The latest update to PCI DSS 4.0 has just been released, and it will be a welcome change for complying organizations. I’ve reviewed the summary of changes, issued by the PCI Security Standards Council, and I expect PCI DSS 4.0.1 will take some stress off of many companies’ shoulders.

This update to PCI doesn’t add or remove any requirements. Instead, it provides a secondary round of additional clarity, based on feedback the Council received. It also corrects issues and errors from the original PCI 4.0 release.

Let’s take a look at what to expect from PCI DSS 4.0.1

Check out TCT’s complete guide to PCI DSS Certification

The Highlight Reel of Significant Changes

Here are the most interesting changes that you’ll want to know about. For an exhaustive list of all the changes that come with PCI DSS 4.0.1, check out the Summary of Changes document on the PCI Security Standards Council website.

Of the various updates that were made in version 4.0.1, the most significant ones are located in Requirements 6 and 8. Those are the two areas with the greatest amount of confusion in version 4.0. The remaining changes in PCI 4.0.1 were clarifications and fixes to typographical errors. That said, here are the items worth noting. 

Requirement 6

The PCI Council removed some language that had been added for version 4.0 — specifically, that the requirement applied to high-security patches and updates. That language has been removed, rolling back to the language in v. 3.2.1. The requirement now states that it applies to critical vulnerabilities.

Requirement 6.4.3 has added clarification about keeping an inventory of all the scripts to be maintained, with written business and technical justifications about why those scripts are necessary. 

They have also added several applicability notes to clarify how requirement 6.4.3 applies to an entity’s web pages and a third-party payment processor’s embedded payment pages or forms. 

These clarifications will be especially helpful for companies that are going through PCI DSS with this net new requirement.

Requirement 8

Generally speaking, a lot of the clarifications and improved guidance surround multi-factor authentication (MFA). These clarifications provide coherence about the applicability of the controls within your environment, depending on the configuration.

For example, MFA for non-administrative access to your cardholder data environment doesn’t apply to user accounts that only authenticate with phishing-resistant auth factors. 

There are several clarifications surrounding MFA, which should help organizations more clearly understand what their obligations are and who the requirements apply to. MFA applicability was a big hot button, even from the early days of PCI 4.0 discussions.

Requirement 12

Under PCI 4.0.1, the Council has implemented a number of changes surrounding the relationship between the customers and third-party service providers. It’s been a requirement for a long time, but the messaging has continued to evolve. 

This update gives much greater clarity about your relationship with your third-party providers — for example, who needs to be doing what, who holds documentation and contractual obligations, and more. The clarity should be very helpful for consumers of the PCI DSS.

Frequently Asked Questions About PCI DSS 4.0.1

When will PCI 4.0 be retired?

Typically, new updates cross over with the previous version for some period of time. That is the case with version 4.0.1, and the Council will officially retire PCI 4.0 on December 31, 2024. After that point, anyone becoming compliant will need to use PCI 4.0.1. 

The good news is that the majority of these changes shouldn’t be materially impactful for your organization, if you’re already pursuing a version 4.0 certification. TCT Portal has the capability to easily port the information from your existing PCI 4.0 track to your new PCI 4.0.1 track — so the update will be no big deal if you’re a TCT Portal customer. This is one of the many ways TCT makes your life easier.

Is there any impact to the requirements with an effective date of March 31, 2025? 

No, those requirements haven’t changed in any way.

Are there any new requirements under PCI DSS 4.0.1?

No, there are no new requirements with this update.

When will the PCI 4.0.1 ROC and SAQ reporting templates, with their AOCs be published?

We don’t have a firm date on that yet, but PCI SSC says they’re targeting Q3 of this year. Updated supporting documents will follow soon after. 

For the moment, TCT has updated the PCI certification track so that organizations can leverage that track in order to manage their compliance engagements. Once the updated templates have been released, we’ll swap out the reporting templates, ROCs, and AOCs for the new versions.

We’ll keep an eye out for those reporting templates and their associated AOCs to move immediately to incorporate them into the TCT Portal.

TCT Portal Already Has PCI DSS 4.0.1

PCI 4.0.1 was issued on June 11 around 1:00 pm Eastern Time. Within an hour, TCT had our hands on it, had started our analysis of modifications and changes, had reviewed those internally, and were in the process of deploying the updates to the PCI 4.0.1 track in TCT Portal.

The updates for the PCI 4.0.1 track are complete and are live for all TCT Portal users.

TCT’s personnel acted fast on this update. We have a lot of clients who leverage the PCI DSS, and it’s our priority to be all over it any time there are changes to PCI. 

We serve organizations across the whole breadth of compliance — assessment firms, service providers, and compliant organizations. Every one of these companies has clients and customers that depend on them. Add up all those stakeholders and you’re looking at tens of thousands of organizations that are affected by PCI compliance. We see that as a tremendous responsibility.

We have countless individuals who depend on TCT to serve them expediently and reliably. It’s something we’ve strived to do from Day One, and we will continue to do it every day we go to work.

That’s why our team was primed to go the moment that PCI 4.0.1 was released. We have clients that need the update quickly, and we took that to heart.

Looking for a compliance management tool that makes compliance suck less for you and your team? Maybe it’s time to see a demo of TCT Portal for yourself.

TCT Portal

Get your
personalized demo

See what TCT Portal can do for your organization

Show Me
KEEP READING...

You may also like