SkarpSkarp
Get the App

Chapter 3 of 8

Key PCI DSS 4.0/4.0.1 Requirements Through a Legal Lens

Provides a high-level tour of the 12 PCI DSS requirement families in version 4.0/4.0.1, emphasizing those with the most significant contractual, governance, and liability implications for ICT companies.

15 min readen

1. Orienting to PCI DSS 4.0/4.0.1 – Why Lawyers Should Care

PCI DSS 4.0 was published in March 2022 and became the primary version in 2024. Version 4.0.1, released in 2024, mainly clarifies wording and fixes issues but does not change the core requirements.

From a legal and governance perspective, remember:

  • PCI DSS is not a law, but:
  • Card brands (Visa, Mastercard, etc.) and acquiring banks contractually require compliance.
  • ICT companies often promise PCI alignment in MSAs, DPAs, SLAs, and security addenda.
  • Non‑compliance risk for ICT providers:
  • Indemnity for card brand fines and assessments
  • Breach of contract / misrepresentation
  • Negligence claims if controls were promised but not implemented

In this module you will:

  • Walk through the 12 PCI DSS requirement families at a high level
  • Focus on what changes in 4.0/4.0.1 matter legally (e.g., stronger authentication, continuous monitoring)
  • Connect technical controls to contract clauses (representations, warranties, allocation of responsibility)

> Keep your previous modules in mind: you already know that scope (what systems are in the CDE or connected to it) is everything. Here we look at what must be done inside that scope, and who is on the hook for it.

2. The 12 Requirements – A Legal-Friendly Map

PCI DSS 4.0/4.0.1 keeps the traditional 12 requirements, grouped into 6 objectives. For lawyers, it helps to see them as control themes you can map into contracts.

Objective 1 – Secure Network and Systems

  1. Install and maintain network security controls (firewalls, segmentation)
  2. Apply secure configurations to all system components

Objective 2 – Protect Account Data

  1. Protect stored account data (encryption, truncation, tokenization)
  2. Protect cardholder data with strong cryptography during transmission

Objective 3 – Maintain a Vulnerability Management Program

  1. Protect systems and networks from malware
  2. Develop and maintain secure systems and software (patching, SDLC)

Objective 4 – Implement Strong Access Control Measures

  1. Restrict access to system components and cardholder data by need-to-know
  2. Identify users and authenticate access (MFA, strong auth)
  3. Restrict physical access to cardholder data

Objective 5 – Regularly Monitor and Test Networks

  1. Log and monitor all access to system components and cardholder data
  2. Test security of systems and networks regularly (scans, pen tests)

Objective 6 – Maintain an Information Security Policy

  1. Support information security with organizational policies and programs

Legal lens:

  • Each requirement can translate into:
  • A representation ("we have X controls")
  • A warranty ("we maintain X controls throughout the term")
  • A governance clause ("party A is responsible for Y; party B for Z")
  • In 4.0, many requirements allow a Customized Approach (risk-based alternative). That flexibility is great technically, but dangerous if not clearly documented in contracts.

3. Major 4.0 / 4.0.1 Shifts with Legal Impact

Compared with 3.2.1, PCI DSS 4.0 (and clarifications in 4.0.1) introduced several shifts that matter for liability and governance:

1. Stronger Authentication (Req. 8)

  • Multi-factor authentication (MFA) is more pervasive and standardized.
  • Clearer requirements for password complexity, session timeouts, and service account handling.
  • Legal impact:
  • If you say "we are PCI DSS 4.0 compliant," customers expect MFA for admin and remote access at minimum.
  • Breach claims often focus on weak authentication as negligence.

2. Continuous Monitoring and Logging (Req. 10, 11)

  • 4.0 emphasizes continuous or near-continuous monitoring over periodic, checklist-style reviews.
  • More explicit expectations for log integrity, centralization, and alerting.
  • Legal impact:
  • Incident response timelines (e.g., "notify within 24 hours of becoming aware") assume you actually detect issues.
  • Contracts may require 24/7 monitoring; PCI 4.0 supports that expectation.

3. Risk-Based / Customized Approach

  • Many requirements now allow a Customized Approach instead of the strict "Defined Approach".
  • You must document the risk analysis and controls that achieve the same security objective.
  • Legal impact:
  • Customized controls must be defensible if challenged after a breach.
  • Contracts should clarify who decides on customized approaches and who signs off.

4. Future-Dated Requirements and Timelines

  • Some requirements were best practices until March 31, 2025 (relative to today, that date is about 1 year ago) and then became fully required.
  • 4.0.1 mainly clarifies text and corrects errors, but does not reset timelines.
  • Legal impact:
  • If you committed to "PCI DSS 4.0 compliance" before a future-dated control became mandatory, you must be clear whether you meant current or future-dated items too.
  • Representations should specify which version and as of what date.

