PCI DSS v4.0.1: Key Updates and Clarifications


The PCI Security Standards Council (PCI SSC) has recently released a limited revision to the PCI DSS, resulting in the publication of PCI DSS v4.0.1. This update addresses stakeholder feedback and questions received since PCI DSS v4.0 was published in March 2022. The changes focus on correcting formatting and typographical errors, as well as clarifying the intent and focus of some requirements and guidance.


Importantly, no new requirements have been added, nor have any existing requirements been removed. As with all new versions of PCI DSS, there will be a period where both the current and updated versions will be active. PCI DSS v4.0 will be retired on 31st December 2024, after which PCI DSS v4.0.1 will be the only active version supported by PCI SSC.


For a comprehensive overview of the changes, please refer to the "Summary of Changes from PCI DSS v4.0 to v4.0.1" available in the PCI SSC Document Library.


Here are some of the notable updates included in this revision:


  • Enhancements made in 3.3 provide clarity for issuers and companies involved in issuing services.

  • The update in 6.4.3 offers clarification on the inventory of scripts and its relevance to the organisation's webpages.

  • Notable guidance has been added in 11.3 concerning the vulnerability management process.

  • The refinement in 11.6.1 addresses security-impacting HTTP headers and script contents of payment pages.

  • Various requirement sections now include enhanced guidance on Customer Approach Objectives.

  • Requirement 12 now features detailed guidance tailored for Third-Party Service Providers (TPSPs).


PCI DSS v4.0.1: Key Updates and Clarifications (pci-proxy.com)
