The PCI Council officially released PCI DSS v4.0.1 on June 11, 2024*. This update clarifies the focus and intent of some of the requirements and guidance from the original PCI DSS v4.0 release.
Summary of Key Changes
Requirement 3
- 3.3.1 - Clarified Applicability Notes for issuers and companies that support issuing services.
- 3.5.1.1 - Added a Customized Approach Objective and clarified applicability for organizations using keyed cryptographic hashes to render Primary Account Numbers (PAN) unreadable.
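As an added illustration of what 3.5.1.1 describes (it is not code from the PCI SSC or from this bulletin), the block below renders a PAN unreadable with a keyed cryptographic hash (HMAC-SHA256) and checks a presented PAN against a stored digest without leaking timing information. The key, the test PAN and the function names are assumptions chosen for the example; in a real deployment the key is generated and protected under the organization's key-management controls rather than created inline as here.

```python
import hashlib
import hmac
import os


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Render a PAN unreadable with HMAC-SHA256, a keyed cryptographic hash.

    Only the digits are hashed, so formatting differences (spaces, dashes)
    do not yield different digests for the same account number.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def pan_matches(pan: str, key: bytes, stored_digest: str) -> bool:
    """Compare a presented PAN against a stored keyed digest in constant time."""
    return hmac.compare_digest(keyed_pan_hash(pan, key), stored_digest)


if __name__ == "__main__":
    # Constructed example key for the demo only; a production key is issued
    # and stored by the organization's key-management process, not hard-coded.
    key = os.urandom(32)
    # Constructed test PAN (a well-known test-card number, not a real account).
    test_pan = "4111 1111 1111 1111"
    digest = keyed_pan_hash(test_pan, key)
    print(digest)
    print(pan_matches("4111111111111111", key, digest))
```

Because the digest depends on a secret key, someone who obtains only the stored digests cannot recompute them from candidate account numbers; the same input hashed under two different keys yields unrelated digests, which is the property that distinguishes a keyed hash from a plain SHA-256 of the PAN.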
Requirement 6
- 6.3.3 - Reverted to PCI DSS v3.2.1 language that installing patches/updates within 30 days applies only for “critical vulnerabilities.”
- 6.4.3 - Added Applicability Notes to clarify how the requirement for managing payment page scripts applies.
Requirement 8
- 8.4.2 - Added an Applicability Note that multi-factor authentication for all (non-administrative) access into the CDE does not apply to user accounts that are only authenticated with phishing-resistant authentication factors.
Requirement 12
- 12.8.2 - Updated Applicability Notes to clarify several points about relationships between customers and third-party service providers (TPSPs).
Today, v4.0 and v4.0.1 are both active. PCI DSS v4.0 will be retired on 31 December 2024. After that point, PCI DSS v4.0.1 will be the only active version of the standard supported by PCI SSC.
*Source: https://blog.pcisecuritystandards.org/just-published-pci-dss-v4-0-1
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.