PCI DSS 3.2.1 vs 4.0: What Changed and How to Prepare
PCI DSS 4.0 (now 4.0.1) replaces 3.2.1 as the active payment card security standard. Version 3.2.1 was retired on March 31, 2024, and many of 4.0's most significant new requirements became mandatory on March 31, 2025. Organizations must understand what changed to maintain compliance.
Detailed Comparison

Each item below lists the PCI DSS 3.2.1 position first and the PCI DSS 4.0 position second.

Status
3.2.1: Retired March 31, 2024 — no longer accepted for new assessments.
4.0: Active standard — required for all assessments after March 31, 2024.

Total Requirements
3.2.1: 12 high-level requirements with 252 sub-requirements.
4.0: 12 high-level requirements with 270+ sub-requirements (additions for evolving threats).

Compliance Approach
3.2.1: Single approach — strict, prescriptive controls.
4.0: Two approaches — Defined (prescriptive, like 3.2.1) and Customized (risk-based, with documented rigor).

Multi-Factor Authentication
3.2.1: Required only for non-console administrative access into the CDE.
4.0: Required for ALL access into the CDE, not just administrative — including users and applications.

Password Requirements
3.2.1: Minimum 7 characters with numeric and alphabetic characters.
4.0: Minimum 12 characters (or, per 8.3.6, 8 characters with additional complexity if system limits prevent 12).

Phishing Defense
3.2.1: No specific anti-phishing requirement.
4.0: New requirement 5.4.1 — automated mechanisms to detect and protect against phishing.

Targeted Risk Analysis
3.2.1: Not formally required for any specific control.
4.0: Required for several controls (e.g., 11.3.1 vulnerability scan frequency) when using the Customized Approach.

Vulnerability Scanning
3.2.1: Internal and external scans required at least quarterly.
4.0: Same quarterly baseline; expanded scope to include authenticated scans and broader CDE coverage.

Cardholder Data Discovery
3.2.1: Implicit through scope identification.
4.0: Explicit requirement for a documented data discovery process to find unauthorized CHD.

Service Provider Compliance
3.2.1: Annual attestation; some controls had less rigor for SPs.
4.0: Tighter SP requirements — quarterly compliance monitoring and broader visibility into customer environments.
Our Recommendation
PCI DSS 4.0 is mandatory now — there is no choice. The most impactful changes are MFA on all CDE access, 12-character passwords, expanded phishing defenses, and the introduction of the Customized Approach for organizations with mature risk programs. Start with a 4.0 gap assessment, then build a remediation plan against the new requirements that became effective March 31, 2025.
Frequently Asked Questions
PCI DSS 4.0 replaced 3.2.1 on March 31, 2024. Many specific new requirements were "best practice" until March 31, 2025, after which they became mandatory. As of 2025, all assessments must be against 4.0.1.
The Customized Approach lets organizations meet a control objective using risk-based methods rather than the prescriptive Defined Approach. It requires a Targeted Risk Analysis, documented evidence the customized control meets the objective, and assessor validation. It is best suited for organizations with mature risk programs.
Yes — all merchants and service providers must comply with 4.0 regardless of level. Self-Assessment Questionnaires (SAQs) have been updated for 4.0 and must be used by all SAQ-eligible merchants.