
PCI DSS 4.0: Key Changes and Compliance Strategy

TSC Advisory · January 20, 2026 · 9 min read

Understanding the transition to PCI DSS 4.0, its customized approach, and what merchants and service providers need to prepare.

What's New in PCI DSS 4.0?

PCI DSS 4.0, released in March 2022, is the most significant update to the Payment Card Industry Data Security Standard since version 3.0. The standard introduces a new 'Customized Approach' alongside the traditional 'Defined Approach,' allowing organizations to meet security objectives through alternative controls that are validated by the assessor. The update also introduces 64 new requirements, 13 of which are effective immediately, with the remaining 51 becoming mandatory after March 31, 2025.

The Customized Approach

The Customized Approach is PCI DSS 4.0's most transformative change. Instead of prescribing exactly how to implement a control, the standard now defines the security objective each requirement aims to achieve. Organizations can implement alternative controls that meet the same objective, provided they can demonstrate effectiveness through a documented controls matrix and testing procedures. This approach benefits mature organizations with strong security programs, while the Defined Approach remains available for those who prefer prescriptive guidance.

Key New Requirements

Notable new requirements include: targeted risk analysis for each PCI DSS requirement where flexibility is allowed, enhanced authentication requirements including multi-factor authentication for all access to the cardholder data environment, automated technical mechanisms to detect and protect against phishing, management of all payment page scripts loaded in consumer browsers, and enhanced logging and monitoring to detect anomalies. The standard also strengthens requirements around encryption, vulnerability management, and security awareness training.

Preparing for Compliance

Organizations should start with a gap assessment against the new 4.0 requirements, prioritizing the 13 immediately effective changes. Build a remediation roadmap with clear milestones, update documentation and policies to reflect new requirements, implement technical controls for the future-dated requirements well ahead of the March 2025 deadline, and plan for assessor coordination. TSC supports organizations through the entire PCI DSS 4.0 transition with structured gap assessment, remediation guidance, and assessment preparation.

Key Takeaways

  • PCI DSS 4.0 introduces both a Defined Approach and a new Customized Approach for meeting requirements.
  • 64 new requirements have been added, with 51 becoming mandatory after March 31, 2025.
  • Multi-factor authentication is now required for all access to the cardholder data environment.
  • Payment page script management and anti-phishing controls are newly required.
  • TSC provides structured PCI DSS 4.0 transition support from gap assessment through compliance validation.

How TSC Can Help

TSC provides end-to-end consulting across 40+ compliance frameworks. Our structured process ensures your organization moves from initial assessment to audit readiness efficiently and confidently.

Whether you are beginning your compliance journey or maintaining existing certifications, our team brings the expertise and methodology to support your goals.
