What Are the Key Changes in PCI DSS v4.0.1?

Not much to be honest. The PCI Security Standards Council (PCI SSC) has released a limited revision to the PCI DSS standard. PCI DSS v4.0.1 addresses feedback and questions raised since the original v4.0 publication in March 2022. This revision mainly consists of formatting corrections, typographical error fixes, and clarifications of existing requirements and guidance without introducing new or deleting existing requirements.

Key Changes

Some notable updates in PCI DSS v4.0.1 include:

  • Requirement 6:
    • 6.3.3 was reverted to the v3.2.1 wording, so high-risk vulnerabilities no longer need to be remediated within 30 days; once again only critical vulnerabilities do.
    • 6.4.3 applicability notes have been updated to clarify that:
      • If it is impractical for authorization to occur before a script is changed or a new script is added to the page, the authorization should be confirmed as soon as possible after a change is made; and
      • Where an entity includes a TPSP’s/payment processor’s embedded payment page/form on its webpage, the entity should expect the TPSP/payment processor to provide evidence that the TPSP/payment processor is meeting this requirement, in accordance with the TPSP’s/payment processor’s PCI DSS assessment and Requirement 12.9.
  • Requirement 8:
    • 8.4.2's applicability note now states that MFA for all non-console CDE access does not apply to "User accounts that are only authenticated with phishing-resistant authentication factors." A definition of Phishing-Resistant Authentication was added to the Glossary:

      "Authentication designed to prevent the disclosure and use of authentication secrets to any party that is not the legitimate system to which the user is attempting to authenticate (for example, through in-the-middle (ITM) or impersonation attacks). Phishing-resistant systems often implement asymmetric cryptography as a core security control.
      Systems that rely solely on knowledge-based or time-limited factors such as passwords or one-time-passwords (OTPs) are not considered phishing resistant, nor are SMS or magic links. Examples of phishing-resistant authentication include FIDO2
  • Requirement 12:
    • 12.9.2 applicability notes have been updated to clarify that a PCI DSS Attestation of Compliance (AOC), a declaration on a company’s website, a policy statement, a responsibility matrix, or other evidence not included in a written agreement is not a written acknowledgment that meets this requirement.
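To make the glossary definition behind the 8.4.2 note concrete, here is an added example (not PCI SSC text, and not code from this blog) of why a FIDO2-style assertion is phishing resistant: the authenticator signs the relying party's one-time challenge together with the origin the browser observed, and the relying party rejects any assertion bound to another origin or to a challenge it did not issue, so no reusable secret ever reaches an in-the-middle or lookalike site. It is a simplified model using Go's standard-library ECDSA (real WebAuthn also signs authenticator data and checks further fields); the origins and challenges in the comments are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// ClientData carries what makes the assertion phishing resistant: the server's one-time challenge and the origin the browser (not the user) saw.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// NewKey models registering an authenticator; the private key never leaves it.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign stands in for the authenticator: it returns clientDataJSON and an ECDSA
// signature over its SHA-256 hash, never the secret itself (asymmetric crypto as the core control).
func Sign(priv *ecdsa.PrivateKey, challenge, origin string) ([]byte, []byte, error) {
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return cd, sig, err
}

// Verify is the relying-party check: a valid signature is not enough, the assertion must also
// be bound to the origin we serve and the challenge we issued, which defeats relay and replay.
func Verify(pub *ecdsa.PublicKey, cd, sig []byte, wantChallenge, wantOrigin string) error {
	var parsed ClientData
	if err := json.Unmarshal(cd, &parsed); err != nil {
		return err
	}
	h := sha256.Sum256(cd)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature invalid")
	}
	if parsed.Origin != wantOrigin {
		return errors.New("origin mismatch: assertion bound to " + parsed.Origin)
	}
	if parsed.Challenge != wantChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	return nil
}
```

The origin check is the part a password or OTP flow cannot offer: the user is never asked to type anything that could be relayed, and an assertion produced for a lookalike origin is useless to the genuine relying party.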

Note: These are not all the changes made to the document; you can grab the PCI DSS Summary of Changes document from the PCI SSC website for a full list.

You can grab a copy of the new PCI DSS v4.0.1 here.

Frequently Asked Questions

  • Retirement of PCI DSS v4.0: PCI DSS v4.0 will be active alongside v4.0.1 until 31 December 2024, after which only v4.0.1 will be supported.
  • Effective Date for New Requirements: The revision does not alter the 31 March 2025 effective date for new requirements.
  • New Requirements: No new or deleted requirements are included in PCI DSS v4.0.1.
  • Publication of Supporting Documents: Updated Report on Compliance (ROC) Template, Attestations of Compliance (AOCs), and Self-Assessment Questionnaires (SAQs) for v4.0.1 are expected in Q3, followed by other supporting documents.
  • Has PCI Policies updated their templates: Yes, absolutely. We've updated our SOA document with all the updated requirements, testing procedures and applicability notes. You can download a copy by clicking here.
