The Top 6 big PCI DSS 4.0 changes and how to prepare your security teams

For any company involved in any facet of  payment card processing, March 31, 2025, looms as the deadline for meeting the updated Payment Card Industry Data Security Standard (PCI DSS) version 4.0, first issued April 1, 2024.

The updated standard focuses on enhanced security practices like stronger encryption, improved access controls and more robust vulnerability management – the latter of which is already an albatross around a CISO’s neck with the tremendous backlog of Common Vulnerabilities and Exploits (CVEs) to manage.

A look at PCI DSS: serving an important purpose

The PCI DSS first arrived in 2004 to ensure companies achieve data protection by establishing security control effectiveness. As cybercriminals’ tactics and targets have evolved, PCI standards have also expanded to keep up with the two-headed beast: an increasingly complex threat landscape combined with a continuously widening attack surface. 

The latest updates aim to address emerging threats while providing flexibility for organizations to innovate to achieve PCI compliance. While these changes are intended to help payment processors strengthen security and reduce risk – for themselves, their partners and customers – adhering to such compliance changes is never easy for already-strained security teams. 

Top challenges for your security teams 

To understand the scope of the challenge, let’s take a look at PCI DSS 4.0’s major changes:

1. Customized approach

Allows organizations to meet security objectives using controls tailored to their environment, emphasizing outcomes-based compliance, offering flexibility while requiring detailed risk assessments and documentation.

2. Expanded scope and risk-based focus

Requires organizations to conduct structured risk assessments and report on security strategies more comprehensively. The scope of requirements expanded to include cloud environments and service providers, reflecting modern payment industry practices.

3. Strengthened authentication controls

The updated PCI-DSS v4.0 removes ambiguity around the types of multifactor authentication (MFA)/two-factory authentication (2FA) and where to use them. This change makes it clear that this requirement applies to both Administrative and Non-Administrative Accounts utilized for accessing Customer Data Environments.

4. Continuous monitoring and testing: 

Requires continuous monitoring and testing of an organization’s security controls to ensure ongoing compliance and threat mitigation.

5. Updated technical and operational requirements: 

• Strengthened network security controls (e.g., replacing “firewalls” with broader “network security controls”). 
• Clarifications on secure configurations and vendor-supplied defaults.
• Adjustments to patch management timelines, reinstating the 30-day rule for critical vulnerabilities.

6. Enhanced data protection: 

Focuses on protecting Primary Account Numbers (PANs) through keyed cryptographic hashes and other advanced methods.

PCI DSS compliance: automation and application-layer visibility are key

These new PCI DSS 4.0 requirements cause headaches for security teams when having to update aging infrastructure and implement new systems and tools to address various components. In particular, the mandate for routine  monitoring and testing while consistently applying security patches to mitigate vulnerabilities may seem daunting, but Contrast can do it continuously — one of only a few solutions that can.

This is especially true in the application layer, which is where a majority of attacks originate. (According to Verizon’s annual Data Breach Investigations Report (DBIR), two of the top three types of cybersecurity incidents in 2024 stemmed from applications — the number one culprit being web application credentials and number three being exploited application vulnerabilities.)

The unfortunate truth is that the application layer is an organizational blindspot with existing cybersecurity tools. Endpoint detection and response (EDR), cloud detection and response (CDR), and network detection and response (NDR) all serve an important function in providing visibility into their respective areas. But until recently, the application layer was left in the cold.

ADR and application vulnerability monitoring (AVM) provide better visibility into the vulnerability management of your applications, providing real-time protections that in turn allow security teams the time to properly triage and address the identified vulnerabilities.

ADR, together with application vulnerability monitoring (AVM), both secures the application and continuously monitors for vulnerabilities in live applications, thereby streamlining  a company’s compliance efforts while relieving security teams of the stress and worry of trying to keep up with the onslaught of malicious activities.

How Contrast ADR helps you to leapfrog risks

Specific features and capabilities that ADR tools provide to meet specific aspects of PCI DSS 4.0 include:

1. Monitoring and testing

ADR addresses PCI DSS requirements for continuous monitoring and proactive security testing by:

• Real-time application monitoring: ADR tools embed monitoring mechanisms directly into applications, providing continuous oversight of runtime behaviors, configuration changes, and anomalous activities (e.g., API misuse).
• Threat detection and response: ADR solutions detect both internal and external threats, such as supply chain attacks, by analyzing application-layer activity. They provide actionable alerts with rich context, enabling security teams to investigate and mitigate threats quickly.
• Compliance reporting: ADR systems generate detailed logs and reports on application activity, which are essential for meeting PCI DSS logging and testing requirements (e.g., Requirement 10 for tracking access to cardholder data). Contrast ADR fulfills the PCI DSS 4.0 requirement (6.3.1) for security vulnerability reporting.

2. Vulnerability and patch management

ADR enhances patch management processes by:

• Identifying vulnerabilities in real time: ADR tools continuously scan applications for vulnerabilities (e.g., outdated libraries) that could be exploited, ensuring timely detection of risks.
• Compensating control: Advanced ADR systems can automatically apply controls or enforce guardrails to mitigate risks until patches are deployed, reducing the window of exposure.
• Streamlined remediation: By providing detailed insights into vulnerabilities and their impact on the application environment, ADR helps prioritize patching efforts based on risk levels, aligning with PCI DSS’s patch management timelines (Requirement 6.3).

The clock is ticking on PCI DSS 4.0; it's time to adopt automation and application-layer visibility to help you hurdle threats. ADR isn't just a tool, it's the helping hand your  security teams need to reach compliance

Want to learn more about how Contrast ADR can help your compliance efforts? Book a demo today.

Read more:

• Contrast blog: DORA mandates have landed: Ready for a 4-hour incident reporting window?
• Contrast blog: Unpacking the SEC cybersecurity reporting rules: Enhance compliance efforts and reduce risk with ADR
• Contrast blog: Ensuring vigilant digital transformation in the financial sector
• Contrast blog: Preparing for PCI DSS v4.0.1, the latest version of PCI