PCI DSS Version 4.0 Content Hub

PCI DSS Version 4.0

It’s finally here! And at Confide we are very excited to be able to talk about the new version of PCI DSS – because PCI DSS is one of our favourite topics to talk about. We have been looking forward to talking about version 4 since we saw the first RFC (request for comment) in 2019. Now, nearly three years later, we can finally start talking about what’s new, what’s not so new, and how this will impact your PCI DSS compliance.

Over the coming months and years we will be publishing a large amount of content on the changes in PCI DSS version 4.0 and this content hub is where you can find it all. 

Since PCI DSS is not a one-size-fits-all approach, we’ve broken down our content into areas that you might find yourself interested in. Over time, more content will be added to each, and we encourage you to visit, read, and reach out. Wherever you are in your PCI DSS journey, we want to help you reach v4.0 compliance with as little difficulty as possible.

Required after 31 March 2024

Key Topics in PCI DSS v4.0

PCI DSS Version 4.0 General Changes

PCI DSS v4.0 is a significant change. But sometimes the more things change, the more they stay the same. Topics in this area focus on how v4.0 differs from v3.2.1 and where it stays the same.


PCI DSS Version 4.0 Technical Controls

PCI DSS v4.0 changes some of the ways the Standard expects technology to be implemented. Some of these changes are minor; others might require a business case to be put forward for new technology. Many of the new technical requirements are future-dated: they are best practice until 31 March 2025, after which they become mandatory. This section dives into these new technical controls so you can understand what you’ll want to work on before they come into force.

PCI DSS Version 4.0 Governance Controls

Governance isn’t a new topic for PCI DSS, but in v4.0 it becomes even more important. Two terms you’ll hear a lot about are “roles and responsibilities” and “targeted risk assessments” (TRAs). Posts in this section focus on the governance aspects of the Standard.

PCI DSS Version 4.0 and Service Providers

If you’re a merchant you might find this section interesting to see how your service providers will be reporting in v4.0.

If you’re a service provider, the posts in this section will help you understand what requirements are changing for you over the coming months.

PCI DSS Version 4.0 Reporting

The biggest question out there is how v4.0 will change the reporting. Even if you think that you don’t need to worry about reporting because you use a QSA, learning more about the report structure helps you understand why your QSA asks you for more (and different) information than they have in the past, or why it takes a little longer now to complete a report.

In this section we also cover changes to the SAQs, since with the new version of PCI DSS some requirements have changed, some have been removed, and some have been added.

Where to Find the Documents

The PCI SSC has created its own Version 4 Resource Hub with links to the key documentation and other releases related to v4.0. We definitely recommend that you keep an eye on the new documentation, since this is key to making sure you know what you should be preparing for.

As of August 2023, the following documents have been released:

  • PCI DSS v4.0
  • PCI DSS Report on Compliance Template for v4.0
  • Merchant Attestation of Compliance for v4.0
  • Service Provider Attestation of Compliance v4.0
  • INFI Instructions and Worksheet
  • All v4.0 SAQs
  • Prioritized Approach Tool

Are You Ready for Version 4.0?

Whether you’ve been eagerly awaiting version 4.0 like we have at Confide or you’re looking on with trepidation, we’re here to help you with your PCI DSS journey. Contact us for more information and to understand how we can help you achieve compliance with v4.0.