4. Requirements 1–2: Network Security & Configuration – Contract Hooks

These two requirements often show up in hosting, cloud, and managed service contracts.

Requirement 1 – Network Security Controls

  • Technical idea: Use firewalls, segmentation, and secure network design to isolate the CDE.
  • Typical legal hooks:
  • Responsibility matrix: Who manages firewalls, security groups, routing rules?
  • Segmentation representations:
  • Example: "Provider maintains logical and/or physical segmentation such that non-CDE systems cannot access the CDE except through documented, controlled interfaces."
  • Change control clauses:
  • Example: "Provider will not materially alter network architecture impacting PCI scope without prior written notice and risk assessment."

Requirement 2 – Secure Configurations

  • Technical idea: Harden servers, containers, and network devices; disable insecure services; standard builds.
  • Typical legal hooks:
  • Baseline security standard:
  • Example: "Provider maintains secure configuration baselines aligned with PCI DSS and industry standards (e.g., CIS Benchmarks) for all in-scope systems."
  • Patch and configuration SLAs:
  • Example: "Critical security configuration issues identified by Provider or Customer will be remediated within X days, unless otherwise agreed in writing."

ICT provider scenario

You are a PaaS provider hosting a customer’s payment application:

  • You manage network segmentation and default configurations.
  • Customer manages application code.
  • If your MSA vaguely says "we are PCI compliant," but does not specify segmentation responsibilities, you may end up implicitly owning more of Requirement 1 and 2 than intended.

> Legal takeaway: Always tie Req. 1–2 to a clear RACI (who is Responsible, Accountable, Consulted, Informed) in the contract.

5. Requirements 3–4: Protecting Card Data – Who Owns Encryption?

Requirements 3 and 4 drive many data protection and encryption clauses.

Quick recap

  • Req. 3: Protect stored account data (e.g., PAN) – typically via strong encryption, truncation, or tokenization.
  • Req. 4: Protect cardholder data in transit over open, public networks – e.g., TLS 1.2+ with strong cipher suites.

Thought exercise

Imagine you are drafting an MSA for a SaaS payment gateway:

  1. The SaaS provider stores full card numbers encrypted in its database.
  2. The customer’s website posts card data directly to the SaaS provider over HTTPS.
  3. The SaaS provider manages keys in an HSM; the customer never sees the raw PAN.

Questions to think through (write down brief answers):

  1. Data storage responsibility
  • Who is responsible for Req. 3 (protecting stored account data)?
  • How would you phrase that in the contract? (e.g., "Provider is solely responsible for encryption and storage of cardholder data within its systems.")
  1. Key management
  • Should the contract:
  • Explicitly reference key management standards (e.g., PCI PIN, PCI P2PE, NIST SP 800-57)?
  • Require separation of duties for key custodians?
  1. Transmission security
  • For Req. 4, will you:
  • Require TLS 1.2 or higher and forbid insecure protocols?
  • Specify who configures TLS (customer’s website vs. provider’s API endpoint)?
  1. Breach allocation
  • If a breach occurs due to unencrypted storage at the provider, what indemnity clause would you expect?
  • If the customer misconfigures their website and sends card data over HTTP, should the provider still be liable?

> When you review a real contract, try to map every encryption / transmission clause back to Req. 3–4 and check: is the responsible party clear, or is it ambiguous?

6. Requirements 5–6: Vulnerability Management & Secure Development

These requirements matter a lot for software vendors, cloud platforms, and managed security providers.

Requirement 5 – Protect Systems from Malware

  • Anti-malware, EDR, and related controls where applicable.
  • Legal consequences:
  • If you market managed endpoints or managed servers, customers may assume you handle malware protection end-to-end.
  • Contracts should specify which layers you cover (OS only? containers? endpoints?) and what is excluded.

Requirement 6 – Secure Systems and Software

This is where many 4.0 changes show up:

  • More emphasis on secure SDLC (threat modeling, code review, testing).
  • Clearer expectations for patch management and third-party components.

Common contract clauses connected to Req. 6:

  1. Secure development warranty
  • Example: "Provider develops and maintains its Services in accordance with a documented secure development lifecycle aligned with PCI DSS and industry best practices."
  1. Patch timelines
  • Example: "Critical security patches applicable to the Services will be deployed within X days of release, subject to reasonable testing."
  • Misalignment risk: If your internal policy says 30 days but you contractually promise 7 days, you create systemic breach of warranty risk.
  1. Third-party components
  • 4.0 explicitly expects management of vulnerabilities in libraries, frameworks, and dependencies.
  • Contracts may require SBOMs (Software Bills of Materials) or at least disclosure of high-risk third-party components.

