What you should know about PCI DSS v4.0.1

If your business handles payment card data, you’ve probably heard of PCI DSS, the security standard designed to protect cardholder information. In June 2024, the PCI Security Standards Council released PCI DSS v4.0.1. It wasn’t a major overhaul, but rather a maintenance update: clarifying certain requirements, fixing minor errors, and making the guidance easier to understand.

The core requirements remain the same, so if you were already on track with v4.0, you won’t need to start from scratch.

In this guide, we’ll walk through what’s new in PCI DSS v4.0.1 and why the update matters for organizations that handle cardholder data.

What is PCI DSS v4.0.1?

PCI DSS v4.0.1, or Payment Card Industry Data Security Standard version 4.0.1, is the latest set of security guidelines developed by the PCI Security Standards Council to protect cardholder data and maintain trust in the global payment ecosystem. 

Like its predecessors, PCI DSS v4.0.1 defines a framework of technical and operational requirements for any organization that stores, processes, or transmits payment card information. Published on 11 June 2024, PCI DSS v4.0.1 is a limited revision to v4.0 that clarifies language and fixes minor errors. PCI DSS v4.0 was retired on 31 December 2024, after which v4.0.1 became the active version.

PCI DSS v4.0.1 is intended to strengthen security practices, reduce ambiguity, and ensure that organizations remain aligned with evolving payment industry needs.

What are the main changes in PCI DSS v4.0.1?

All edits in PCI DSS v4.0.1 fall into two categories:

1. ‍Clarification or guidance — wording, explanations, definitions, and added guidance that increase understanding or give more detail on specific topics.‍
2. Structure or format — reorganization of content, such as moving or removing material, to make the standard easier to navigate and apply.

The changes in detail

1. Correcting wording and formatting
PCI DSS v4.0.1 fixes typographical and minor editorial errors to improve clarity and consistency. Testing procedures were realigned to match the updated requirement wording. Example: the phrase referencing the CDE was revised to clarify that scope considerations refer to cardholder data and sensitive authentication data.

2. Appendices and templates
Sample templates that had been included in Appendix E were removed from the standard text and are now referenced as available on the PCI SSC website. The Glossary and Guidance were cleaned up so definitions appear in the Glossary, with Guidance referring to those glossary terms. New glossary entries were added, for example: “Legal Exception,” “Phishing Resistant Authentication,” and “Visitor.” 

3. Applicability notes and clarifications

• ‍Requirement 3, Protect stored account data: Clarified applicability for issuers and companies supporting issuing services. Certain sub-requirements (for example, those related to Sensitive Authentication Data) are not applicable to issuers when they have a legitimate, documented business need.

• ‍Requirement 6, Secure systems and software: Reverted to the v3.2.1 language that the 30-day patching expectation applies to critical vulnerabilities. Applicability notes were also clarified for managing payment page scripts.

• ‍Requirement 8, Identify and authenticate access: Added an applicability note that Multi-Factor Authentication (MFA) requirements for non-administrative access into the CDE do not apply to user accounts that are authenticated only with phishing-resistant authentication factors.

• ‍Requirement 12, Organizational policies and programs: Clarified expectations for third-party service providers regarding support for customer requests about PCI DSS compliance status and responsibilities. 

4. Other editorial and structural cleanups
Several smaller reorganizations and cross-reference improvements were made to reduce ambiguity and improve usability. The Summary of Changes lists each edit and points to the precise locations in the standard. 

How PCI DSS v4.0.1 impacts your organization

While PCI DSS v4.0.1 does not introduce major new requirements, it clarifies language, reorganizes content, and refines guidance to ensure consistent interpretation. These adjustments may require updates to documentation, staff training, and compliance reporting. 

For organizations handling cardholder data, staying aligned with the clarified standards helps avoid misinterpretation, strengthens security practices, and ensures continued compliance under the latest version.

