PCI DSS 4.0.1: All 12 Requirements Explained with Implementation Costs

What Changed in PCI DSS 4.0

Expanded to cover all network security controls (not just firewalls). Renamed from 'Install and maintain a firewall configuration' to reflect modern architectures including cloud, containers, and software-defined networking.

Common Audit Failure Points

• Overly permissive firewall rules not reviewed in 6+ months
• Missing documentation of network topology and data flows
• No formal change management process for firewall rule modifications
• Failure to restrict outbound traffic from the CDE

What Changed in PCI DSS 4.0

Renamed from 'Do not use vendor-supplied defaults.' Now requires managing all security parameters, not just defaults. Includes cloud and containerised environments explicitly.

Common Audit Failure Points

• Default credentials still active on network devices or databases
• Unnecessary services and protocols left enabled
• Missing hardening standards for cloud infrastructure
• Inconsistent configurations across environments

What Changed in PCI DSS 4.0

Expanded scope to 'account data' (not just cardholder data). New requirements for SAD storage detection and cryptographic key management. Disk-level encryption alone is no longer sufficient for removable media.

Common Audit Failure Points

• Storing full PAN in plaintext in databases or log files
• Retaining cardholder data beyond the authorised retention period
• Inadequate encryption key management procedures
• Unencrypted backup tapes or removable media containing card data

What Changed in PCI DSS 4.0

Updated cipher suite requirements. TLS 1.0 and 1.1 are explicitly prohibited. Certificates must be validated and current. Applies to all transmission of PAN, not just over the internet.

Common Audit Failure Points

• Using outdated TLS versions (1.0 or 1.1) on internal systems
• Expired or self-signed SSL/TLS certificates in production
• Sending PAN via email, chat, or other unencrypted channels
• Missing encryption on internal network segments carrying card data

What Changed in PCI DSS 4.0

Renamed from 'Protect all systems against malware.' Now requires addressing all types of malicious software, including on systems not traditionally considered at risk. Anti-phishing mechanisms now required under Requirement 5.4.

Common Audit Failure Points

• Anti-malware not deployed on all in-scope systems (including Linux servers)
• Outdated signature definitions or disabled real-time scanning
• No anti-phishing controls for email and web browsing
• Missing malware protection on removable media

What Changed in PCI DSS 4.0

Major new requirement 6.4.3: manage all payment page scripts loaded and executed in the consumer browser. This targets Magecart-style attacks and requires inventory, authorisation, and integrity verification of all scripts on payment pages.

Common Audit Failure Points

• Critical security patches not applied within 30 days
• No inventory or authorisation process for payment page scripts (6.4.3)
• Missing WAF or equivalent for public-facing web applications
• Inadequate secure code review or SAST/DAST processes

What Changed in PCI DSS 4.0

Explicit requirement for application and system accounts (not just user accounts). Access reviews must cover all accounts with access to the CDE, including service and application accounts.

Common Audit Failure Points

• Excessive access privileges not aligned with job roles
• No formal access review process or reviews not completed semi-annually
• Shared or generic accounts used for CDE access
• Service accounts with overly broad permissions

What Changed in PCI DSS 4.0

MFA now required for ALL access into the CDE (not just remote access). Minimum password length increased to 12 characters. Password complexity and rotation requirements updated. System and application accounts must be managed with the same rigour as user accounts.

Common Audit Failure Points

• MFA not implemented for all CDE access (only remote access covered)
• Passwords under 12 characters or lacking complexity requirements
• Shared credentials for administrative access
• No mechanism to detect and prevent use of compromised passwords

What Changed in PCI DSS 4.0

New requirement for periodic POS terminal inspections to detect tampering. Updated media destruction requirements. Explicit requirements for protecting network jacks and wireless access points.

Common Audit Failure Points

• No formal POS terminal inspection programme for tamper detection
• Visitor access logs incomplete or not retained for required period
• Inadequate media destruction procedures and documentation
• Server rooms accessible without individual authentication

What Changed in PCI DSS 4.0

Automated log review mechanisms now required (manual-only review no longer sufficient). New requirements for detecting and alerting on failures of critical security control systems. This effectively mandates SIEM or equivalent technology.

Common Audit Failure Points

• No automated log review mechanism (relying on manual review only)
• Logs not retained for the full 12-month period
• Missing or incomplete logging on critical CDE systems
• No alerting mechanism for security control failures

What Changed in PCI DSS 4.0

Internal vulnerability scans must be authenticated. Penetration testing methodology must cover the entire CDE perimeter and critical systems. If network segmentation is used, segmentation controls must be tested at least every 6 months.

Common Audit Failure Points

• Quarterly ASV scans failing and not being remediated and rescanned
• Penetration testing scope not covering the full CDE perimeter
• No segmentation testing when network segmentation is used for scope reduction
• File integrity monitoring not covering all critical system files

What Changed in PCI DSS 4.0

New requirement for targeted risk analysis (TRA) to support flexible implementation. Security awareness training must include phishing and social engineering. Incident response plan must be tested annually. Expanded third-party/service provider management requirements.

Common Audit Failure Points

• Security policies not reviewed and updated annually
• Security awareness training not including phishing simulations
• Incident response plan never tested or exercised
• Third-party service providers not monitored for PCI compliance status