Data Security

PCI DSS 4.0 Shifts Toward Flexibility and Risk for Better Payment Data Security

rectangle Written by: Matthew Delman rectangle 2 5 min read

Payment card information remains some of the most attractive data for cybercriminals. When they’re able to collect credit card numbers and sell them on the dark web or use them for fraudulent transactions. Given the evolution in threats facing financial data, the PCI Security Standards Council (PCI SSC) released version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) in March 2022.

The standard existed in parallel with PCI DSS 3.2.1 from its release in March 2022 until March 31, 2024, when version 3.2.1 of the standard was retired. There were extensive changes made the standard between the versions, including some future-focused new requirements that don’t go into effect until 2025. The bulk of the changes become mandatory as of April 1, 2024, however, meaning that payment card processors and merchants should already be in compliance with the bulk of the standards.

PCI DSS 4.0 marks a substantial evolution for payment card security. There are a few major changes from 3.2.1, including the adoption of a new customized method for compliance, promoting continuous security, and enhancements to the self-assessment questionnaire.


The Customized Approach Adds Needed Flexibility

PCI DSS 3.2.1 was known for its prescriptive requirements around security controls. The standards council at PCI defined the specific technologies that merchants and processors needed in order to process payment card data. On its face this may make sense, but the reality is that every business is different. A mom and pop bakery doesn’t have the same security requirements as a global e-commerce giant.

The defined approach of the past offered minimal flexibility in terms of security. The new Customized Approach instead recognizes that “one size fits all” doesn’t work in cybersecurity. Businesses can now design security measures that best suit their environment and risk profile. This empowers organizations to be more innovative in their approach to security, leveraging cutting-edge technologies and solutions that meet their specific needs.

The new Customized Approach in PCI DSS 4.0 is a game changer. The new standard requires organizations to conduct more thorough risk assessments to identify vulnerabilities specific to their payment systems. This allows for a more dynamic and adaptable security posture, ensuring controls are tailored to address the most pressing threats.

For instance, a large retail chain processing thousands of transactions daily might prioritize implementing advanced intrusion detection and prevention systems (IDS/IPS) to proactively identify and block malicious activity. Meanwhile, a smaller online store handling a lower volume of transactions might focus on robust access controls and multi-factor authentication to prevent unauthorized access to their cardholder data environment (CDE).

PCI DSS 4.0 Changes Empower Better Security

Beyond adding the ability to adopt a custom approach to compliance, the PCI DSS 4.0 standard introduced several new requirements and updated a few existing ones. PCI SSC had a number of goals with this changes, but most notably they focused on cloud environments and a more continuous approach to security.

The PCI SSC recognized that payment security has to evolve to keep up with a complicated threat landscape. As a result, a few of the key changes that you’ll find in the new standards are:

  • Stronger focus on multi-factor authentication (MFA): MFA adds an extra layer of security beyond passwords, making it significantly harder for attackers to gain unauthorized access to sensitive systems.
  • Emphasis on continuous monitoring and regular testing: Security controls are only effective if they are continuously monitored and regularly tested for vulnerabilities. PCI DSS 4.0 emphasizes the importance of ongoing security assessments to ensure controls remain robust.
  • More precise guidance on managing encrypted data: With the increasing use of encryption to protect cardholder data, PCI DSS 4.0 provides clearer guidance on how to securely manage encryption keys, even when stored separately from the encrypted data.
  • Clarification on applicability: The new standard clarifies how PCI DSS requirements apply to entities that don’t handle primary account numbers (PANs) but still store other sensitive cardholder data.

PCI DSS 4.0 represents a significant step forward in securing payment card data. By focusing on risk management, customization, and continuous improvement, the new standard empowers organizations to build stronger and more adaptable security programs. By taking a proactive approach to compliance, businesses can ensure the safety of their customers’ data and maintain trust in the payment ecosystem.


How Sotero Supports PCI-DSS 4.0 Compliance

Sotero empowers businesses with robust, end-to-end encryption solutions that protect data at rest, in transit, and in use. As part of this encryption, Sotero employs data masking techniques to safeguard sensitive information that still allows personnel to validate data without exposing it.

However, Sotero’s magic lies in its data-centric security approach. Rather than trying to secure every possible entry point, Sotero focuses its security measures on the data, where it matters most. This focus ensures that, regardless of where a potential breach could occur, the data remains protected.

Sotero’s anomaly detection adds an additional layer of security, empowering security teams to monitor all data utilization and establish baselines for user and application behavior. Any high-risk changes to this baseline behavior, potentially indicative of an attack, are detected early in the process and promptly halted. This provides continuous monitoring and assessment, a key component of PCI-DSS compliance.

With Sotero, companies can ensure not only the safety of their data, but also the integrity of their brand. Remember that compliance is about more than avoiding penalties–it’s about building competitive differentiation and brand trust. And with Sotero, achieving that becomes a seamless reality. To view the platform in action with a data security expert, click here.


Payment Data Security,


Subscribe to our Blog

Take a look at a truly encrypted future, with no data left unsecure.

Request a Live Demo.

Schedule a live one-on-one
demo of Sotero.

Book Demo