Payment Card Industry Data Security Standard (PCI DSS) 4.0 Compliance

Thales can help simplify PCI DSS 4.0 compliance efforts by protecting any business that transmits, processes and stores cardholder data

PCI DSS 4.0 Requirements

Mandate | Active Now

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that provides a baseline of technical and operational requirements designed to protect payment data and reduce credit card fraud. PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

The new version of the standard was released on March 31, 2022. Changes from the previous version 3.2.1 include:

  • Expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment.
  • Updated firewall terminology to network security controls to support a broader range of technologies used to meet the security objectives traditionally met by firewalls.
  • Increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives.
  • Addition of targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities, as best suited for their business needs and risk exposure.

Details about the updates can be found in the PCI DSS v4.0 Summary of Changes document on the PCI SSC website.

How Thales Can Help with PCI DSS Compliance

Thales can help organizations working with cardholder data achieve compliance with several PCI DSS 4.0 requirements, including:

  • Requirement 2: Apply secure configurations to all system components
  • Requirement 3: Protect stored account data
  • Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
  • Requirement 6: Develop and maintain secure systems and software
  • Requirement 7: Restrict access to system components and cardholder data by business need to know
  • Requirement 8: Identify users and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 10: Log and monitor all access to system components and cardholder data
  • Requirement 12: Support information security with organizational policies and programs


What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. The 12 principal requirements represent 6 overarching principles.

When will PCI DSS 4.0 take effect?

PCI DSS v3.2.1 will remain active for two years after v4.0 is published. This provides organizations time to become familiar with the new version, and plan for and implement the changes needed. The implementation timeline is shown in the image below.

[Figure 1: PCI DSS 4.0 Implementation Timeline. Source: PCI SSC]

Risks Associated with PCI DSS Auditing and Compliance

  • Failure to comply with PCI DSS compliance requirements can result in fines, increased fees, or even the termination of your ability to process payment card transactions.
  • Complying with the PCI DSS cannot be considered in isolation; organizations are subject to multiple security mandates and data protection and privacy laws or regulations. On the other hand, PCI compliance projects can easily be side-tracked by broader enterprise security initiatives.
  • Guidance and recommendations linked to PCI DSS requirements include common practices that are likely to be already in place. However, some aspects, specifically those associated with encryption and multi-factor authentication, might be new to the organization and implementations can be disruptive, negatively impacting operational efficiency if not designed correctly.
  • It is all too easy to end up with a fragmented approach to security based on multiple proprietary vendor solutions and inadequate technologies that are expensive and complex to operate.
  • Opportunities exist to reduce the scope of PCI DSS compliance obligations and therefore reduce cost and impact; however, organizations can waste time and money if they do not exercise due diligence to ensure that new systems and processes will be accredited as PCI DSS compliant.

An Integrated Compliance Solution

Drawing on decades of experience helping banks and financial institutions comply with industry mandates, Thales offers integrated products and services that enable your organization to protect stored cardholder data, encrypt it for transfer, and restrict access on a need-to-know basis. In addition, Thales works closely with partners to offer comprehensive solutions that can reduce the scope of your PCI DSS compliance burden.

Addressing the Core Principles of PCI DSS

Thales offers comprehensive PCI DSS compliance software solutions that help organizations address the core principles of PCI DSS:

  • Protect Stored Account Data: Thales’ CipherTrust Manager and Luna Hardware Security Modules (HSMs), available on-premises, in the cloud as Thales Data Protection Luna Cloud HSM services, and across hybrid environments, enable organizations to perform crypto operations, centrally manage encryption keys, and deliver a variety of encryption, tokenization and data masking solutions to protect cardholder data in files, folders, applications and databases in both traditional and cloud or virtualized environments.
  • Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks: Thales High Speed Encryptors (HSE) encrypt cardholder and other sensitive data that traverses open networks.
  • Develop and Maintain Secure Systems and Software: Thales Luna HSMs and Luna Cloud HSMs enable organizations to securely store signing material in a trusted hardware device, thus ensuring the authenticity and integrity of any application code.
  • Restrict Access to System Components and Cardholder Data by Business Need to Know: SafeNet Trusted Access enables you to centrally manage unique user identities, risk-based authentication policies, and add/revoke access to systems in your Cardholder Data Environment (CDE). SafeNet Trusted Access offers powerful and expansive modern authentication capabilities that meet the needs of diverse users and user types.
  • Identify Users and Authenticate Access to System Components: Thales SafeNet Trusted Access ensures that each individual user is assigned a unique credential. Offering the broadest range of authentication methods and form factors, SafeNet Trusted Access allows customers to address numerous use cases, assurance levels, and threat vectors with unified, centrally managed policies, all managed from one authentication back end delivered in the cloud or on-premises. Supported authentication methods include context-based authentication combined with step-up capabilities, one-time password (OTP), X.509 certificate-based solutions, and FIDO security keys.
  • Restrict Physical Access to Cardholder Data: Thales SafeNet Trusted Access smart cards can be integrated with various building access technologies to function as both an employee’s physical and digital ID.
  • Log and Monitor All Access to System Components and Cardholder Data: All products in the Thales portfolio produce audit records that log any encryption key lifecycle operations (creation/deletion/rotation/revocation) and authentication events that can be used for forensics and incident reporting.
  • Support Information Security with Organizational Policies and Programs: CipherTrust Data Discovery and Classification can be used to identify all sources and locations of PII, including PAN, to look for PAN that resides on systems and networks outside the currently defined CDE or in unexpected places within the defined CDE, and, combined with CipherTrust Encryption, to automate data remediation if PAN is found outside the CDE.