top of page

What is the difference between PCI-DSS 3.2.1 and PCI-DSS 4.0?

Differences between PCI-DSS 3.2.1 and PCI-DSS 4.0

The technology organisations rely on is constantly evolving, as are threats to their security and reliability. Standards and regulations must adapt to address these emerging threats and vulnerabilities. The Payment Card Industry Data Security Standard (PCI-DSS) is no exception. Organisations must stay abreast of the latest updates and changes in PCI-DSS requirements as they strive to secure sensitive payment card data. In this article, we'll explore some of the differences between PCI-DSS version 3.2.1 and PCI-DSS 4.0 (recently released version), highlighting key updates and when these changes become mandatory.

Man holding a tablet device, ticking boxes from a checklist.

Understanding PCI-DSS: 

PCI-DSS is a set of security standards designed to ensure that companies that accept, process, store, or transmit credit card information maintain a secure environment. It encompasses various requirements and controls to safeguard cardholder data and reduce the risk of data breaches and fraud. PCI-DSS 3.2.1 was released in May 2018 and has just been replaced by version 4.0, which came into force in March 2024.

Key Changes in Version 4.0:

PCI-DSS 4.0, first released in late 2022, introduces several significant changes aimed at improving the security posture of organisations and aligning with evolving cybersecurity threats.  Instead of simply following the defined set of controls provided in the standard, organisations can now follow a customised approach and select appropriate controls. Some of the other key modifications include:

Expanded Scope:

Version 4.0 provides clearer guidance on the scope of PCI-DSS requirements, particularly in cloud environments and for entities utilising third-party service providers. It emphasises the importance of understanding and documenting the flow of cardholder data across systems and networks. The roles and responsibilities related to each requirement must now be defined and documented.

Authentication and Access Control:

The new version emphasizes strong authentication mechanisms and access controls. It introduces requirements for adaptive authentication and risk-based access controls, allowing organisations to tailor security measures based on contextual factors such as user behaviour and location.

Encryption and Key Management:

Version 4.0 introduces updated encryption and key management requirements, reflecting advancements in cryptographic algorithms and best practices. It emphasises the use of industry-standard encryption protocols and encryption keys' secure storage and rotation.

Security Testing and Vulnerability Management:

The latest version of PCI-DSS highlights the importance of continuous security testing and vulnerability management. It introduces requirements for penetration testing of segmentation controls and enhanced guidance on conducting secure code reviews and vulnerability assessments.

Secure Software Development:

Recognising the growing importance of secure software development practices, PCI-DSS version 4.0 includes updated requirements for secure software development lifecycle (SDLC) practices. It outlines principles for integrating security into the software development process and emphasises the need for secure coding practices and regular security testing.

Evolving Threat Landscape:

Version 4.0 acknowledges the dynamic nature of cybersecurity threats and introduces requirements for threat intelligence sharing and monitoring. It encourages organisations to stay informed about emerging threats and vulnerabilities and proactively mitigate risks. There is also now a requirement to protect staff from phishing attacks.

Mandatory Compliance Dates: 

Organisations subject to PCI-DSS must adhere to the compliance deadlines set forth for version 4.0. The PCI Security Standards Council typically provides a transition period to allow entities to implement the necessary changes and updates. With version 4.0, there are some new requirements that will become mandatory in March 2025. Organisations must plan and prioritise compliance efforts to meet the specified deadlines and ensure ongoing security and compliance.

Stock image of credit or bank cards


As cyber threats evolve, so must the standards and regulations designed to protect sensitive data. PCI-DSS version 4.0 represents a significant step forward in enhancing payment card data security and addressing emerging challenges. By understanding the disparities between version 3.2.1 and 4.0, organisations can better prepare to meet the evolving requirements and safeguard against potential vulnerabilities and breaches. Staying proactive and maintaining a strong security posture is essential in today's dynamic threat landscape.

Remember, PCI-DSS compliance is not just a box-ticking exercise; it's a fundamental aspect of protecting your organisation and your customers from the ever-present risks associated with payment card data.

A full explanation of the changes is available from the PCI Standards Council website here:

18 views0 comments

Recent Posts

See All


Commenting has been turned off.
bottom of page