The deadline to comply with the latest version of the Payment Card Industry Data Security Standard (PCI DSS), v4.0.1, is rapidly approaching: March 31, 2025. Are you prepared?
Understanding the changes in PCI DSS v4.0.1
Compared with v4.0, v4.0.1 is a very minor change: it primarily consists of small updates and clarifications, and is intended simply to make the existing requirements easier to understand.
But both v4.0 and v4.0.1 represent a significant shift from previous versions of PCI DSS, especially as it relates to Application Security (AppSec). In the past, organizations needed specific tools and technologies to be compliant with PCI DSS, but that’s no longer the case.
For example, in the previous version of PCI DSS, Requirement 6.6 stated that organizations must "implement a web application firewall (WAF) to protect web applications from attack." This specific requirement has been retired, however, and the latest version of PCI DSS no longer calls out any specific technology.
In comparison, here’s what Requirement 6 (Develop and Maintain Secure Systems and Software) and Requirement 11 (Test Security of Systems and Networks Regularly) look like in the latest version of PCI DSS:
- 6.2: Bespoke and custom software are developed securely.
- 6.3: Security vulnerabilities are identified and addressed.
- 6.4: Public-facing web applications are protected against attacks.
- 6.5: Changes to all system components are managed securely.
- 11.3: External and internal vulnerabilities are regularly identified, prioritized and addressed.
- 11.4: External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.
How compliance standards like PCI DSS now address tooling
In this way, PCI is aligned with other major standards and frameworks like NIST CSF 2.0. It’s less important to have specific tools and technologies in place, and more important to have the best possible security posture.
This shift is important to note and perhaps has been a long time coming. Some companies still mistakenly believe that certain technologies like WAFs or static application security testing (SAST) scanners are needed in order to be compliant. But, by and large, this is no longer the case. In fact, these legacy technologies may be hindering compliance, making it more difficult to meet some of the latest PCI DSS standards. While standards have up until recently been written with a checkbox mentality, compliance today is more focused on processes and outcomes.
Importance of PCI DSS compliance
Compliance with PCI DSS isn’t required by law (unlike, for example, the European Union’s Digital Operational Resilience Act (EU DORA), which is legally binding within the EU). Nevertheless, any organization that stores, processes or transmits credit card data electronically must comply with PCI DSS. If your organization is involved with VISA, MasterCard, Discover, American Express and/or JCB in a payment capacity, then you need to comply with PCI DSS.
And penalties for non-compliance can be steep. According to VISA, fines of approximately $1,000 to $50,000 per month can be levied for failing to implement controls or to report on security posture. In addition, non-compliant organizations can face a $50 to $90 fine per cardholder data record compromised.
Improving AppSec to ensure PCI DSS compliance
Solutions that provide automated vulnerability detection and defenses along with continuous monitoring, such as Contrast AST and Contrast Application Detection and Response (ADR), can be very effective components of PCI DSS compliance programs. In fact, these solutions may be used to replace some of the traditional approaches to assessing and protecting applications. For example:
- Contrast AST can be useful in the development of secure code by identifying issues earlier in the life cycle and offering remediation paths.
- Contrast ADR allows supported software to be protected with greater fidelity than what is offered by traditional software security approaches alone.
Contrast provides a suite of capabilities that help businesses meet PCI standards head on—aligning to both technical and process requirements of PCI DSS. By connecting industry-leading secure code coverage across applications, APIs and open-source libraries within a common platform, Contrast Security is uniquely positioned to enable operational shifts for more informed security policy decisions, advanced threat detection and stakeholder communication.
For more information about PCI DSS, head to our glossary entry on PCI compliance.