2024 as a minor revision with clarifications. The transition timeline has been:
| Milestone | Date | Status |
|-----------|------|--------|
| PCI DSS 4.0 Release | March 2022 | Complete |
| PCI DSS 4.0.1 Release | June 2024 | Complete |
| PCI DSS 3.2.1 Retirement | March 31, 2024 | Complete |
| Future-Dated Requirements Mandatory | March 31, 2025 | Deadline |
As of April 2024, all assessments must use PCI DSS 4.0 or 4.0.1. The future-dated requirements gave organizations additional time to implement new or significantly changed controls.
Key Future-Dated Requirements
Authentication and Access Controls
Requirement 8.4.2: MFA for All CDE Access
Effective March 2025, multi-factor authentication (MFA) is required for all access into the cardholder data environment, not just remote access. This expands the scope significantly from previous versions.
Implementation considerations:
- Evaluate MFA solutions that support local and remote access scenarios
- Consider user experience impact on operations
- Plan for exceptions and emergency access procedures
- Document compensating controls if full implementation is not feasible
Requirement 8.3.6: Password Parameters via Targeted Risk Analysis
Organizations must either meet the defined password complexity requirements OR perform a targeted risk analysis (TRA) to determine appropriate password parameters. If using TRA, the analysis must be documented and the chosen parameters must be justified.
Requirement 8.6.3: Authentication Factor Security
Passwords and passphrases used as authentication factors must be protected against unauthorized disclosure and misuse through additional security measures.
Monitoring and Detection
Requirement 10.4.1.1: Automated Log Review Mechanisms
Automated mechanisms must be in place to perform reviews of audit logs. Manual review alone is no longer sufficient for most log review requirements.
Implementation approaches:
- Security Information and Event Management (SIEM) platforms
- Log aggregation with automated alerting
- Anomaly detection tools
- Managed security services with log monitoring
Requirement 10.4.2.1: Periodic Log Review for All Components
For system components not covered by daily automated review, organizations must perform periodic log reviews. The frequency is determined by targeted risk analysis.
Requirement 11.3.1.1: Vulnerability Scan Management
Internal vulnerability scans must include processes for rescanning to verify that vulnerabilities have been addressed, either through remediation or risk-based exception.
Web Application Security
Requirement 6.4.2: Web Application Firewall Protection
Automated technical solutions (typically web application firewalls) must detect and prevent web-based attacks against public-facing web applications.
Options include:
- Cloud-based WAF services
- On-premises WAF appliances
- Web application and API protection (WAAP) platforms
- Integrated application delivery controller WAF modules
Requirement 6.4.3: Payment Page Script Management
All payment page scripts that are loaded and executed in the consumer's browser must be managed as follows:
- A method is implemented to confirm that each script is authorized
- A method is implemented to assure the integrity of each script
- An inventory of all scripts is maintained with written justification for each
This requirement addresses supply chain attacks targeting payment pages through compromised third-party scripts.
Cryptography and Key Management
Requirement 3.5.1.1: Keyed Cryptographic Hashes
Where hashes are used to render PAN unreadable, keyed cryptographic hashes of the entire PAN must use a key that is managed in accordance with PCI DSS key management requirements.
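As an added example (not taken from the standard or this article), the following Python contrasts a keyed hash of the entire PAN with a plain hash, and carries a key identifier alongside the digest so keys can be rotated and retired. The keys and key ids are constructed placeholders standing in for an HSM- or KMS-managed key store.

```python
import hashlib
import hmac

# Constructed keys for this example only. In production the keys live in an HSM or KMS and
# are generated, rotated and retired under the PCI DSS key management requirements.
KEYS = {
    "k1": bytes.fromhex("11" * 32),  # retired key, kept so older stored hashes still match
    "k2": bytes.fromhex("22" * 32),  # current key, used for every new hash
}
CURRENT_KEY_ID = "k2"

def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes and require 13 to 19 digits, so the same card always hashes alike."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits

def unkeyed_pan_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: NOT acceptable under 3.5.1.1, shown only for contrast.
    The PAN space is small and structured, so anyone can recompute this without a secret."""
    return hashlib.sha256(normalize_pan(pan).encode()).hexdigest()

def keyed_pan_hash(pan: str, key_id: str = CURRENT_KEY_ID) -> str:
    """HMAC-SHA256 over the entire normalized PAN, prefixed with the key id for rotation."""
    key = KEYS[key_id]
    if len(key) < 32:
        raise ValueError("HMAC key must be at least 256 bits")
    digest = hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()
    return f"{key_id}:{digest}"

def pan_matches(candidate_pan: str, stored: str) -> bool:
    """Constant-time comparison of a candidate PAN against a stored keyed hash."""
    key_id, _, _ = stored.partition(":")
    if key_id not in KEYS:
        return False
    return hmac.compare_digest(keyed_pan_hash(candidate_pan, key_id), stored)

def rehash_with_current_key(candidate_pan: str, stored: str) -> str:
    """On a successful match under a retired key, return the hash under the current key."""
    if not pan_matches(candidate_pan, stored):
        raise ValueError("PAN does not match stored hash")
    return keyed_pan_hash(candidate_pan)
```

Storing the key id with the digest is what lets a retired key be removed from `KEYS` once every record has been rehashed under the current one.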
Requirement 4.2.1: Strong Cryptography for PAN Transmission
Strong cryptography must be used for transmitting PAN. This includes verification that certificates used are valid and not expired or revoked.
Requirement 12.3.3: Cryptographic Cipher Inventory
Cryptographic cipher suites and protocols in use must be documented, including the business justification for continued use.
Phishing and Social Engineering
Requirement 5.4.1: Anti-Phishing Mechanisms
Organizations must implement processes and automated mechanisms to detect and protect personnel against phishing attacks. This is a new requirement family addressing social engineering threats.
Required elements:
- Technical controls to detect phishing attempts
- Training and awareness programs (covered separately)
- Incident response procedures for phishing events
Scope and Inventory Management
Requirement 12.5.2: PCI DSS Scope Documentation
PCI DSS scope must be documented and confirmed at least once every 12 months and upon significant change. Documentation must include:
- Data flows
- Account data storage, processing, and transmission
- In-scope systems and networks
- Segmentation controls
- Connections to third parties
Requirement 12.5.2.1: Automated Scope Discovery
In addition to the annual scope review, organizations must use automated mechanisms to detect and alert on unauthorized changes that could affect PCI DSS scope.
Implementation Priorities
High Priority (Critical Path Items)
These requirements often have the longest implementation timelines:
1. MFA for CDE Access (8.4.2): May require infrastructure changes, procurement, and user training
2. Payment Page Script Management (6.4.3): Requires new processes and potentially new tooling
3. Automated Log Review (10.4.1.1): SIEM implementation and tuning takes significant time
Medium Priority (Process Changes)
These requirements primarily involve policy and process updates:
1. Cryptographic Inventory (12.3.3): Requires comprehensive discovery and documentation
2. Scope Documentation (12.5.2): Formalizes practices many organizations already follow
3. Anti-Phishing Controls (5.4.1): Often partially in place through email security
Lower Priority (Already Partially Implemented)
Many organizations have partial implementations of:
1. WAF Protections (6.4.2): Common but may need enhancement
2. Password Policy Updates (8.3.6): Often requires TRA documentation rather than control changes
3. Vulnerability Scan Process (11.3.1.1): Frequently addressed through existing vulnerability management
Planning Your Migration
Step 1: Gap Assessment
Conduct a comprehensive review comparing your current state against all future-dated requirements. Identify:
- Fully compliant areas
- Partially compliant areas needing enhancement
- Gaps requiring new controls
Step 2: Resource Planning
For each gap, determine:
- Technology solutions required
- Implementation effort and timeline
- Budget requirements
- Training needs
Step 3: Implementation Roadmap
Prioritize based on:
- Compliance deadline (March 31, 2025)
- Implementation complexity
- Dependencies between requirements
- Resource availability
Step 4: Testing and Validation
Before your next assessment:
- Test new controls thoroughly
- Document evidence of implementation
- Conduct internal assessments against new requirements
- Address gaps identified during testing
Common Migration Challenges
Challenge: Payment Page Script Inventory
Requirement 6.4.3 requires knowing every script that executes on payment pages. Many organizations discover they have dozens of scripts from analytics, marketing, fraud detection, and other services.
Approaches:
- Content Security Policy (CSP) implementation
- Subresource Integrity (SRI) for external scripts
- Script monitoring and inventory tools
- Reduction of unnecessary scripts
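As an added example (not code from the article or any vendor), this Python audit applies the three 6.4.3 controls from the Web Application Security section (authorization inventory, integrity assurance, written justification) together with the SRI approach above to a payment page. The inventory, URLs and script bodies are constructed for illustration; the function expects the currently served script bodies to be fetched out of band.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed 6.4.3 inventory: every authorized script URL with its written justification.
INVENTORY = {
    "https://pay.example.com/checkout.js": "first-party card form validation",
    "https://cdn.fraudvendor.example/score.js": "fraud scoring, vendor contract PLACEHOLDER-REF",
}

def sri_hash(body: bytes) -> str:
    """Subresource Integrity value for a script body: sha384-<base64 digest>."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # attribute dicts of every <script> tag, in document order

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def audit_payment_page(page_html: str, served: dict) -> list:
    """Return one finding per script that violates the inventory or integrity rules.
    `served` maps a script URL to the bytes it currently serves, so the page's integrity
    attribute is checked against what a browser would actually load."""
    collector = ScriptCollector()
    collector.feed(page_html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if src is None:
            findings.append("inline script found: not covered by SRI, needs explicit authorization")
        elif src not in INVENTORY:
            findings.append(f"unauthorized script: {src}")
        elif not attrs.get("integrity"):
            findings.append(f"missing integrity attribute: {src}")
        elif src in served and attrs["integrity"] != sri_hash(served[src]):
            findings.append(f"integrity mismatch, possible tampering: {src}")
    return findings

# Constructed sample: a first-party script body and the payment page that embeds it.
CHECKOUT_JS = b"document.getElementById('pan').addEventListener('input', formatPan);"
SAMPLE_PAGE = f"""<script src="https://pay.example.com/checkout.js" integrity="{sri_hash(CHECKOUT_JS)}"></script>
<script src="https://cdn.fraudvendor.example/score.js"></script>
<script src="https://tracker.example.org/pixel.js"></script>
<script>window.dataLayer = [];</script>"""
```

Running `audit_payment_page(SAMPLE_PAGE, {"https://pay.example.com/checkout.js": CHECKOUT_JS})` reports the vendor script without an integrity attribute, the tracker absent from the inventory, and the inline script; a changed body for checkout.js additionally produces an integrity mismatch finding.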
Challenge: Legacy System MFA
Implementing MFA for CDE access may conflict with legacy applications that do not support modern authentication protocols.
Approaches:
- Identity-aware proxies
- Jump servers with MFA gates
- Application modernization planning
- Compensating controls where direct implementation is infeasible
Challenge: Log Volume Management
Automated log review requires centralized log collection, which can generate significant data volumes and associated costs.
Approaches:
- Tiered log retention strategies
- Event filtering at collection
- Cloud-based SIEM with flexible pricing
- Focus on high-value event correlation
Working with Assessors
Communicate proactively with your QSA or prepare for your self-assessment by:
- Sharing your migration roadmap before the assessment
- Discussing any areas where compensating controls may be needed
- Understanding how your assessor validates new requirement compliance
- Documenting evidence collection processes for new requirements
After March 2025
Once future-dated requirements become mandatory:
- All requirements must be assessed and validated
- Non-compliance findings affect overall compliance status
- Remediation timelines depend on acquiring bank policies
- Focus shifts to maintaining compliance with the full requirement set
Summary
The March 31, 2025 deadline represents a significant expansion of mandatory PCI DSS requirements. Organizations should:
1. Assess current state against all future-dated requirements
2. Prioritize implementation based on complexity and dependencies
3. Plan resources for technology, process, and training needs
4. Execute systematically with clear milestones
5. Validate thoroughly before formal assessment
The transition period was designed to allow organizations adequate time to implement these controls. Organizations that have not yet begun planning should treat this as an urgent priority.
This article provides general information about PCI DSS 4.0 future-dated requirements. Consult the official PCI DSS standard and your qualified assessor for specific compliance guidance.