What is PCI DSS, and what did v4.0.1 change?
PCI DSS (the Payment Card Industry Data Security Standard) is the security standard that applies to any organization that stores, processes or transmits payment-card data. It is maintained by the PCI Security Standards Council (PCI SSC), a body founded by the major card brands, and it sets out what you have to do to protect cardholder data wherever it touches your systems.
A point worth getting right early: PCI DSS is not enforced by a government. It is enforced by the payment-card brands and the banks and processors that sit between you and them, through your contracts. That also shapes the language. People say "PCI certified" in conversation, but strictly you validate compliance and produce an Attestation of Compliance — there is no government certificate, and being precise about that saves confusion later.
The current version is v4.0.1, published in June 2024. It is a limited revision of v4.0 that corrects and clarifies rather than adding new requirements, so when people talk about "what changed in version 4", they mean the larger v4.0 release that v4.0.1 tidies up. The previous version, v3.2.1, was retired on 31 March 2024, and the more substantial new requirements introduced in v4.x became mandatory on 31 March 2025.