> Legal takeaway: For ICT providers, Req. 6 is often the bridge between technical SDLC and legal promises about "secure coding" and "timely patching."

7. Quick Check: Authentication, Logging, and Monitoring Duties

Test your understanding of how 4.0’s stronger authentication and monitoring map into contracts.

A cloud service provider markets its platform as “PCI DSS 4.0 aligned.” It offers customers virtual machines and basic logging, but **does not** enforce MFA for customer admin accounts by default. Which statement best describes the legal risk?

  1. There is low legal risk because PCI DSS does not require MFA for administrative access.
  2. There is potential misrepresentation risk, because PCI DSS 4.0 expects strong authentication (including MFA) for administrative access, and customers may reasonably rely on that.
  3. There is no issue as long as the provider passes its own PCI assessment; customers cannot rely on marketing statements.
Show Answer

Answer: B) There is potential misrepresentation risk, because PCI DSS 4.0 expects strong authentication (including MFA) for administrative access, and customers may reasonably rely on that.

PCI DSS 4.0 strengthens expectations around authentication (Req. 8), including MFA for administrative and remote access. If a provider markets its platform as “PCI DSS 4.0 aligned” but does not enable or require MFA for admin accounts, customers may argue they reasonably relied on that statement. This can create misrepresentation or breach of warranty risk, especially if a breach is linked to weak authentication.

8. Requirements 7–9: Access Control and Physical Security

Requirements 7–9 define who can touch what, both logically and physically.

Requirement 7 – Need-to-Know Access

  • Enforce least privilege: users only get the minimum access they need.
  • Legal implications:
  • Data protection and privacy contracts often require role-based access control (RBAC) and documented access approvals.
  • After a breach, one of the first questions is: "Why did this user have access to so much?"

Requirement 8 – Identify and Authenticate Users

  • Stronger expectations in 4.0 for:
  • MFA for admin and remote access
  • Unique IDs; no shared accounts
  • Secure handling of service accounts and APIs
  • Contract connections:
  • Authentication clauses (e.g., MFA, SSO, password policies)
  • Shared responsibility for user provisioning: provider vs. customer.

Requirement 9 – Physical Security

  • Controls for data centers, offices where card data is accessible, and media handling.
  • For many ICT providers using third-party data centers (e.g., colocation or hyperscale cloud):
  • Physical security is often covered by sub-processor / sub-service provider obligations.
  • Contracts should allow you to flow down PCI requirements and rely on independent attestations (e.g., SOC 2, PCI DSS AoC of the data center).

> Legal takeaway: Access control failures are frequent in breach reports. Make sure contracts tie Req. 7–9 to clear responsibilities for user management, MFA, and physical security, including sub-processors.

9. Requirements 10–11: Logging, Monitoring, and Testing – Evidence for Disputes

Requirements 10 and 11 are about visibility and assurance.

Requirement 10 – Log and Monitor

  • Log access to systems and cardholder data.
  • Protect log integrity, centralize where possible, and review alerts.

Legal connections:

  • Incident response provisions often assume:
  • You can reconstruct events from logs.
  • You know which data was accessed.
  • After an incident, poor logging can:
  • Increase the scope of notifications ("we cannot rule out…")
  • Make it harder to defend against negligence claims.

Requirement 11 – Test Security Regularly

  • Vulnerability scans, penetration tests, change-detection, segmentation testing.
  • In 4.0, there is more emphasis on ongoing testing and risk-based methods.

Contract hooks:

  1. Right to audit / right to review reports
  • Customers may request:
  • PCI DSS Attestation of Compliance (AoC)
  • Pen test summaries or independent assurance reports.
  1. Frequency commitments
  • Example: "Provider will conduct network vulnerability scans at least quarterly and penetration testing at least annually on PCI in-scope systems."
  1. Third-party testers
  • Clarify whether you use Qualified Security Assessors (QSAs) or internal teams, and what evidence customers can see.

> Legal takeaway: Strong logging and testing (Req. 10–11) are not just technical; they provide evidence in disputes about what happened, when, and whether you acted reasonably.

10. Requirement 12: Governance, Documentation, and Shared Responsibility

Requirement 12 is where PCI DSS meets corporate governance.

What Req. 12 expects (high level)

  • A formal information security policy approved by management.
  • Defined roles and responsibilities for security and PCI compliance.
  • Training for personnel.
  • Risk assessments, incident response plans, and vendor management.

Activity: Draft a simple PCI responsibility matrix

Imagine a SaaS provider handling online card payments on behalf of merchants. For each area below, decide whether the provider, the customer, or both should be primarily responsible. Jot down your choices and a short justification.

