In response to feedback and inquiries from stakeholders following the publication of PCI DSS v4.0 in March 2022, the PCI Security Standards Council (PCI SSC) has released a minor update to the standard, known as PCI DSS v4.0.1. This revision corrects formatting issues and typographical errors and clarifies the focus and purpose of certain requirements and recommendations. No requirements have been added or removed in this update.
To ensure that the modifications, clarifications, and additional guidance effectively assist in the adoption of PCI DSS v4 within the industry, the PCI SSC Board of Advisors, Global Executive Assessor Roundtable, and Principal Participating Organizations (through the Technology Guidance Group) were requested to review and provide feedback on the proposed changes during a Request for Comments (RFC) period held from December 2023 to January 2024. An RFC Feedback Summary is accessible to all RFC participants via the PCI SSC portal.
For a comprehensive overview of the modifications, please consult the Summary of Changes from PCI DSS v4.0 to v4.0.1, now accessible in the PCI SSC Document Library. Some of the key changes implemented in this update include:
Requirement 3
- Clarified Applicability Notes for issuers and organizations that offer issuing services.
- Included a Customized Approach Objective and specified applicability for entities that use keyed cryptographic hashes to render Primary Account Numbers (PAN) unreadable.
Requirement 6
- Reverted to the language used in PCI DSS v3.2.1, emphasizing that the installation of patches/updates within 30 days is necessary only for “critical vulnerabilities.”
- Added Applicability Notes to elaborate on how the requirement for managing payment page scripts is applicable.
Requirement 8
- Introduced an Applicability Note stating that the requirement for multi-factor authentication for all (non-administrative) access into the CDE does not apply to user accounts that are authenticated solely with phishing-resistant authentication methods.
Requirement 12
- Updated Applicability Notes to clarify various aspects concerning the relationships between customers and third-party service providers (TPSPs).
Appendices
- Eliminated Customized Approach sample templates from Appendix E and directed users to the provided sample templates on the PCI SSC website.
- Added definitions for “Legal Exception,” “Phishing Resistant Authentication,” and “Visitor” to Appendix G.
Answers to Common Queries about PCI DSS v4.0.1
When will PCI DSS v4.0 be replaced?
As with every new iteration of PCI DSS, there will be an overlap period during which both the current and updated versions are active simultaneously. PCI DSS v4.0 will be retired on December 31, 2024. After that date, PCI DSS v4.0.1 will be the only version of the standard supported by PCI SSC.
If uncertain, consult FAQ 1328 “Where can I find the current version of PCI DSS?” for additional details and links to more FAQs on transitioning to an updated PCI DSS version.
Does PCI DSS v4.0.1 alter the effective date of the new requirements set for March 31, 2025?
No, this minor revision does not affect the effective date of the new requirements.
Are there any fresh requirements in PCI DSS v4.0.1?
No, as this is a minor revision, there are no additions or removals of requirements. Please refer to the Summary of Changes from PCI DSS v4.0 to v4.0.1 for complete details.
When will the PCI DSS v4.0.1 Report on Compliance (ROC) Template, Attestations of Compliance (AOCs), and Self-Assessment Questionnaires (SAQs) be published?
The PCI DSS v4.0.1 Report on Compliance (ROC) Template, Attestations of Compliance (AOCs), and Self-Assessment Questionnaires (SAQs) are scheduled for release in Q3, followed shortly by the updated PCI DSS supporting documents, such as the Prioritized Approach tool.
Seeking Further Information?