THE ULTIMATE GUIDE TO PCI DSS v4.0.1

THE ULTIMATE GUIDE TO PCI DSS v4.0.1

IT'S THE FINAL LAP

What does your organization need to do to meet the future-dated requirements for PCI v4.0.1? Do you have a realistic roadmap in place? Do you know what the impact will be on your business?
Our PCI Resource Library is filled with experienced QSAs "in the trenches" tips and tools to simplify your transition.
Scroll down to discover unique insights and practical solutions that will help you stay on track as you navigate
the challenges you may face in achieving and maintaining PCI compliance.

PCI DSS EXCLUSIVE RESOURCES

info.obsglobal.comhubfsPCI 4.0.1 Course Correction or Alternate Route

If you have always filed an SAQ A to maintain PCI compliance, recent 11th hour changes may have upended your world, or at least your ability to maintain PCI compliance.
Written by: Daryl Jackson

 

READ MORE

PCIv40HitchHikersGuideThumb1200x628

This comprehensive eBook breaks down all the updates made to the new v4.0 standard. 
Written by: Jordan Wiseman

 

 

DOWNLOAD EBOOK

 

Verizon-Security-Report-news-768x433

Verizon Business turned to Online’s QSA team to contribute anonymized ROC data and expert insights for the 2024 Payment Security Report. The result? A comprehensive guide to payment security trends that equips organizations with the tools to strengthen their PCI DSS compliance while uncovering opportunities for security program enhancements.

 

READ MORE   

Vulnerability_Scanning_eBook_thumb-01

Authenticated scans are now required to satisfy internal vulnerability scanning. This eBook explores how this new change will impact PCI security programs.
Written by: Jeff Man


READ EBOOK

CaseStudy

A Service Provider engaged Online's PCI Advisors to address technical requirements. Our QSA team evaluated network and application environment using BMC Discover. Online was able to  help this Client obtain Compliance Attestation, improving their security and compliance posture for future sustainability.

 

READ THIS STORY   

AMCE_PCIScopeReduction_CaseStudy_Thumbnail

ACME Corporation, a globally operated large equipment manufacturer, turned to Online’s QSA team to help them clarify the PCI DSS for requirements and advise on scope reduction. Not only did ACME exceed their scope reduction goals, but they ended up with some very pleasant side-effects.

 

READ MORE   

VIDEO SERIES | TALKING PCI v4.0 WITH JEFF MAN

WHAT'S NEW IN PCI DSS?

Watch our webinar recording to hear from our team of security experts as they break down the key changes that organizations need to pay most attention to.
 

PCI REQUIREMENTS LIBRARY

PCI SAQ A Changes: Course Correction Update

Daryl Jackson March 3, 2025

The PCI SSC has clarified key SAQ A eligibility requirements, shifting security responsibility for embedded payment pages (iFrames) to Third-Party Service Providers (TPSPs). Find out what this means f...

PCI SAQ A Changes: Course Correction or Alternate Route?

Daryl Jackson February 21, 2025

On January 30th, the PCI SSC announced that merchants completing Self-Assessment Questionnaire (SAQ) A, would be exempt from complying with PCI DSS requirements 6.4.3 and 11.6.1 under certain conditio...

The Time is Now for Future-Dated PCI Requirements

Dan Lapierre September 20, 2024

Hey PCI Champions! Don’t Breathe a Sigh of Relief Just Yet Congratulations on snagging your v4.0 Report on Compliance (ROC) and Attestation of Compliance (AOC)! You might be thinking, “Finally, we’re ...

What the PIN?! 3 Entities that MUST Comply with the PCI PIN Standard

Greg Kraft April 11, 2024

Are you an acquirer or processor that manage PIN data, a vendor that provides systems that handle PIN data, or a merchant that stores, processes, or transmits PIN data? If so, you will want to underst...

Disk Level Encryption: The 3.2.1 Magic Bullet has been Left Behind

Paul Gregoire October 12, 2023

Prepare for a transformative shift in cardholder data security with PCI DSS v4.0. With native disk encryption no longer a shield, organizations worldwide must swiftly adapt, revisiting encryption stra...

Take a Pit Stop – 5 Point Inspection Questions to Consider NOW before the 4.0 Last Lap

Sherri Collis & Steve Levinson June 9, 2023

2023 is flying by. Before you can say March 2024, v3.2.1 of the PCI DSS will be retired. Do you know what your organization needs to do to cross the v4.0 finish line, and how much time it will take? N...

