Blog post

Are You Ready For PCI DSS 4.0?

Robert Curlee profile picture.

Robert Curlee

Product Marketing Manager

5 min read

  • SonarQube
  • Security
  • Security Reports
SonarQube and PCI DSS 4.0

What is PCI DSS 4.0?

PCI DSS 4.0, or the Payment Card Industry Data Security Standard v4.0, is the latest version of the globally recognized security standard that outlines requirements for organizations that handle cardholder data. 


On March 31, 2024, PCI DSS 3.2.1 will be retired, and PCI DSS 4.0 will become the new standard.

PCI DSS 4.0 implementation timeline

Timeline taken from Countdown to PCI DSS v4.0 by Lauren Holloway


Key changes in PCI DSS 4.0

  • Retains existing Defined Approach: In PCI DSS 3.2.1, the only way to obtain PCI compliance was to follow the prescribed requirements and implement the testing procedures stated in the standard. The good news for companies that implemented the standard using this approach is that they can continue to be certified in this manner, including implementing compensating controls for requirements not met explicitly.
  • Introduces new Customized Approach: A newly added approach in PCI DSS 4.0 allows organizations to implement security controls based on defined security outcomes. Companies can choose a security methodology that best suits their environment as long as they justify that their security strategies meet the desired outcomes defined by requirement. The customized approach gives risk-mature organizations more flexibility in achieving compliance if they can demonstrate effective risk management, for example, by leveraging a defense-in-depth strategy.
  • Adds 64 new requirements: There are 64 new requirements in PCI DSS 4.0. However, companies must implement only 13 of the new requirements by April 1st. The other 51 requirements are marked as “best practices” until March 31st, 2025, when they become effective. You still have time to implement the 51 requirements marked as best practices before next year.
  • Stronger authentication: Password requirements are more robust, such as having a longer minimum length and a stronger minimum complexity. MFA requirements are stronger, mandating successful completion of all factors for access, and the process cannot reveal which factor failed during an attempt. 
  • Improved cloud security: Cloud platforms and contactless payments have been an emerging trend, further accelerated by the COVID-19 pandemic. The changes in PCI DSS 4.0 are a direct response to this trend and the corresponding increase in cybercrime attacks in the cloud. The new standard provides more specific guidance on security controls within a cloud environment for areas like storing, processing, and transmitting cardholder data, encryption of data at rest and in transit, access control to cloud resources, logging and monitoring of cloud activity, and establishing incident response plans for handling security incidents involving cardholder data stored in the cloud.


How can I make sure I am PCI DSS 4.0 compliant?

For comprehensive PCI DSS 4.0 compliance, it's crucial to adopt a layered approach that combines static code analysis along with other security practices, such as secure coding training, dynamic application security testing (DAST), penetration testing, and regular security reviews. 


PCI DSS contains 12 high-level principal requirements with 240 low-level requirements under the 12 principal requirement categories. 


Using static code analysis, SonarQube Enterprise Edition provides coverage of PCI DSS application security vulnerabilities, detecting a wide range of PCI DSS issues in code.

Illustration showing how SonarQube fits in a defense-in-depth security strategy

How SonarQube fits in a defense-in-depth security strategy


How SonarQube aids in meeting PCI DSS 4.0 requirements

  • Identifies vulnerabilities: SonarQube scans and detects coding errors, bugs, and security weaknesses. Addressing these vulnerabilities with SonarQube significantly improves your code's security posture and reduces the risk of injection attacks, attacks on data and data structures, attacks on cryptography, attacks on business logic, and attacks on access control mechanisms, as defined in requirement 6.2.4.
  • Automates standards enforcement: SonarQube automates the enforcement of coding standards and best practices that align with secure coding principles. This helps developers write secure code “early in the development cycle when code is checked in” and confirms developers do not introduce new vulnerabilities in code as they develop.
  • Conducts regular code reviews: SonarQube conducts extensive code reviews that align with PCI DSS 4.0 standards specified in requirements 6.2.3. With downloadable PDF reports, SonarQube helps you report your compliance through a Qualified Security Assessor (QSA) or when using the Self Assessment Questionnaire (SAQ).
  • Trains developers on secure coding practices: With Learn as You Code, SonarQube educates developers about the issues it finds in code by teaching them why the issue exists and how to fix them, helping you comply with requirement 6.2.2.


You can find a security report for PCI DSS 4.0 in the Security Reports section of your project, with a clear presentation of coverage within each of the 12 high-level requirements of the standard, including a count of issues found under each. 


By clicking on the issues found in the report, SonarQube will guide you through issue resolution to quickly find and fix discovered issues.


Scree capture of SonarQube security reports page showing PCI DSS 4.0 requirements

SonarQube security reports page showing PCI DSS 4.0 requirements


In addition to PCI DSS 4.0 requirements, SonarQube Enterprise Edition includes coverage of other security standards, such as OWASP and CWE Top 25. 


By tracking each of these through the available security reports, you can get a big-picture view of your code’s compliance with these standards. 


Not only does SonarQube help you comply with these security standards, but it is also an extensive code quality tool that finds issues in code, such as bugs, security vulnerabilities, hidden secrets, and code smells. 


With its integrations into your Continuous Integration (CI) pipeline, it checks your code as you develop, inserts quality gates as part of your release automation control, and guides you through issue resolution, helping make sure your code is always production-ready.


Combining SonarQube with various tools and practices creates a more secure environment, protecting cardholder data while obtaining the greatest possible value from your code.


Try SonarQube Enterprise Edition today and see the PCI DSS 4.0 security report in action for yourself.


Get new blogs delivered directly to your inbox!

Stay up-to-date with the latest Sonar content. Subscribe now to receive the latest blog articles. 

By submitting this form, you agree to the storing and processing of your personal data as described in the Privacy Policy and Cookie Policy. You can withdraw your consent by unsubscribing at any time.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.