An overview of core PCI DSS requirements

The 12 core requirements of PCI DSS have remained consistent across versions, including the latest v4.0.1. While v4.0.1 introduced clarifications, updated guidance, and minor formatting changes, the foundational security principles are unchanged. 

These requirements form the backbone of cardholder data protection, covering everything from network defenses to physical security:

• Requirement 1: Install and maintain network security controls
  Establish and manage firewalls and segmentation rules to block unauthorized access into the cardholder data environment (CDE). This keeps attackers out of critical systems.‍

• Requirement 2: Apply secure configurations to system components
  Eliminate default settings, unnecessary features, and misconfigurations to reduce exploitable gaps across all systems.
  

• Requirement 3: Protect stored cardholder data
  Encrypt, truncate, or tokenize Primary Account Numbers (PAN) and maintain strong key management to render them useless if stolen. PCI DSS v4.0.1 also clarifies that sensitive authentication data (SAD) must not be stored after authorization, with limited exemptions for issuers, and provides updated applicability notes to guide organizations on when these restrictions apply.‍

• Requirement 4: Encrypt transmission of cardholder data over public networks
  Use strong protocols (e.g., TLS 1.2 or higher) to safeguard data moving across open or untrusted networks. This prevents interception and eavesdropping.‍

• Requirement 5: Secure systems against malware
  Deploy anti-malware tools and keep them updated to protect the CDE from malicious software.‍

• Requirement 6: Develop and maintain secure systems and software
  Follow secure software development practices and patch vulnerabilities promptly to prevent weaknesses from being introduced via code. Under PCI DSS v4.0.1, critical vulnerabilities must be remediated within 30 days, while non-critical issues follow risk-based remediation timelines defined by the organization.‍

• Requirement 7: Restrict access based on business need-to-know
  Limit access to cardholder data strictly to those with a legitimate business purpose to reduce insider risk.

• Requirement 8: Identify and authenticate access
  Enforce unique user IDs, implement strong authentication, and apply expanded MFA to ensure that only verified users can access sensitive systems.

• Requirement 9: Restrict physical access to cardholder data
  Implement physical controls, like locks and card readers, to prevent unauthorized individuals from accessing devices containing cardholder data (CHD).

• Requirement 10: Log and monitor access to system components
  Maintain audit logs that record who did what and when, and regularly review them to detect suspicious behavior.
  

• Requirement 11: Test security of systems and networks regularly
  Conduct vulnerability scans, penetration testing, and wireless assessments to identify weaknesses before attackers do.‍

• Requirement 12: Maintain security policies and programs
  Establish and enforce governance, training, risk management, and oversight to sustain strong security across the organization. PCI DSS v4.0.1 further clarifies that service providers are obligated to support customers with compliance inquiries, including providing required documentation and evidence.

Practical concerns for CEOs

As a CEO, ensuring your organization complies with PCI DSS v4.0.1 is crucial for maintaining customer trust, protecting sensitive data, and avoiding costly breaches or fines.

Here are some key practical concerns and steps to consider:

1. Ensuring smooth transition and compliance

Understand the changes: Familiarize yourself with the Summary of Changes from PCI DSS v4.0 to v4.0.1 available in the PCI SSC Document Library for an in-depth comparison. This will help you understand what is required and avoid compliance pitfalls.

Engage your team: Ensure that your compliance and IT teams are aware of the updates and understand their implications. Regular training and updates can help keep everyone aligned.

Resource allocation: Allocate sufficient resources, both in terms of budget and personnel, to address compliance requirements. Compliance can be resource-intensive, but the investment is crucial for long-term security and trust.

2. Risk management and data protection

Mitigate risks: Ensure that your organization has robust risk management strategies in place to identify, assess, and mitigate risks associated with cardholder data. Regularly update these strategies to reflect the latest standards.

Protect data: Implement strong data protection measures to safeguard cardholder data and sensitive authentication data. This includes encryption, secure storage, and regular audits to ensure compliance with PCI DSS requirements.