  1. User account provisioning and deprovisioning (who creates/disables merchant staff accounts in the SaaS portal?)
  2. Network segmentation of the SaaS production environment
  3. Incident response communications to affected cardholders
  4. Annual PCI DSS assessment (SAQ or ROC) for the SaaS platform itself
  5. Security awareness training for merchant employees who use the portal

Now, think about how you would encode this in a contract:

  • Would you include a PCI Responsibility Matrix as an annex?
  • Would you reference Requirement 12 explicitly, or describe duties in plain language (e.g., "Provider shall maintain an information security program that includes…")?

> In practice, many disputes come from gaps or overlaps in responsibilities. A clear, contractually binding matrix aligned with Req. 12 can prevent that.

11. Flashcards: Mapping PCI Controls to Legal Concepts

Flip these mental flashcards by reading the front, then testing yourself on the back before you reveal it.

PCI DSS Requirement 3 (Protect stored account data)
Often appears in contracts as: encryption-at-rest commitments, key management obligations, data minimization, and warranties that card data is stored only as necessary and in compliance with PCI DSS.
PCI DSS Requirement 8 (Identify and authenticate users)
Maps to clauses about MFA, password policies, SSO, and user identity management. Especially important for defining which party must enforce MFA for admin and remote access.
Customized Approach (PCI DSS 4.0)
A risk-based alternative to the defined control. Legally, it requires strong documentation and management sign-off, and should be reflected in contracts so customers understand that equivalent – not identical – controls are used.
Future-dated requirements in PCI DSS 4.0
Controls that were considered best practices until March 31, 2025 and then became mandatory. Contracts should clarify whether "PCI compliance" includes such future-dated controls as of signature or only when they become required.
Requirement 12 (Support information security with organizational policies and programs)
Connects to governance clauses: formal security policies, risk assessments, training, incident response plans, vendor management, and clear allocation of PCI responsibilities between provider, customer, and sub-processors.

12. Final Check: Connecting PCI 4.0 to Contract Language

One last scenario to consolidate your legal perspective on PCI DSS 4.0/4.0.1.

A managed service provider (MSP) operates and patches servers that are part of a customer’s CDE. The MSA states: “Provider will maintain PCI DSS 4.0 compliance for all services” but is silent on who is responsible for web application security testing. After a breach due to a vulnerable web app, the customer claims the MSP breached PCI DSS Requirement 11. Which is the **strongest** argument for the MSP?

  1. Req. 11 only applies to network devices, not web applications, so the MSP has no obligation.
  2. Because the contract did not allocate application-level testing to the MSP and the MSP only controls the OS and infrastructure, the MSP can argue that its PCI obligation was limited to those layers it operates.
  3. Any reference to PCI DSS 4.0 automatically makes the MSP responsible for all 12 requirements across all layers of the stack.
Show Answer

Answer: B) Because the contract did not allocate application-level testing to the MSP and the MSP only controls the OS and infrastructure, the MSP can argue that its PCI obligation was limited to those layers it operates.

Requirement 11 covers testing of systems and applications, but contract allocation still matters. If the MSP only operates and patches infrastructure, and the MSA does not clearly assign responsibility for application security testing to the MSP, it can reasonably argue its PCI obligations are limited to the layers it controls. This highlights why a clear PCI responsibility matrix and precise scope descriptions are critical in contracts.

Key Terms

PCI DSS
Payment Card Industry Data Security Standard, a set of technical and operational requirements for protecting cardholder data, mandated by card brands via contracts rather than statute.
Indemnity
A contractual obligation for one party to compensate another for certain losses or liabilities, such as card brand fines or costs arising from a data breach.
RACI Matrix
A responsibility assignment model that defines who is Responsible, Accountable, Consulted, and Informed for specific tasks or control areas.
Least Privilege
An access control principle where users and systems are granted the minimum level of access – and only the permissions – necessary to perform their tasks.
Customized Approach
In PCI DSS 4.0, a risk-based method that allows entities to implement alternative controls that meet the intent of a requirement, instead of following the prescribed defined approach, subject to documentation and assessor review.
Future-dated Requirement
A PCI DSS control that was initially considered a best practice until a specified date, after which it becomes mandatory (for PCI DSS 4.0, many such requirements became mandatory from March 31, 2025).
AoC (Attestation of Compliance)
A formal document produced after a PCI DSS assessment, signed by the entity and, where applicable, the assessor, confirming the entity’s compliance status.
CDE (Cardholder Data Environment)
The people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, and any systems connected to them.
MFA (Multi-Factor Authentication)
An authentication method requiring at least two independent factors (something you know, have, or are) to verify a user’s identity.
Secure SDLC (Secure Software Development Lifecycle)
A structured process that integrates security practices (like threat modeling, code reviews, and security testing) into each phase of software development.