PCI DSS v4.0
We will assist you in achieving more security
On this page we have assembled the most important information for you.
The key facts at a glace
As of when is a certification according to v4.0 mandatory?
During the transition period, both standards, PCI DSS v4.0 and PCI DSS v3.2.1, are thus valid simultaneously. Companies affected can determine together with their QSA according to which standard they want to be certified during this period. On March 31, 2024, PCI DSS v3.2.1 will be completely replaced and v4.0 will be the only version of the standard valid from then on.
How quickly do you have to implement new requirements?
Completely new requirements in version 4.0 were given the suffix "future-dated", which gives organizations time beyond the transition period to complete necessary implementations. Until March 31, 2025, these requirements are considered best practices and are optional during that time.
After March 31, 2025, these requirements will be considered mandatory and must be fully addressed as part of future PCI DSS certifications.
What is a "Customized Approach"?
Compared to the classic approach, in which the requirements must be implemented exactly as specified in the standard, the so-called "Customized Approach" brings more flexibility to the implementation of the requirements. For example, you can use existing processes and measures that are required by other norms or standards and have already been implemented in your company for your PCI DSS certification. To do this, you need to analyze the intent of a requirement together with your QSA and show how your individual implementation fits the intent of the requirement.
We accompany you
An alignment and thus further development of existing processes based on the requirements of PCI DSS v4.0 usually requires a well considered implementation project. Whether you strive for certification according to the new version at an early stage or would like to use the transition period for implementation, we are happy to support you:
Overview of the new requirements
Presentation of the new requirements for your company in an initial workshop. Together, we will gain an overview of the PCI DSS v4.0 requirements that are relevant for you and outline known challenges and best practices.
Evaluate requirements for your company
During a gap analysis, we check all certification-relevant IT systems, existing documentation and current processes for their compliance with PCI DSS v4.0. Identified non-compliances are documented in the form of a catalog of measures and will be discussed with you.
Your certification according to PCI DSS v3.2.1 is coming up?
Our experts will be happy to conduct a gap analysis alongside the accessment in order to check your environments, documents and processes for non-compliance with PCI DSS v4.0.
Plan & implement measures
We do not leave you on your own after the gap analysis. Our assessors will create an individual roadmap together with you. Based on the results of your gap analysis, we will develop specific packages of measures with associated tickets, and we will closely support you in their implementation.
Certification according to PCI DSS v4.0
You are ready. After a successful implementation, we will accompany you as your trusted accessor in confirming your compliance with the PCI DSS.
More insights
During webinars and in blog posts, our PCI experts have already taken a more detailed look at the standard for you:
Webinar recordings
PCI DSS 4.0: Let's get started
PCI DSS 4.0: Impact on E-commerce
PCI DSS 4.0: Impact on Retail
Blog posts
PCI DSS v4.0 – The Most Important Changes at a Glance: Keyed Cryptographic Hashes
PCI DSS v4.0 – The Most Important Changes at a Glance: Technical User Handling
