New Requirements in PCI DSS v4.0

Over the past decades, the Payment Card Industry Data Security Standard (PCI DSS) has been a pivotal framework for organizations handling cardholder data, ensuring the security of credit and debit card transactions across the globe.

As we witness an increasingly sophisticated digital landscape, fraught with advanced threats and technological evolutions, the PCI DSS has been updated to stay ahead of potential vulnerabilities.

In this week’s feature of the VENZA Echo, we’ll navigate through the rules contained in PCI DSS v4.0, discussing its crucial updates and their implications for hoteliers.

Evolution of PCI DSS

Since its original release in 2004, PCI DSS has steadily evolved with updates that have mirrored the changing dynamics of cybersecurity in the payment industry.

From the first version to the more comprehensive v3.2.1, each iteration has addressed new challenges and fortified the payment card industry against an array of cyber threats.

With v4.0, the standard continues its journey, building upon the foundation laid by its predecessors and incorporating contemporary security practices to safeguard payment data.

Enhancements to MFA

A cornerstone in the armory of data security measures, Multi-Factor Authentication (MFA) sees significant expansion in PCI DSS v4.0.

The standard now requires MFA to be utilized not only by administrators but by every individual who accesses the cardholder data environment, regardless of their role within the organization. This update reflects a substantial shift in mitigating unauthorized access risks.

Furthermore, MFA extends its umbrella of protection to include access gained directly via on-site consoles, no longer limiting its scope to remote users.

Moreover, the MFA is mandated to be applied to every access attempt to the cardholder data environment, signifying a more granular control that could lead to multiple authentication steps within a single session for remote users.

Annual Diligence

Under PCI DSS v4.0, entities are now expected to demonstrate enhanced vigilance by incorporating a series of annual checks and balances.

Organizations must regularly document their cardholder data environments, perform targeted risk analysis for customized controls, and assess the risk factors associated with the frequency of control implementation.

Additionally, a yearly review of the cryptographic suites, protocols, and both hardware and software technologies in use is now a necessity. This proactive approach ensures that businesses are not only compliant but are also actively engaging with the security of their payment systems.

Customized Approach

One of the most innovative introductions in PCI DSS v4.0 is the “Customized Approach”.

This new compliance pathway allows merchants and service providers the flexibility to implement alternative controls that meet the security objectives of the PCI DSS in cases where traditional controls are challenging to apply.

This approach supplements, rather than replaces, the compensating controls from the previous version, providing an additional strategy for organizations to maintain compliance while catering to unique business needs and technological environments.

Other Changes

In the new iteration, there are several other substantial changes that stakeholders should be aware of.

The previous acceptance of disk-level or partition-level encryption as a method to render the primary account number unreadable has been retracted. Now, more robust encryption methods are expected to be employed.

Moreover, there’s an introduction of a requirement to maintain an inventory of all trusted keys and certificates, highlighting the emphasis on managing secure transmission of cardholder data.

The use of firewalls has been more clearly defined, with vulnerability scans no longer being considered a substitute for web application firewalls when it comes to protecting public-facing applications.

Furthermore, internal vulnerability scans are now required to be performed using authenticated methods, ensuring a deeper and more accurate assessment of the system’s security.


With the advent of PCI DSS v4.0, the payment security framework takes a significant leap forward, aligning itself with the current and future state of payment system security.

Organizations must approach these updates with a strategic mindset, understanding the expanded MFA criteria, the importance of annual diligence processes, and embracing the flexibility offered by the Customized Approach.

Feeling overwhelmed? Don’t be. VENZA and CyberTek are here to help. Cybersecurity is complex, but in partnership with us, your company can get started in as little as one month. Get a live demonstration today by contacting our Customer Success Team.

Ready to elevate your game? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.


Take VENZA’s free Phishing Test to assess gaps in your human firewall today!

Human Firewall

Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.


Want to stay informed? Subscribe to the free VENZA Echo now. You’ll receive a monthly digest with the highlights of our weekly article series and important product updates and news from VENZA.