PCI DSS 4.0.1
Payment Card Industry Data Security Standard v4.0.1, published 11 June 2024 as a limited revision to v4.0 (clarifications and corrections only; no new or deleted requirements). v3.2.1 retired 31 March 2024; v4.0 retired 31 December 2024; v4.0.1 has been the sole active version since 1 January 2025. The 51 future-dated requirements introduced in v4.0 became mandatory 31 March 2025; the v4.0.1 revision did NOT change this date.

The standard comprises 12 high-level requirements with hundreds of sub-requirements. v4.0.1-specific clarifications cover: 3.5.1.1 (customised-approach objective for keyed cryptographic hashes); 6.3.3 (reverted to the v3.2.1 'critical-only' 30-day patching scope); 6.4.3 and 11.6.1 (payment-page script applicability notes for TPSP-embedded forms); 8.4.2 (MFA exemption for phishing-resistant authentication factors); and TPSP and issuer applicability notes throughout.

Cross-mapped to ISO 27001:2022 Annex A, CSA CCM, SOC 2 CC series and NIST CSF 2.0, with jurisdictional overlays for DPDPA + Rules 2025 and RBI CSF. Source: PCI SSC Document Library.
Composition
86 controls currently indexed; participates in 29 cross-framework synthesis clusters.
Participates in synthesis
Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.
- Anti-malware protection with EDR and email/web safeguards
- Authentication architecture and multi-factor authentication
- Centralised logging with retention, tamper protection, and integrity
- Continuous monitoring of networks, systems, applications, and outsourced development
- Cryptographic controls, key management, and post-quantum readiness
- Data Loss Prevention — multi-channel egress protection
- Data classification with protection controls — DLP, masking, retention, secure disposal
- Data-at-rest protection — encryption, access, processor controls
- Data-in-transit protection and physical media handling
- DevSecOps maturity — security-as-code, pipeline-enforced controls, API security
- Encryption at rest — sensitive data and key management
- Forensic capability and evidence collection
- Logical and physical access restriction — least privilege baseline
- Mandatory assurance regime — periodic audit, VAPT, third-party assessment, risk review
- Multi-factor authentication — universal MFA across access types
- Network protection — segmentation, monitoring, perimeter, and data leak prevention
- Network segmentation with zero-trust principles
- PCI DSS PAN protection — storage minimisation, masking, encryption
- PCI DSS Targeted Risk Analysis (TRA) — flexibility and customised approach
- PCI DSS e-skimming protection — payment page script integrity
- PCI DSS v4.0.1 customised approach with targeted risk analysis
- PCI DSS v4.0.1 universal MFA expansion to all CDE access
- Physical access controls — secure areas, entry monitoring, asset protection
- Privileged access management and access rights lifecycle
- Ransomware-resilient backup architecture
- Secure SDLC — threat modelling, secure coding, SAST/DAST, dependency scanning, DevSecOps
- Secure configuration baselines and hardening discipline
- VAPT cycle — vulnerability assessment and penetration testing programme
- Vulnerability management programme — discovery, prioritisation, remediation