3. Operational efficiency

Leverage technology: Use advanced technology solutions to streamline compliance processes. Automated tools can help manage compliance tasks, monitor systems, and generate reports, reducing the burden on your team.

How Scrut can help you comply with PCI DSS v4.0.1

Whether you are already PCI certified or working toward certification for the first time, transitioning to PCI DSS v4.0.1 is essential. At Scrut, we make the process easier by combining expert guidance with a powerful compliance platform.

Here’s how we help:

1. Detailed analysis
   We review the official Summary of Changes from PCI DSS v4.0 to v4.0.1 and explain how each update affects your organization.
   
2. Gap assessments
   Our InfoSec and Customer Success teams conduct vulnerability and compliance gap assessments to identify weaknesses, prioritize fixes, and create a clear remediation roadmap.
   
3. Compliance management
   Assign owners, track tasks, deliver security awareness training, and monitor readiness from a single platform with expert support available whenever you need it.
   
4. Program planning and implementation
   We align your compliance efforts with your business objectives, from building detailed plans to executing them effectively.
   
5. Policy development
   Create or customize security policies with the help of our InfoSec experts. Use our platform’s DIY tools or let us draft them for you, ensuring they are both compliant and practical.
   
6. Testing services
   Access a full suite of tests, including penetration testing, vulnerability scanning, and cloud or application security assessments, to identify and fix security gaps early.
   
7. Evidence collection and continuous monitoring
   Automatically gather evidence from more than 100+ integrations, centralize compliance data, and track control progress in real time to resolve issues before they escalate.
   
8. Pre-emptive audit preparation
   Plan PCI DSS audits in advance, track control readiness, and avoid last-minute bottlenecks with clearly defined project timelines.
   
9. Audit support
   Work with our partner QSAs directly through the platform or choose from our preferred auditors for a smooth, end-to-end assessment experience.
   

By combining our technology, expertise, and hands-on support, Scrut helps you achieve and maintain PCI DSS v4.0.1 compliance while minimizing disruption to your business.

‍

FAQs

1. Which businesses must comply with PCI DSS?

All organizations that store, process, transmit, or can impact the security of cardholder data and/or sensitive authentication data must comply with PCI DSS. This includes merchants, service providers, financial institutions, software developers, and manufacturers. 

2. What are the penalties for non-compliance?

PCI DSS non-compliance can lead to penalties determined by payment brands or acquiring banks, such as fines, increased transaction fees, and even suspension of card processing privileges. These consequences are typically enforced by the card networks, not the PCI SSC itself.

3. Is PCI compliance required by law?

No, PCI DSS is not required by law. It is enforced contractually by payment card brands and acquiring banks. Compliance is required to maintain merchant processing status, but PCI DSS is not government-imposed.

4. Are there new requirements in PCI DSS v4.0.1?

No, there are no new requirements in PCI DSS v4.0.1. It is a limited revision that corrects typographical errors, clarifies guidance, and updates formatting. It does not introduce new or remove existing requirements. 

5. What is the enforcement timeline for PCI DSS v4.0.1?

PCI DSS v4.0 was retired as of December 31, 2024. PCI DSS v4.0.1 is the only active version now. Future-dated requirements introduced in v4.0, such as universal MFA, continue with their original deadlines (e.g. March 31, 2025).

6. When did PCI DSS v4.0.1 come into effect?

PCI DSS v4.0.1 was published in June 2024 and became effective immediately. Following the retirement of v4.0 at the end of December 2024, v4.0.1 became the sole standard supported by PCI SSC.

7. When was PCI DSS v4.0 retired?

PCI DSS v4.0 was officially retired on December 31, 2024. After that, v4.0.1 became the only active version. 

8. How do the changes in PCI DSS v4.0.1 affect my business?

Since there are no new requirements, businesses should focus on reviewing and updating their documentation, retraining staff on clarified guidance, and ensuring technical implementation aligns with the refined language. Minor wording adjustments may affect interpretation and scope.