April 04, 2022

PCI DSS 4.0 Introduces Transformational Change: New Risk Analysis, Governance Requirements and Alternative Customized Approach


Key Takeaways

  • The Payment Card Industry Security Standards Council released version 4.0 of its Data Security Standard (PCI DSS 4.0) on March 31, 2022.
  • The new version—which brings major changes to the payments ecosystem—places an increased focus on targeted risk analysis, organizational maturity and governance.

On March 31, 2022, the Payment Card Industry Security Standards Council released version 4.0 of its Data Security Standard (PCI DSS 4.0). The new version—which brings major changes to the payments ecosystem—places an increased focus on targeted risk analysis, organizational maturity and governance. It also makes PCI DSS compliance a continuous effort, rather than an annual snapshot exercise, and introduces a customized approach to PCI assessments, enabling businesses to implement alternative technical and administrative controls that meet the customized approach objective.

Merchants, service providers, issuers, acquirers, and any other businesses that store, process, or transmit payment cardholder data should begin planning for PCI DSS 4.0. Implementing PCI DSS 4.0 will require structural changes that go beyond tweaking security controls. Businesses will also need to prepare for the increased legal risks of PCI DSS 4.0's obligations. PCI assessments under version 4.0 will require more security documentation, risk analysis and affirmative statements than before, exposing the company's security posture to greater scrutiny.

Because of the complexity of the new requirements and the time required to implement structural changes, companies should begin addressing and internally validating compliance in advance of an assessment by their qualified security assessor (QSA). Businesses should consider whether to involve legal counsel and other consultants (under privilege) in this assessment and other aspects of their transition to PCI DSS 4.0, including for purposes of encouraging full and open communication and consideration of risks and exposure.

In Depth


PCI DSS 4.0 is an extensive change to the previous version of PCI DSS; some of the significant changes are included below.

Increased Requirements for Yearly Diligence for Merchants and Service Providers

PCI DSS 4.0 increases the requirements for periodic diligence of merchants and service providers by adding several new controls. These include:

  • At least every 12 months and upon a significant change, document and confirm the PCI DSS scope of the in-scope environment (PCI DSS 12.5.2) with additional documentation requirements for service providers (PCI DSS;
  • Targeted risk analysis for any controls that use the customized approach at least every 12 months, with written approvals by senior management (PCI DSS 13.3.2);
  • At least an annual risk analysis for any controls that allow flexibility in how frequently the control is performed (PCI DSS 13.3.1, Best Practice until 2025);
  • At least an annual review of cipher suites and protocols (PCI DSS 12.3.3, Best Practice Until 2025); and
  • At least an annual review of hardware and software technologies in use with a plan to remediate outdated technologies approved by senior management (PCI DSS 12.3.4, Best Practice Until 2025).

These additional annual diligence requirements will take time and effort to establish. Additionally, merchants and service providers may want to gain experience building these new processes well in advance of having to rely on them for PCI DSS compliance through their Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) processes and QSA oversight. Starting sooner rather than later will be key to pragmatic results, allowing at least one practice cycle of these assessments before relying on them for PCI DSS compliance.

New Customized Approach

When merchants and service providers could not meet the prescriptive controls of PCI DSS 3.2.1, they would need to propose a compensating control and justify it with a risk assessment and a compensating control worksheet (CCW). In PCI DSS 4.0, this option still exists, but there is also a new option for a customized control approach. This customized approach still retains the requirement to evaluate risk, but it allows for a more strategic pathway to meet a control. Instead of compensating for the lack of a control, the customized approach allows the merchant or service provider to document a different control based on the objective of the control that is being customized. This customized control will then be assessed by the assessor in place of the control that is being substituted, allowing for a long-term customization rather than a shorter-term "compensating" control. (Note: Not all controls are eligible for the customized approach; notably, PCI DSS 3.3.1 prohibits storage of sensitive authentication data (SAD) after authorization.)

Expanded Risk Analysis Guidance

PCI DSS 4.0 has also provided expanded guidance on conducting risk analysis. Risk analysis has always been a part of PCI DSS, most notably as part of the compensating control worksheet. In this new version, there is a Sample Targeted Risk Analysis Template (PCI DSS Appendix E2). While use of the template is not required, it provides more information on how the PCI Security Standards Council expects a risk analysis to be carried out.

Clarifications to "Significant Change" Standard

PCI DSS 4.0 has clarified some key PCI DSS concepts, including a fuller description of a "significant change," which was not specifically defined in prior versions of PCI DSS. While there is still not an exact definition in this latest version, PCI DSS does provide descriptions and examples of what a significant change is (PCI DSS, 7 Description of Timeframes Used in PCI DSS Requirements). This is important because of the many interim changes, adaptations and updates (especially in the mobile payments industry) in the United States and in other countries (such as India).


PCI DSS 4.0 will remain optional until March 31, 2024, when PCI DSS v. 3.2.1 will be retired. Assessments performed after that date must be under version 4.0. Companies will be able to opt in to version 4.0 in the coming months once the self-assessment questionnaires and other supporting documents are released.

Several of the new requirements added for version 4.0 will not become mandatory until March 31, 2025. Until that date, these requirements are considered "Best Practice" for entities that opt in to version 4.0 early.


The increased focus on risk assessments in PCI DSS 4.0 means that entities are likely to disclose more information about their security program to QSAs than they would under version 3.2.1. Given that PCI security assessments are not conducted under privilege, businesses should be prepared for the assessment papers to be scrutinized in the wake of a security incident. This will be increasingly significant because the widespread adoption of chip transactions in the US has reduced the viability of card cloning, reportedly causing credit card fraudsters large and small to target card-not-present (CNP) transaction data and increase cyber risk to a wide variety of companies.

Statements made in risk analyses should be accurate, verifiable and consistent with other disclosures. Security documentation should reflect actual, provable and current practices. Customized controls should defensibly meet the defined customized approach objectives.

The transition to PCI DSS version 4.0 will prove challenging and time-consuming to many companies. Companies should begin their transition planning promptly. An initial step in the transition should be an assessment against the PCI DSS 4.0 standard to identify compliance gaps and opportunities to implement a customized approach. Engaging outside counsel to help oversee the conduct of the internal assessment or other aspects of transition planning can mitigate risk and contribute to a successful transition.
