What Changed in PCI DSS 4.0.1?
Track every significant change between PCI DSS versions — new requirements, modifications, and future-dated controls.
PCI DSS v4.0.1
Released June 2024
PCI DSS v4.0.1 is a limited revision that provides corrections and clarifications to v4.0. It does not introduce new requirements but clarifies applicability notes, formatting, and guidance. All future-dated requirements from v4.0 became mandatory on March 31, 2025.
Technical controls prevent PAN copy/relocation via remote access
When using remote-access technologies, technical controls must prevent copy and/or relocation of PAN for all personnel, unless explicitly authorised for a defined business need.
Periodic re-evaluation of systems not requiring anti-malware
Any system components not currently considered at risk for malware must be periodically re-evaluated to confirm they continue not to require anti-malware solutions.
Anti-malware scanning for removable media
Clarified that anti-malware solutions for removable electronic media should perform automatic scans when media is inserted, connected, or logically mounted.
Anti-phishing mechanisms deployed
Processes and automated mechanisms must be in place to detect and protect personnel against phishing attacks. This includes email-based anti-phishing, link protection, and user training on identifying phishing.
Inventory of bespoke and custom software
An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software, must be maintained to facilitate vulnerability and patch management.
WAF deployed for public-facing web applications
For public-facing web applications, an automated technical solution (web application firewall) must be deployed that continually detects and prevents web-based attacks.
Payment page scripts managed and authorised
All payment page scripts that are loaded and executed in the consumer's browser must be managed — with script inventory, authorisation, integrity checking, and change detection. Directly addresses Magecart-style attacks.
User accounts and privileges reviewed every six months
All user accounts and related access privileges, including third-party/vendor accounts, must be reviewed at least every six months to ensure appropriateness.
Application and system accounts managed on least privilege
All application and system accounts and related access privileges must be assigned and managed based on least privilege, with periodic review.
Minimum password length increased to 12 characters
Minimum password length increased from 7 characters to 12 characters (or 8 if the system cannot support 12). Passwords must contain both numeric and alphabetic characters.
MFA for all access into the CDE
Multi-factor authentication is now required for ALL access into the cardholder data environment — not just remote access. This is one of the most significant changes in v4.0.
Interactive login for system/application accounts managed
If accounts used by systems or applications can be used for interactive login, they must be managed with specific controls including preventing interactive use unless needed.
No hard-coded passwords in scripts or source code
Passwords/passphrases for application and system accounts that can be used for interactive login must not be hard-coded in scripts, configuration/property files, or custom source code.
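One way to enforce this item before code or configuration ships is a repository scan that flags literal credential assignments while accepting references to a secret store. The following is an added example, not GRCTrack's or the standard's code; the key-name list, the indirection patterns and the sample lines are assumptions constructed for illustration.

```python
"""Flag hard-coded passwords in scripts, configuration/property files and source.

Added example for this page, not GRCTrack's own code. The key-name list, the
indirection patterns and the sample lines are assumptions constructed for
illustration; tune them to the file types in your environment.
"""
import re

# A key that looks like a credential, a ':' or '=' separator, then a literal value
# (optionally quoted). Matches db.password=..., PASSWORD: '...', passwd="...".
ASSIGN_RE = re.compile(
    r"""(?ix)
    (?P<key>[\w.\-]*(?:password|passwd|pwd|passphrase|secret)[\w.\-]*)
    \s*[:=]\s*
    (?P<q>["']?)(?P<value>[^"'\s\#]+)(?P=q)
    """
)
# Values that reference a secret elsewhere instead of embedding it: ${VAR}, %VAR%,
# <placeholder>, vault:/env: prefixes, or a run of asterisks.
REFERENCE_RE = re.compile(r"^(?:\$\{?\w+\}?|%\w+%|<[^>]+>|vault:|env:|\*{3,})", re.I)
PLACEHOLDERS = {"changeme", "xxx", "redacted", "null", "none", "todo"}


def mask(value: str) -> str:
    """Show only the first two characters so the report itself does not leak the secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def find_hardcoded_secrets(text: str) -> list:
    """Return (line_no, key, masked_value) for each probable literal credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "//", ";")):
            continue  # comment line
        for m in ASSIGN_RE.finditer(line):
            value = m.group("value")
            if REFERENCE_RE.match(value) or value.lower() in PLACEHOLDERS:
                continue  # indirection or placeholder, not an embedded secret
            findings.append((no, m.group("key"), mask(value)))
    return findings


# Constructed sample mixing a properties file, a shell export, YAML and Python.
SAMPLE = """\
# database settings
db.host=payments-db.internal
db.password=Tr0ub4dor&3
export API_SECRET="${VAULT_API_SECRET}"
smtp:
  username: mailer
  password: 'changeme'
# password = "old-value-commented-out"
conn = connect(user="app", passwd="s3cr3t-pass")
"""


def scan_sample() -> list:
    """Run the scanner over the constructed sample."""
    return find_hardcoded_secrets(SAMPLE)


if __name__ == "__main__":
    for no, key, masked in scan_sample():
        print(f"line {no}: {key} = {masked}")
```

Only the two literal values are reported; the `${VAULT_API_SECRET}` reference and the `changeme` placeholder pass, as does the commented-out line. Running such a scan in CI, and recording that the system/application account's credential is stored outside the code base, is the evidence an assessor will look for.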
Automated mechanisms for audit log reviews
Automated mechanisms must be used to perform audit log reviews. Manual-only log review is no longer acceptable given the volume and velocity of modern audit data.
Failures of critical security controls detected and responded to promptly
Failures of critical security control systems must be detected, alerted, and addressed promptly, including but not limited to IDS/IPS, FIM, anti-malware, access controls, audit logging, and segmentation controls.
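Automated audit log review (the previous item) and prompt detection of failing critical controls (this item) can run off the same review pipeline: one pass over the logs applies threshold rules and also notices when a control stops reporting. The following is an added example, not GRCTrack's or the standard's code; the log format (ISO-8601 timestamp then key=value pairs), the field and control names, the thresholds and the sample log are all assumptions constructed for illustration.

```python
"""Automated audit-log review with detection of critical-control failures.

Added example for this page, not GRCTrack's own code. The log format (ISO-8601
timestamp followed by key=value pairs), the field names, the control names and
the thresholds are assumptions; the sample log is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

CRITICAL_CONTROLS = {"antimalware", "fim-agent", "ids", "audit-log"}
FAILED_LOGIN_THRESHOLD = 5                   # failures from one source ...
FAILED_LOGIN_WINDOW = timedelta(seconds=60)  # ... within this window
HEARTBEAT_MAX_GAP = timedelta(minutes=10)    # control silent this long = failure

# Constructed sample: a brute-force burst, a stopped anti-malware service and a
# FIM agent on pos-02 that stops sending heartbeats.
SAMPLE_LOGS = """\
2025-04-01T10:00:00Z source=fim-agent host=pos-01 event=heartbeat
2025-04-01T10:00:00Z source=fim-agent host=pos-02 event=heartbeat
2025-04-01T10:00:05Z source=sshd host=jump-01 event=auth_failure user=admin src=10.0.0.5
2025-04-01T10:00:09Z source=sshd host=jump-01 event=auth_failure user=admin src=10.0.0.5
2025-04-01T10:00:14Z source=sshd host=jump-01 event=auth_failure user=root src=10.0.0.5
2025-04-01T10:00:20Z source=sshd host=jump-01 event=auth_failure user=svc_pos src=10.0.0.5
2025-04-01T10:00:27Z source=sshd host=jump-01 event=auth_failure user=admin src=10.0.0.5
2025-04-01T10:01:00Z source=sshd host=jump-01 event=auth_failure user=jdoe src=10.0.0.77
2025-04-01T10:04:30Z source=audit host=pos-02 event=service_stopped service=antimalware
2025-04-01T10:05:00Z source=fim-agent host=pos-01 event=heartbeat
2025-04-01T10:10:00Z source=fim-agent host=pos-01 event=heartbeat
2025-04-01T10:15:00Z source=fim-agent host=pos-01 event=heartbeat
"""


def parse_line(line: str):
    """Split '<timestamp> k=v k=v ...' into (datetime, dict)."""
    ts_text, _, rest = line.partition(" ")
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return ts, fields


def review_logs(text: str) -> list:
    """Return (kind, detail) alerts from one pass over the log text."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of recent auth failures
    last_heartbeat = {}            # (control, host) -> last heartbeat time
    latest = None                  # end of the reviewed window
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        latest = ts if latest is None else max(latest, ts)
        event = f.get("event")
        if event == "auth_failure":
            q = failures[f.get("src", "?")]
            q.append(ts)
            while ts - q[0] > FAILED_LOGIN_WINDOW:  # drop failures outside the window
                q.popleft()
            if len(q) >= FAILED_LOGIN_THRESHOLD:
                secs = int(FAILED_LOGIN_WINDOW.total_seconds())
                alerts.append(("brute_force",
                               f"{len(q)} failed logins from {f.get('src')} within {secs}s on {f.get('host')}"))
                q.clear()  # one alert per burst
        elif event == "heartbeat" and f.get("source") in CRITICAL_CONTROLS:
            last_heartbeat[(f["source"], f.get("host", "?"))] = ts
        elif event == "service_stopped" and f.get("service") in CRITICAL_CONTROLS:
            alerts.append(("control_stopped", f"{f['service']} stopped on {f.get('host')}"))
    # A control that was reporting and then went quiet is a failure even without
    # an explicit "stopped" event.
    if latest is not None:
        for (source, host), seen in sorted(last_heartbeat.items()):
            if latest - seen > HEARTBEAT_MAX_GAP:
                alerts.append(("control_silent", f"{source} on {host} last reported {seen.isoformat()}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in review_logs(SAMPLE_LOGS):
        print(f"ALERT {kind}: {detail}")
```

The silence check only covers controls that reported at least once in the reviewed window; an inventory of expected control agents would close that gap and is where a targeted risk analysis would set the acceptable gap.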
Authenticated internal vulnerability scanning
Internal vulnerability scans must be performed via authenticated scanning, with sufficient privileges to perform a thorough assessment of systems.
Change and tamper detection on payment pages
A change- and tamper-detection mechanism must be deployed to alert personnel to unauthorised modification of HTTP headers and the content of payment pages as received by the consumer browser.
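The script-inventory item above and this change-detection item are usually satisfied together: a scheduled check compares what a consumer browser actually received against the authorised inventory and a header baseline. The following is an added example, not GRCTrack's or the standard's code; the inventory, the header baseline, the stand-in script bytes and both page snapshots are constructed for illustration.

```python
"""Payment-page script inventory and tamper detection.

Added example for this page, not GRCTrack's own code. The inventory, header
baseline and the two page snapshots are constructed; in practice the snapshot
is what a consumer browser actually received, captured by a synthetic monitor
on a schedule set by the entity's targeted risk analysis.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_value(data: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity string (algo-base64digest) for exact script bytes."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"


# Constructed stand-ins for the vendored script and the inline config snippet.
CHECKOUT_JS = b"/* stand-in for checkout.js */ initCheckout();"
INLINE_CONFIG = b"window.checkoutConfig = {currency: 'GBP', locale: 'en-GB'};"

# Inventory: external src -> SRI value the tag must carry (the browser enforces it);
# inline scripts -> SHA-256 of the stripped body. Owner and justification omitted.
AUTHORISED_EXTERNAL = {"https://pay.example.com/js/checkout.js": sri_value(CHECKOUT_JS)}
AUTHORISED_INLINE = {hashlib.sha256(INLINE_CONFIG).hexdigest()}

# Response headers the payment page must be served with.
HEADER_BASELINE = {
    "content-security-policy": "default-src 'self'; script-src 'self' https://pay.example.com",
    "x-frame-options": "DENY",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}


class ScriptCollector(HTMLParser):
    """Record every <script>: external (src, integrity) or inline body hash."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None  # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.scripts.append({"src": None, "sha256": hashlib.sha256(body).hexdigest()})
            self._inline = None


def check_payment_page(snapshot: dict) -> list:
    """snapshot = {"headers": {...}, "html": "..."}; returns (kind, detail) findings."""
    findings = []
    headers = {k.lower(): v for k, v in snapshot["headers"].items()}
    for name, expected in HEADER_BASELINE.items():
        if name not in headers:
            findings.append(("header_missing", name))
        elif headers[name] != expected:
            findings.append(("header_changed", name))
    parser = ScriptCollector()
    parser.feed(snapshot["html"])
    parser.close()
    for s in parser.scripts:
        if s["src"] is None:
            if s["sha256"] not in AUTHORISED_INLINE:
                findings.append(("inline_script_unauthorised", s["sha256"][:16]))
        elif s["src"] not in AUTHORISED_EXTERNAL:
            findings.append(("script_not_in_inventory", s["src"]))
        elif s["integrity"] != AUTHORISED_EXTERNAL[s["src"]]:
            findings.append(("script_integrity_mismatch", s["src"]))
    return findings


def _page(checkout_tag: str, inline_js: str, extra: str = "") -> str:
    return f"<html><head>{checkout_tag}<script>{inline_js}</script>{extra}</head><body></body></html>"


GOOD_SNAPSHOT = {
    "headers": dict(HEADER_BASELINE),
    "html": _page(
        f'<script src="https://pay.example.com/js/checkout.js" integrity="{sri_value(CHECKOUT_JS)}" crossorigin="anonymous"></script>',
        INLINE_CONFIG.decode(),
    ),
}
# Constructed tampered snapshot: CSP widened, SRI attribute dropped, inline config
# altered, and a script that is not in the inventory added.
TAMPERED_SNAPSHOT = {
    "headers": {**HEADER_BASELINE, "content-security-policy": "default-src 'self'; script-src 'self' https:"},
    "html": _page(
        '<script src="https://pay.example.com/js/checkout.js"></script>',
        "window.checkoutConfig = {currency: 'GBP', locale: 'en-GB', debug: true};",
        '<script src="https://tags.unknown-third-party.example/t.js"></script>',
    ),
}

if __name__ == "__main__":
    print("baseline:", check_payment_page(GOOD_SNAPSHOT))
    for kind, detail in check_payment_page(TAMPERED_SNAPSHOT):
        print(f"ALERT {kind}: {detail}")
```

Every finding maps to a required action: a script not in the inventory needs authorisation or removal, an integrity mismatch means the inventoried hash or the served file changed, and a header change is exactly the HTTP-header tampering this item asks to be detected.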
Targeted risk analysis for flexible requirements
Each PCI DSS requirement that provides flexibility for how frequently it is performed must be supported by a targeted risk analysis that documents the rationale for the frequency chosen.
Targeted risk analysis for customized approach
A targeted risk analysis must be performed for each PCI DSS requirement that is met through the customized approach.
PCI DSS scope documented and confirmed annually
PCI DSS scope must be documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment.
Security awareness training includes phishing and social engineering
Security awareness training must include awareness of threats and vulnerabilities that could impact account data security, including phishing and related attacks, and social engineering.
Incident response procedures for unexpected PAN detection
Incident response procedures must be in place to be initiated upon the detection of stored PAN anywhere it is not expected, including determining what to do if PAN is found outside the CDE.
Customized Approach as alternative to Defined Approach
PCI DSS v4.0 introduced the Customized Approach as an alternative validation method. Entities can implement controls that meet the stated objective of a requirement using methods not explicitly described in the standard, supported by targeted risk analysis.
Roles and responsibilities documented for all requirements
Every PCI DSS requirement now explicitly requires that roles and responsibilities for performing activities in that requirement are documented, assigned, and understood.
GRCTrack supports all PCI DSS 4.0.1 requirements
Including all future-dated controls that became mandatory on March 31, 2025.