In the realm of payment security, the Payment Card Industry Data Security Standard (PCI DSS) provides a critical framework that guides businesses to protect cardholder information against breaches and fraud.

As the digital landscape evolves and cybersecurity threats become increasingly sophisticated, the PCI DSS sets guidelines and requirements for securing payment card data, with periodic updates to address emerging threats.

The newest version, v4.0 of the PCI DSS, was released in March 2022 and represents a significant update from the previous version, 3.2.1. In this blog, we’ll explore the key differences between PCI DSS 4.0 and its predecessor to help organizations navigate the upgrade process effectively. You can also join our live webinar on March 12 to dive deeper and participate in a live Q&A session.

The genesis of PCI DSS 4.0

PCI DSS 4.0 emerged in response to the rapidly changing digital payment ecosystem, characterized by sophisticated cyberthreats and technological advancements. Its development underscores a proactive approach to safeguarding sensitive payment information through enhanced security measures, flexibility, and efficiency.

A leap towards customization and flexibility

One of the most prominent shifts in PCI DSS 4.0 is its emphasis on customization. Unlike the more prescriptive nature of PCI DSS 3.2.1, the latest version provides a flexible framework that allows organizations to tailor their security measures based on specific risks and business models. This approach enables businesses to implement innovative and effective controls that align with their operational realities. For instance, a retail chain can tailor security controls for each type of POS system, applying advanced encryption or enhanced monitoring as needed. Similarly, a cloud-based service provider might use cloud-native features like dynamic scaling and microsegmentation to protect cardholder data, optimizing both security and efficiency.

Strengthening security through a risk-based approach

PCI DSS 4.0 accentuates the importance of a risk-based approach to security. This paradigm shift encourages organizations to conduct thorough risk assessments, enabling them to identify and prioritize threats. By focusing on risk management, businesses can allocate resources more efficiently, ensuring that the most critical vulnerabilities are addressed promptly.

Enhanced authentication protocols

The evolution of digital payments has brought authentication mechanisms to the forefront of security discussions. PCI DSS 4.0 introduces more stringent requirements for multi-factor authentication (MFA), extending its application to encompass all access to the cardholder data environment (CDE). This move aims to fortify access controls, minimizing the risk of unauthorized access to sensitive data.

Key differences: PCI DSS v3.2.1 vs. PCI DSS v4.0

Here are the key differences between PCI DSS v3.2.1 and v4.0:


| | PCI DSS v3.2.1 | PCI DSS v4.0 |
| --- | --- | --- |
| | Explicitly defines the scope through requirement details | Emphasizes continuous monitoring and the dynamic nature of the scope |
| | Stronger focus on MFA | Continues emphasis on MFA, adds authentication controls |
| | Addresses requirements for encryption of cardholder data, but provides limited guidance on its management when the decryption keys are held separately | Expands encryption requirements to include new technologies, emphasizing the importance of protecting cardholder data even if decryption capabilities are out of reach |
| Software development | Introduces Secure Software Lifecycle (SLC) requirements | Further enhances software security requirements |
| Risk assessment | Requires a formal risk assessment process | Strengthens risk assessment processes and introduces targeted risk analysis |
| Penetration testing | Requires annual penetration testing | Recommends continuous penetration testing |
| Cloud computing | Guidance provided for cloud computing environments | Enhancements for securing cloud-based infrastructure |
| Security awareness | Requires security awareness training | Enhances security awareness training requirements |
| Service providers | Focuses on service provider accountability | Emphasizes shared responsibility and third-party risk management |
| Reporting requirements | Specific reporting requirements outlined | Enhanced reporting requirements, more focus on evidence-based reporting |
| Wireless networking | Guidance provided for secure wireless networking | Updates wireless networking requirements for modern technologies |

PCI DSS v4.0 is a significant update from v3.2.1. The new standard places a greater emphasis on risk management, emerging threats, and technologies. Organizations that are not yet compliant with PCI DSS v4.0 should start planning their upgrade now.

ManageEngine Log360 is a unified SIEM solution with integrated DLP and CASB capabilities that helps you comply with regulatory mandates such as PCI DSS v4.0, HIPAA, SOX, FISMA, and the GDPR. This comprehensive solution detects, prioritizes, investigates, and responds to security threats by combining threat intelligence, ML-based anomaly detection, and rule-based attack detection techniques.

Watch our live webinar on PCI DSS v4.0 to learn more!