#1 Preventative Measure to Stop Network Breaches

Daryl Jackson February 10, 2023

Despite the significant changes introduced with PCI DSS v4.0, there are many bedrock requirements that did not change. This article serves to highlight an often neglected, but extremely important face...

Three Steps to Avoiding an “In Place With Remediation” Status

Sherri Collis & Steve Levinson August 8, 2022

Three steps to avoiding the new "In Place with Remediation" status and using the seven P's to help -- prior proper planning prevents p*#s poor performance! A few months ago, we published a blog “There...

DSS 4.0 Clarifies, Strengthens MFA Requirements

Jordan Wiseman & Kurt Outwater May 30, 2022

MFA under v4.0: No more admin bypass. And no more accessing the CDE without it. Start now and make sure you’ve got the time to set up MFA correctly, and securely. Your users will thank you, your QSA w...

Authenticated Vulnerability Scanning

Jeff Man April 29, 2022

One of the most significant changes introduced in PCI DSS v4.0 involves the documented approach for performing internal vulnerability scans. The internal vulnerability scanning requirement (now 11.3.1...

Monitor the Monitoring

Clark Dixon April 20, 2022

There are two notable changes that may require a fair bit of runway to fully meet the existing requirement to monitor your critical security control systems. On March 31st, 2022 PCI DSS v4.0 was relea...

There is Trouble Brewing: In Place with Remediation

Sherri Collis & Steve Levinson April 19, 2022

What could possibly go wrong with calling out a non-compliant status, or “In Place with Remediation,” on your Attestation of Compliance? Do you have a storm brewing you are yet aware of? On March 31st...

Understanding the Changes to Appendix A1: Multi-Tenant Service Providers

Adam Gaydosh April 20, 2022

Are you a SaaS? Do you offer various shared services to merchants and other service providers with access to resources or services being logically controlled or partitioned to keep resources contained...

Incident Response - Unexpected PAN Identified

Mark Hannah April 20, 2022

Mistakes with PAN happen! Data leaks, memory dumps, or debug logs can accidentally contain sensitive information and can leak data into unexpected places in your environment. It is now a requirement t...

Web Application Firewall - Automated Technical Solution

Maryann Douglass April 19, 2022

There are now two options to meeting the new requirement 6.4.2 for a web application firewall: WAF or RASP. Notice I didn’t say manual code review! On March 31st, 2022 PCI DSS v4.0 was released. Today...

Roles and Responsibilities | Who's Driving What?

Mark Hannah & Sherri Collis April 18, 2022

If you don’t have documented and employee acknowledged roles and responsibilities for every role that is part of your PCI scope of assessment, you may need a long roadway to get this in place. On Marc...

PCI v4.0 - Requirement 7:  All Things Accounts and Access Reviews

Sherri Collis & Grant Sabesky April 18, 2022

Remember the good ole days when Requirement 7 was all about general and privileged user accounts? Well, those days are done as of March 31, 2025! On March 31st, 2022 PCI DSS v4.0 was released. Today’s...

The Customized Approach | Part 1

Greg High April 18, 2022

Have you ever been off-roading? Full-on four-wheel-drive, low gear, creeping over rocks, or blasting through snowbanks? It’s quite an exhilarating experience. I liken the updates made to the Customize...

The Customized Approach | Part 2

Greg High April 18, 2022

The recent release of PCI DSS v4.0 may give the mistaken impression that there is a lot of time for organizations to prepare for any required changes to people, processes, and technologies. While this...

 

PCI DSS v4.0 TRANSITION TIMELINE

PCI4.0-Timeline3

Source: https://www.pcisecuritystandards.org/

NOT SURE WHERE TO START?

Our team of QSA's have spent hundreds of hours studying the new standard and are prepared to thoroughly review your current state to help you develop a right-sized plan to become PCI v4.0.1 compliant.

SIGN UP FOR A GAP ASSESSMENT & REMEDIATION ROAD MAP

HELPFUL LINKS

PCI Standards Council https://www.pcisecuritystandards.org/
PCI Standards Council FAQs https://www.pcisecuritystandards.org/faqs
PCI Standards Council Newsroom https://www.pcisecuritystandards.org/about_us/newsroom_overview
American National Standards Institute www.ansi.org
Center for Internet Security www.cisecurity.org
Cloud Security Alliance www.csa.org
European Union Agency for Cybersecurity www.unisa.europa.eu
The FIDO Alliance www.fidoalliance.org
International Organization for Standardization www.iso.org
The UK National Cyber Security Centre www.ncsc.gov.uk
National Institue of Standards and Technology www.nist.gov
Open Web Application Security Project www.owasp.org
Software Assurance Forum for Excellence in Code www.safecode.org