PCI DSS v4.x Future‑Dated Requirements Are Now In Force: Turn Compliance Into Policy‑as‑Code

If your organization touches card data, 2025 isn’t “next year’s” problem anymore. On March 31, 2025, the bulk of PCI DSS v4.x’s future‑dated controls moved from “best practice” to “required.” The PCI Security Standards Council (PCI SSC) has confirmed that 51 of the 64 new requirements are now mandatory, and the retirement of PCI DSS v3.2.1 on March 31, 2024 means v4.x is your only lane going forward. (blog.pcisecuritystandards.org)

In this piece, we’ll translate what “now mandatory” really means and show how to express high‑risk parts of PCI DSS v4.x as policy‑as‑code so you can gate changes, reduce drift, and produce auditor‑ready evidence—without turning engineers into full‑time checkbox chasers.

Note: Nothing here is legal advice; always coordinate with your QSA and acquiring bank.

Why this matters now

Three tempo changes hit at once:

• v3.2.1 is retired; v4.x is the only version you can assess against. (pcisecuritystandards.org)
• The future‑dated controls became effective on March 31, 2025; they’re no longer optional. (blog.pcisecuritystandards.org)
• E‑commerce got special attention: the Council published guidance and updated SAQs around payment‑page security (for example, requirements 6.4.3 and 11.6.1), which are part of the future‑dated set. (blog.pcisecuritystandards.org)

One more nuance: requirement 6.4.2 supersedes 6.4.1 after March 31, 2025—so if your validation still references the old approach, your assessor will expect to see the new one. (pcisecuritystandards.org)

Think of this like switching from an acoustic set to a fully amplified show: you need the same chords (security objectives), but the rig (controls, evidence, automation) has to scale and be consistent, night after night.

The big shift in v4.x: flexibility and proof

PCI DSS v4.x introduced a “customized approach,” which lets mature teams meet control objectives using different technical methods—as long as you can prove the outcome. That proof hinges on targeted risk analyses, documentation, and testable evidence. Policy‑as‑code (PaC) is a natural companion: it turns requirements into repeatable checks that run at commit time and in production, and it leaves an audit trail every time you accept or reject a change. (blog.pcisecuritystandards.org)

From requirement to guardrail: a simple playbook

Here’s a pragmatic four‑step flow you can reuse across controls:

1) Map requirement → control intent → codified rule

• Example: “Protect stored account data” → “Encrypt storage and backups” → “Deny merges if storage resources lack encryption.”

2) Pick an enforcement point

• Pre‑merge (CI) with Conftest/OPA against Terraform/Kubernetes manifests.
• Admission control (Kubernetes Gatekeeper/Kyverno).
• Cloud native policies (AWS Config, Azure Policy) and remediation engines (Cloud Custodian).

3) Run it everywhere

• Pre‑commit or pre‑merge checks, drift detection in production, nightly inventory scans.

4) Evidence on rails

• Store policy results as build artifacts, push summaries to a “controls compliance” repo, and wire dashboards for auditors.

Below are small, focused PaC examples tied to “now effective” concerns.

Example 1: Encrypt storage and keep buckets private (helps with protecting stored data and logging/monitoring)

Many breaches still come down to misconfigured storage. This Conftest policy (OPA/Rego) evaluates a Terraform plan and blocks merges if an S3 bucket is public or lacks encryption—simple, high‑signal guardrails aligned with protecting stored cardholder data and reducing exposure.

# policy/s3.rego
package terraform.s3

default deny = false

# Detect S3 bucket resources in Terraform plan JSON
s3 = input.resource_changes[_]
s3_type = s3.type == "aws_s3_bucket"
after = s3.change.after

# Require default encryption and block public ACLs
deny[msg] {
  s3_type
  not after.server_side_encryption_configuration
  msg := sprintf("S3 bucket %s must enable default encryption", [after.bucket])
}

deny[msg] {
  s3_type
  after.acl == "public-read"  # or public-read-write
  msg := sprintf("S3 bucket %s must not be public", [after.bucket])
}

# Optional: require access logging to a central log bucket
deny[msg] {
  s3_type
  not after.logging
  msg := sprintf("S3 bucket %s must enable server access logging", [after.bucket])
}

Run it in CI:

terraform plan -out tfplan.binary
terraform show -json tfplan.binary > tfplan.json
conftest test tfplan.json -p policy

If someone tries to add a public, unencrypted bucket, the build fails and the pull request shows exactly why—clean evidence you can hand to your assessor.

Example 2: Web attack prevention at the edge (supports the “automated” web‑attack control set)

As 6.4.x tightens browser‑side and app security, a practical infrastructure baseline is “no internet‑facing distribution without a WAF attached.” The Rego snippet below (again against a Terraform plan) fails a build if a CloudFront distribution lacks an AWS WAF association—one way to demonstrate an “automated technical solution to detect and prevent web‑based attacks.” Pair it with application‑layer controls like CSP/SRI in your frontend pipeline. (pcisecuritystandards.org)

# policy/waf.rego
package terraform.waf

default deny = false

cf = input.resource_changes[_]
cf_type = cf.type == "aws_cloudfront_distribution"
after = cf.change.after

deny[msg] {
  cf_type
  not after.web_acl_id
  msg := sprintf("CloudFront distribution %s must attach an AWS WAF (web_acl_id)", [after.comment])
}

This won’t, by itself, satisfy every testing procedure, but it gives you a visible, enforced baseline and auditable events when exceptions are made.

Example 3: Continuous enforcement in Azure (deny misconfigurations, prove it later)

Azure Policy lets you enforce security settings at scale and export compliance posture. Here’s a compact policy that denies Storage Accounts without secure transfer and TLS 1.2+. It’s not exotic, but it’s a reliable, low‑noise control you can point to during assessment.

{
  "properties": {
    "displayName": "Storage must enforce HTTPS and TLS >= 1.2",
    "policyType": "Custom",
    "mode": "All",
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          { "anyOf": [
              { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" },
              { "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2" }
          ]}
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}

Assign at the subscription or management group, export compliance to your evidence repo nightly, and map the policy ID to your control register.

Example 4: Auto‑remediate drift in AWS (and leave breadcrumbs)

Prevention is great; fixing drift automatically is better. Cloud Custodian policies can close gaps and write what they did to an S3 evidence bucket.

policies:
  - name: encrypt-unencrypted-s3
    resource: aws.s3
    filters:
      - type: bucket-encryption
        state: False
    actions:
      - set-bucket-encryption:
          crypto: aws:kms
          key: alias/org-s3-kms
      - type: post-finding   # optional: send to Security Hub

Pair this with CloudTrail and a lightweight Lambda that writes “control X enforced, N resources remediated” into an audit log. Your assessor will appreciate both the control and the receipts.

Don’t forget the browser: e‑commerce changes got real

The Council has been explicit: e‑skimming and payment‑page tampering remain a big problem, and requirements around script integrity and change detection take effect in v4.0.1 as of March 31, 2025. The Council released a dedicated Information Supplement to help teams implement 6.4.3 and 11.6.1, and updated SAQ A to reflect these changes. Treat these as first‑class work items if you accept web payments. (blog.pcisecuritystandards.org)

Practical PaC hooks here include:

• Build checks that reject front‑end bundles if Content‑Security‑Policy and Subresource Integrity (SRI) aren’t configured for third‑party scripts.
• CI steps that compare known‑good script manifests to current deploys and fail when drift is detected.
• Infrastructure policies that require WAF and bot management at the edge for any payment endpoints.

These checks won’t replace application testing, but they’ll keep you honest—and create the breadcrumbs assessors want to follow.

Make your assessor’s day: evidence patterns that work

Auditors love three things: clarity, consistency, and context. Bake these into your PaC pipeline:

• Control registry: A simple YAML/CSV that maps PCI requirement IDs to specific policies, the repos they run in, and the evidence location.
• Immutable logs: Ship policy evaluations (pass/fail, timestamp, commit SHA, user) to a write‑once bucket or a SIEM index.
• Exceptions with timers: When you must waive a policy, require a targeted risk analysis, a business owner, and an expiration date. PCI v4.x formalizes targeted risk analyses; your exception workflow should reflect that. (blog.pcisecuritystandards.org)

Common gotchas (and how to dodge them)

• “Policies pass in CI; production is different.” Close the loop with continuous drift detection (e.g., AWS Config + Conformance Packs, Azure Policy compliance scans) and regular exports into your evidence repo.
• “Too many false positives.” Start with high‑value, low‑ambiguity controls (encryption, public access) before you encode nuanced ones.
• “Customized approach without the paperwork.” If you choose the customized path, maintain the required templates (controls matrix and targeted risk analysis) from the start; v4.x spells this out. (blog.pcisecuritystandards.org)
• “SAQ A surprises.” If you rely on SAQ A, read the Council’s 2024/2025 updates; some payment‑page requirements changed and older SAQ A versions were retired March 31, 2025. (blog.pcisecuritystandards.org)

A 30/60/90‑day plan you can actually ship

• 0–30 days
  • Inventory all cloud and K8s resources in scope for the CDE and any connected systems.
  • Implement three baseline policies: storage encryption, “no public buckets,” and WAF on public app edges.
  • Wire policy results to an evidence bucket.
• 31–60 days
  • Add drift detection in production and nightly exports.
  • Roll out e‑commerce PaC checks (CSP/SRI presence; script allowlist diffs).
  • Stand up an exception process that includes targeted risk analyses.
• 61–90 days
  • Map remaining future‑dated requirements to PaC or process controls—prioritize those with high breach impact.
  • Run a tabletop with your QSA on your evidence set; adjust gaps before assessment season.

Balanced view: PaC is necessary—but not sufficient

Policy‑as‑code won’t write your incident response plan, train staff, or negotiate third‑party responsibilities. But it does three things exceptionally well:

• Reduces variance (no more “works on my laptop” security).
• Creates durable, timestamped evidence.
• Gives engineers fast feedback without waiting for quarterly audits.

Pair it with the Council’s guidance, especially for e‑commerce and the customized approach, and you’ll move from reactive “prove we did it” to proactive “we prevent it by default.” (blog.pcisecuritystandards.org)

Quick references to keep handy

• PCI DSS v4.x transition and effective dates, including the March 31, 2025 future‑dated cutoff. (blog.pcisecuritystandards.org)
• “51 of 64 new requirements are future‑dated” confirmation from the Council. (blog.pcisecuritystandards.org)
• E‑commerce payment‑page security guidance and SAQ A updates. (blog.pcisecuritystandards.org)
• FAQ on 6.4.2 superseding 6.4.1 after March 31, 2025. (pcisecuritystandards.org)
• Background on the customized approach and required risk analyses. (blog.pcisecuritystandards.org)

If you treat PCI like sheet music and policy‑as‑code like your metronome, you’ll keep the whole band on time—dev, ops, and compliance together—without losing the groove.