After a phased roll-out starting in 2022, the Payment Card Industry Data Security Standard (PCI DSS) version 4.0 was retired in December 2024 and replaced with PCI DSS 4.0.1. This update did not introduce new requirements beyond those in 4.0; instead it focused on clarifying existing requirements, correcting minor errors, and improving the overall readability and usability of the standard. Nevertheless, the deadline for businesses to certify on PCI DSS 4.0.1 was March 31, 2025.
For businesses ranging from small merchants to major corporate retailers, understanding the responsibilities set forth in PCI DSS 4.0 and mirrored in 4.0.1 is critical, not only for protecting consumer data and avoiding significant non-compliance penalties, but also for maintaining customer trust and ensuring business continuity over the long term.
Read on to learn more about PCI DSS 4.0.1, and what your business must do to achieve and maintain compliance with this essential data security standard.
Core Requirements of PCI DSS 4.0.1
PCI DSS 4.0.1 contains several key differences from versions prior to 4.0, including significantly enhanced security measures designed to counter the increasingly sophisticated techniques cybercriminals use to attempt to access cardholder data. Like previous versions, PCI DSS 4.0.1 is organized around six major control objectives. However, the latest iteration introduces enhanced requirements and standards businesses must employ to achieve these objectives.
Let’s explore the new specifications pertaining to each control objective under version 4.0.1.
Network Security
PCI DSS 4.0.1 has expanded multi-factor authentication (MFA) requirements for business access to on-file card data. While the prior version of the rules required MFA only for administrative access to such data, the new standard requires MFA for all types of access into any Cardholder Data Environment (CDE). PCI DSS defines a CDE as the “system components, people, and processes that store, process, or transmit cardholder data and/or sensitive authentication data,” as well as any third-party system that has connectivity to such data.
Data Protection
The latest PCI DSS guidelines significantly strengthen data protection requirements. Businesses transmitting and storing payment data must use enhanced encryption standards, and must maintain documented descriptions of their cryptographic architecture, including encryption, decryption, and key management processes. Version 4.0.1 also requires the quarterly purging of any stored cardholder data beyond what is necessary for business, legal, and regulatory activities.
Vulnerability Management
Under PCI DSS 4.0.1, businesses must establish regular, ongoing efforts to identify, assess, and remediate vulnerabilities in their systems and networks, including regular penetration testing, to protect against malicious software and other evolving security threats. Version 4.0.1 also expands security testing requirements to cover all system components within the CDE, rather than just public internet-facing systems, as had been required under the previous version.
Access Control
This objective, aimed at limiting access to cardholder data to only the parties that require such access, has been strengthened in PCI DSS 4.0.1. The latest version requires businesses to implement controls that allow or deny access to card data based on specific roles and functions within the organization. Additionally, businesses must review such access controls every six months to evaluate and, where needed, update user roles and permissions. Finally, passwords for parties with access to cardholder data must be stronger and changed more frequently under PCI DSS 4.0.1.
Monitoring and Testing
PCI DSS 4.0.1 places increased emphasis on monitoring data access, as well as on regular testing and validation of data security controls. Specifically, the latest version calls for comprehensive logging of detailed information about when, how, by whom, and for what purpose cardholder data is accessed. The standard also now mandates automated log analysis rather than manual review, and businesses must retain all access logs for at least one year to support potential forensic investigations. Version 4.0.1 also calls for ongoing testing of security systems and processes via regular internal and external vulnerability scans. Any high-risk vulnerabilities found during these scans must be addressed as soon as possible.
Information Security Policy
Version 4.0.1 places greater onus on businesses to develop comprehensive data security policies and programs. Under the rules, these frameworks must include risk assessment and incident response procedures, a formal security awareness program, and clear documentation of security responsibilities across the company. The standard also calls for these policies to be reviewed at least once a year and updated as necessary.
Consequences of Non-Compliance
It’s important to emphasize that compliance with PCI DSS 4.0.1 is mandatory, not optional, for all businesses that process payment cards. Even if you have already certified on PCI DSS 4.0, you still need certification on 4.0.1. The potential consequences of non-compliance can be severe for a business of any size.
Financial Penalties
Non-compliance can result in costly non-compliance fees from payment processing companies and fines from the card networks that make up the Payment Card Industry Security Standards Council. These fines can be significant depending on a business’s size and the severity of the violations.
Security Breach Costs
In 2024, the average cost of a data breach reached an all-time high of $4.88 million, a 10 percent increase over the previous year, according to a recent study from IBM and Ponemon Institute. For businesses with fewer than 500 employees, the average impact of a data breach increased by an even higher 13.4 percent, to $3.31 million, the study found.
Reputational Damage
Beyond direct financial costs, the reputational damage stemming from a data breach can be long-lasting. According to IBM, nearly half of the overall costs of a breach are incurred two or more years after the event, with much of that long-term cost stemming from depleted customer trust following the breach.
Business Disruption
In perhaps the most critical consequence of non-compliance with PCI DSS standards, payment card networks may bar merchants from processing card-based payments entirely, a restriction that can disrupt revenue to the point where a business is unable to continue functioning.
Ensure Compliance with Wind River
With PCI DSS 4.0.1 compliance a must for any business accepting payment cards, and given the severe potential consequences of non-compliance, the time is now to ensure your organization understands and adheres to the latest data security standards.
Wind River can help your business meet this critical challenge by navigating the latest requirements, implementing the necessary controls, and maintaining compliance in an ever-evolving data security landscape.
Contact us today to learn how Wind River can help you get, and stay, compliant with PCI DSS 4.0.1.