Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Knowledge Center

PCI DSS 4.0 Overview

What PCI DSS actually requires, what changed in version 4.0, and why scope reduction is the highest-leverage compliance decision most organizations can make.

6 min read
PCI DSS

PCI DSS gets treated as an annual audit event by many organizations, when in practice the requirement that determines the cost and difficulty of that audit — scope — is a decision made long before the assessor shows up. This article covers what PCI DSS actually requires, what changed in version 4.0, and why scope reduction is usually the single highest-leverage decision an organization makes about it.

What PCI DSS is and who it applies to

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements maintained by the PCI Security Standards Council, a body founded by the major card brands. It applies to any organization that stores, processes, or transmits cardholder data — not just large retailers. A small business using a single point-of-sale terminal is in scope in principle the same way a large e-commerce platform is, though the specific validation path (self-assessment questionnaire vs. a formal assessment by a Qualified Security Assessor) differs based on transaction volume and merchant level.

The 12 requirements, grouped under 6 control goals

PCI DSS organizes its 12 core requirements under six broader control goals. Understanding the goals, not just the numbered requirements, makes it easier to reason about how a given control decision maps to compliance obligations.

PCI DSS 4.0 — Password Requirements at a Glance1Secure Network

Build and maintain a secure network and systems.

2Protect Account Data

Protect stored and transmitted cardholder data.

3Vulnerability Management

Maintain a vulnerability management program.

4Access Control

Implement strong access control measures.

5Monitor & Test

Regularly monitor and test networks.

6Security Policy

Maintain an information security policy.

See PCI DSS 4.0 for the full set of numbered requirements underneath each control goal.
PCI DSS 4.0 control goals and their requirements
Control goalRequirements covered
Build and maintain a secure network and systemsInstall and maintain network security controls; apply secure configurations to all system components
Protect account dataProtect stored account data; protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a vulnerability management programProtect systems and networks from malicious software; develop and maintain secure systems and software
Implement strong access control measuresRestrict access to system components and cardholder data by business need to know; identify users and authenticate access; restrict physical access to cardholder data
Regularly monitor and test networksLog and monitor all access to system components and cardholder data; test security of systems and networks regularly
Maintain an information security policySupport information security with organizational policies and programs

What changed in version 4.0

PCI DSS 4.0 introduced several meaningful shifts from 3.2.1, generally moving toward more explicit, risk-based, and continuously-verified controls rather than point-in-time checklist items.

  • Customized approach alongside the defined approach. Organizations can now design and validate a control that meets the intent of a requirement through a method other than the traditional prescribed implementation, provided they can demonstrate and document that it achieves an equivalent security outcome — this gives more flexibility to organizations with mature security programs, at the cost of a higher documentation burden.
  • Expanded multi-factor authentication requirements. MFA requirements broadened beyond remote and administrative access to cover a wider range of access into the cardholder data environment, reflecting how central credential-based attacks have become to real-world breaches.
  • Targeted risk analyses. Several requirements that previously had fixed frequencies (how often a control must be performed) now allow an organization to define its own frequency, provided it's backed by a documented, targeted risk analysis justifying that cadence.
  • More explicit authenticated scanning requirements. Internal vulnerability scanning requirements were clarified to more explicitly require authenticated scanning, closing a gap where unauthenticated scans could miss vulnerabilities visible only to a logged-in attacker or compromised account.

These changes generally raise the bar for documentation and risk-based justification even where they add flexibility — a customized approach or a self-defined scan frequency requires more evidence, not less, to defend during an assessment.

Scope reduction: the highest-leverage decision

The scope of a PCI DSS assessment is defined by everywhere cardholder data is stored, processed, or transmitted — and every system, network segment, and process in scope must meet the full set of applicable requirements. This means the most effective lever an organization has over PCI DSS cost and complexity isn't implementing controls faster — it's reducing how much of the environment is in scope in the first place.

Segmentation, tokenization, and outsourcing all reduce scope

Network segmentation isolates systems that touch cardholder data from the rest of the environment, so unrelated systems fall out of scope entirely. Tokenization replaces stored card data with a non-sensitive token, often removing storage systems from scope altogether. Outsourcing payment processing to a validated third-party processor (rather than handling card data directly) can shift significant scope away from the organization's own environment. Each of these is a design decision made before compliance work starts, not a control implemented during it.

Organizations that pursue scope reduction first — before starting detailed control implementation — routinely cut assessment cost, audit duration, and ongoing maintenance burden substantially, because fewer systems means fewer controls to implement, document, and re-verify every cycle. Organizations that skip this step often end up applying full PCI DSS rigor to systems that never needed to be in scope at all.

Common mistakes

  • Not pursuing scope reduction before starting compliance work. Segmentation and tokenization decisions made early can eliminate large portions of the assessment burden; retrofitting them after controls are already built out everywhere is far more expensive.
  • Treating PCI DSS as a once-a-year project rather than a continuous program. Controls like vulnerability scanning, log monitoring, and access reviews are ongoing operational requirements, not activities that only need attention before an assessment.
  • Assuming a third-party payment processor removes all scope. Using a validated processor reduces scope significantly but rarely eliminates it entirely — the systems that initiate or redirect the payment flow are still typically in scope.
  • Underestimating the documentation burden of the customized approach. It offers flexibility, but requires a level of evidence and justification that many organizations underestimate before committing to it.

FAQ

Do we need a Qualified Security Assessor (QSA), or can we self-assess? It depends on merchant level and transaction volume, set by the card brands — smaller merchants often qualify for a Self-Assessment Questionnaire (SAQ), while larger merchant levels typically require a formal Report on Compliance from a QSA.

Does using a third-party payment gateway mean we're out of scope entirely? Not necessarily. If your systems ever touch, display, or redirect cardholder data — even briefly, as with certain embedded checkout flows — some scope typically remains. Fully hosted, redirect-based payment pages carry the least residual scope.

How does PCI DSS relate to a broader security program like NIST CSF? PCI DSS is narrowly focused on cardholder data protection, while a framework like NIST CSF covers an organization's broader risk management program — see NIST Cybersecurity Framework Overview for how the two relate.

Operational Support

Need help implementing these findings?

IT KORR can coordinate DNS configuration, email authentication setup, and Microsoft 365 governance alignment. We work with your current providers — no migration required.

No commitment required — we respond within one business day.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT