
PCI DSS 4.0 and Threat Modeling
What is PCI DSS 4.0?
Payment Card Industry Data Security Standard (PCI DSS) 4.0 is the latest version of the standard created by the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC includes companies like American Express, Mastercard, and Visa.
PCI DSS 4.0 is a global set of 12 security requirements designed to protect payment card information, whether the card data is stored, processed, or transmitted. It provides a benchmark of technical and operational requirements for safeguarding this data. One of its key changes is the introduction of stronger authentication requirements.
Who is it applicable to?
Starting from March 2025, anyone processing or storing payment card data is subject to PCI DSS 4.0. The standard is not legally binding; however, noncompliance can result in fines for the company, and the payment industry enforces the standard itself. It applies to merchants, service providers, payment gateways, and third-party vendors handling payment transactions.
What steps are recommended to comply?
There are 12 operational and technical requirements in PCI DSS 4.0, which are grouped under headings such as ‘Build and maintain a secure network’ and ‘Maintain a vulnerability management program’. Threat modeling can support compliance with several of these requirements. The 12 requirements are:
- Install and Maintain Network Security Controls
- Apply Secure Configurations (Avoid Default Settings)
- Protect Stored Cardholder Data
- Encrypt Cardholder Data Transmission Over Public Networks
- Regularly Update Antivirus Software
- Develop and Maintain Secure Systems and Applications
- Restrict Access to Cardholder Data (Business Need-to-Know Principle)
- Identify Users and Authenticate Access (Unique User IDs, MFA, etc.)
- Limit Physical Access to Cardholder Data
- Log and Monitor All Access to Cardholder Data
- Continuous Security Testing (Penetration Testing & Risk Assessments)
- Maintain an Information Security Policy
How can threat modeling help with PCI DSS?
As stated in this article from the European Financial Review, “One of the best ways to test your preparedness is by using threat modeling tools. Threat modeling is designed to identify potential risks that could threaten regulatory compliance and to help you develop defenses against those risks.”
Here are some examples of how threat modeling, and in particular IriusRisk, can support meeting the compliance needs of PCI DSS 4.0:
Requirement 3 - Protect Stored Cardholder Data: Threat modeling can identify risks to the data and make recommendations to mitigate those risks, in the form of countermeasures.
Requirement 6 - Develop and Maintain Secure Systems and Applications: IriusRisk integrates secure coding practices into the SDLC (software development lifecycle) to create robust, vulnerability-free systems.
Requirement 12 - Maintain an Information Security Policy: Threat modeling’s auditing, version history, and reporting support the activities that feed into security policies, showing what actions have been taken and providing exportable information for use in other risk tools and procedures.
Overall, threat modeling can help identify risks and make recommendations across all 12 of the requirements listed above, from better ways to process and store credit card data to adopting least privilege principles.
Conclusion and overall impact of threat modeling
PCI DSS 4.0 is now enforced (from March 2025 onwards), and while it is not a legal requirement, noncompliance can lead to significant financial penalties. By integrating threat modeling into their security strategies, companies can proactively work toward meeting the 12 operational and technical requirements of the standard by:
- Improving the security of stored and processed credit card data
- Enhancing risk identification and mitigation
- Encouraging adoption of least-privilege access principles
Learn more about threat modeling here: https://www.iriusrisk.com/threat-modeling-platform.
References
- European Financial Review, The Importance of Threat Modeling for PCI DSS 4.0 Compliance: https://www.europeanfinancialreview.com/the-importance-of-threat-modeling-for-pci-dss-4-0-compliance/
- PCI Security Standards Council, PCI DSS v4.0 Resource Hub: https://blog.pcisecuritystandards.org/pci-dss-v4-0-resource-hub
- OpenAI (ChatGPT) was used to format and summarize sections of this article
