PCI DSS 4 arrived in March 2022 to replace PCI DSS 3.2.1. There are 51 future-dated requirements in PCI DSS 4 that become mandatory on 31st March 2025. These new requirements may fundamentally affect an organisation's compliance status and have significant operational impacts. Therefore, it is important to understand how these changes may affect your organisation prior to the deadline.
Some core changes require additional documentation to be created and maintained. There is a new Targeted Risk Analysis approach for several requirements and there are new inventory requirements for keys, software components, and cipher suites. However, some of the highest-impact new requirements may need changes to system architectures and systems. These are discussed below to provide an overview of each requirement and how compliance with it can be achieved.
Protect Public-Facing Web Applications with a Web Application Firewall (6.4.2)
In PCI DSS v3.2.1, there was the option of either a Web Application Firewall (WAF) or regular web application vulnerability scans for in-scope public-facing web applications. The latter is no longer an option in PCI DSS 4, and a WAF or similar solution is now mandatory (6.4.2). The solution needs to either block attacks or generate alerts that are investigated immediately. There are several WAF solutions available on the market, including services provided by the top-tier cloud service providers. Nomios, as a Silver Partner with F5 Networks, can provide competitive pricing on F5 Networks' Advanced Web Application Firewall (WAF) to satisfy this PCI requirement.
Payment Page Scripts Management and Change Detection (6.4.3 & 11.6.1)
All payment page scripts that are loaded and executed in the consumer's browser now need to be identified, authorised, justified, and have integrity checking in place (6.4.3).
Payment pages now need a change- and tamper-detection mechanism that alerts personnel to unauthorised changes to security-relevant HTTP headers and to script contents, as received by the browser (11.6.1).
HUMAN Security, a trusted Nomios partner, offers Client-Side Defence to manage payment page scripts and detect and alert on unauthorised changes. Their technology ensures all scripts loaded in the consumer’s browser are properly identified, authorised, and monitored for integrity. While requirements 6.4.3 and 11.6.1 no longer apply to SAQ A merchants, eligibility for SAQ A requires confirmation that “the site is not vulnerable to script-based attacks”. HUMAN’s Client-Side Defence helps achieve this, supporting SAQ A qualification, strengthening client-side security, and simplifying compliance with 6.4.3 and 11.6.1.
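As an added illustration of what 6.4.3 and 11.6.1 ask for (not code from the original article or from any vendor named in it), the check below compares a payment page as received by the browser against an authorised script inventory and a header baseline. The HTML, headers and digests are constructed for the example; a real deployment would store the authorised digests with their justification and run the check from outside the CDE at intervals.

```python
import base64, hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collects every <script> on the page: its src, integrity attribute and inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None

def sri_hash(content):
    """SRI-style digest of script content: 'sha384-' + base64(SHA-384(content))."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content.encode()).digest()).decode()

def check_page(html, headers, authorised, baseline, monitored=("content-security-policy", "strict-transport-security")):
    """Return (finding, detail) tuples for scripts outside the inventory and monitored headers
    that differ from the baseline; an empty list means the page matches what was authorised."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for s in p.scripts:
        if s["src"]:  # external script: the tag must carry the digest recorded when it was authorised
            expected = authorised.get(s["src"])
            if expected is None:
                findings.append(("unauthorised external script", s["src"]))
            elif s["integrity"] != expected:
                findings.append(("integrity attribute missing or changed", s["src"]))
        elif sri_hash(s["body"].strip()) not in authorised.get("inline", set()):  # inline: hash the body
            findings.append(("unauthorised inline script", sri_hash(s["body"].strip())))
    observed = {k.lower(): v for k, v in headers.items()}
    for name in monitored:
        if observed.get(name) != baseline.get(name):
            findings.append(("header changed or missing", name))
    return findings

# Constructed sample: one authorised bundle with SRI, one authorised inline snippet,
# one inline script not in the inventory, and a CSP header that differs from the baseline.
AUTHORISED = {"/static/checkout.js": "sha384-placeholderDigestOfAuthorisedBundle",
              "inline": {sri_hash('window.payCfg = {"currency": "GBP"};')}}
PAGE_HTML = f"""<html><head><script src="/static/checkout.js" integrity="{AUTHORISED['/static/checkout.js']}"></script>
<script>window.payCfg = {{"currency": "GBP"}};</script><script>document.title = "changed";</script></head></html>"""
BASELINE_HEADERS = {"content-security-policy": "default-src 'self'", "strict-transport-security": "max-age=31536000"}
OBSERVED_HEADERS = {"Content-Security-Policy": "default-src 'self' *", "Strict-Transport-Security": "max-age=31536000"}

def run_example():
    return check_page(PAGE_HTML, OBSERVED_HEADERS, AUTHORISED, BASELINE_HEADERS)
```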
Access Controls for Application and System Accounts (7.2.5; 8.6.1 & 8.6.3)
PCI DSS 4 now requires specific access controls for application and system accounts. These types of accounts must now have the principle of least privilege applied (7.2.5), must be periodically reviewed (7.2.5.1), must have interactive logins prevented or limited (8.6.1), and must have their passwords changed periodically (8.6.3).
General-purpose privileged access management (PAM) tools, as well as standard platform configuration settings, can be leveraged to comply with these requirements. For cloud-based environments, Cloud Service Providers (CSPs) provide standard services to meet these requirements.
Multifactor Authentication (MFA) for Non-Console CDE Access (8.4.2 & 8.5.1)
Access into the Cardholder Data Environment (CDE) now requires MFA for all non-console access (8.4.2). MFA solutions must also prevent replay and bypass attacks (8.5.1). There are several MFA solutions available on the market, and additional MFA modules or solutions can be enabled through current identity solutions to help meet these requirements.
Nomios is partnered with top-tier identity providers, including CISO Partner, Fortinet, and One Identity, to help organisations meet these new MFA requirements.
Automated Reviews of Audit Logs (10.4.1.1)
Log reviews can no longer be manual, and organisations now need to use automated mechanisms to perform audit log reviews (10.4.1.1). This may require investment in a Security Orchestration, Automation and Response (SOAR) solution to introduce automation with alerting.
Nomios is partnered with leading SOAR providers, including Palo Alto Networks, Chronicle, Microsoft, and Rapid7, to help implement automated audit log reviews.
Detection and Response of Failures of Critical Security Control Systems (10.7.2 & 10.7.3)
Failures of critical security control systems now need to be detected, alerted on, and addressed promptly (10.7.2). Critical security control systems include intrusion detection and prevention systems (IDS/IPS), anti-malware systems, door access systems, audit logging, SIEM, and automated scanning tools. This also includes any change-detection mechanisms.
Failures of these critical security control systems need to be responded to promptly (10.7.3), with specific documentation requirements including root cause analysis.
Nomios runs a world-class, UK-based Network Operations Centre (NOC) that monitors and manages network operations performance and can be leveraged to monitor the status of your critical PCI security control systems.
Authenticated Internal Vulnerability Scans (11.3.1.2)
Internal vulnerability scans now need to be authenticated where possible (11.3.1.2). Where authenticated scans are not possible, a justification needs to be documented. Authenticated scanning is commonly addressed using scanning agents installed on each system component whose operating system supports them. Switching to authenticated scans may reveal previously unknown vulnerabilities that need to be remediated to comply with PCI DSS.
Nomios provides various vulnerability scanning solutions, including Wiz, to help organisations meet this requirement.
Security Awareness Includes Phishing, Social Engineering, and Acceptable Use (12.6.3.1 & 12.6.3.2)
Security awareness training now needs to include phishing, social engineering, and other threats that may affect the security of cardholder data (12.6.3.1). Training also needs to include acceptable use of end-user technologies, such as laptops used for remote access into the CDE and any MFA solution (12.6.3.2).
Nomios offers customised Security Awareness solutions tailored to an organisation's needs, including specific training modules for privileged roles.
Code Repositories (Section 2a)
An immediate change in PCI DSS 4 that organisations may not be fully aware of is that code repositories for custom code and for configuration information are now in scope for PCI DSS assessments. This applies to code or configurations that are used in the cardholder data environment (CDE). Configurations include infrastructure as code, commonly Terraform files held in code repositories with continuous integration and continuous deployment. It is important to check that your code repositories are within a PCI DSS compliant environment and, if you use a SaaS provider for code repositories, that the provider has an Attestation of Compliance (AoC) as a Service Provider that covers those services.
Let’s Connect
We know that some of these new requirements can be difficult to navigate, which is why we are available to provide you with the guidance you need.
To support your PCI DSS compliance, QSAs from Dionach, part of Nomios, can conduct a gap assessment against the new PCI DSS 4 requirements, offering valuable insights to help you maintain compliance. Nomios also provides a range of technical security solutions to address these requirements. Get in touch with our expert team today to discuss how we can support your compliance journey.
Meet Our Expert Contributor
Bil Bragg is the CTO at Dionach by Nomios, leading the Governance, Risk, and Compliance (GRC) Team. As an ISO 27001 Lead Auditor, PCI QSA, and PCI 3DS Assessor, he specialises in cybersecurity strategy, compliance programs, and measuring cybersecurity performance. With a strong background in software development and penetration testing, Bil brings deep technical expertise to GRC assurance and consultancy.
Bil Bragg
CTO
Dionach by Nomios