PCI DSS v4.0 Requirements for UAE Companies 2026 — Complete Guide

PCI DSS v4.0 became the only active version of the standard on 31 March 2024, with a final wave of new requirements becoming mandatory on 31 March 2025. For UAE organisations that process, store, or transmit cardholder data — e-commerce merchants, payment service providers, banks, and retail chains — the upgrade from v3.2.1 is not cosmetic. This guide explains what changed, what the 12 requirements cover, and what UAE payment companies need to do to stay compliant.

What Changed from PCI DSS v3.2.1 to v4.0

The Customised Approach

v4.0 introduces a “customised approach” alongside the traditional “defined approach.” Under the customised approach, organisations can implement alternative security controls that achieve the same security objective as the standard requirement, rather than following the prescriptive defined approach exactly. This gives mature security programmes more flexibility — but it requires more rigorous documentation and QSA validation. UAE organisations without a dedicated compliance team should default to the defined approach.

MFA Expansion — Requirement 8.4.2

v3.2.1 required MFA for remote access to the cardholder data environment (CDE). v4.0 extends this: MFA is now required for all access to the CDE, including access from within the internal network. If your developers, DBAs, or IT staff access CDE systems from inside your office network without MFA, you are now non-compliant. This is one of the most operationally impactful changes for UAE organisations.

Password Requirements — Requirement 8.3.6

The minimum password length increases from 7 to 12 characters for accounts that use a password as the only authentication factor. Password history and complexity requirements are also strengthened.

E-Commerce Security — Requirement 6.4.3

New requirements for all payment page scripts: every script loaded on a payment page must be authorised, have its integrity verified, and be inventoried. This directly targets Magecart-style skimming attacks, which have affected UAE e-commerce merchants.

The 12 PCI DSS Requirements — Overview

Requirement  Area                         Key Focus in v4.0
1            Network security controls    Firewall and network segmentation documentation
2            Secure configurations        Default credentials, hardening standards, inventory
3            Account data protection      Data retention, PAN masking, encryption key management
4            Transmission security        TLS 1.2+ required, certificate management
5            Anti-malware                 EDR/AV on all applicable systems, periodic evaluation
6            Secure development           SAST/DAST, payment page script control (new 6.4.3)
7            Access control               Least privilege, access review, need-to-know
8            Identity and authentication  MFA expansion, password policy, service accounts
9            Physical access              POI device protection, visitor management
10           Logging and monitoring       Log retention 12 months, automated alerting
11           Security testing             ASV scans quarterly, penetration testing annually
12           Policies and programme       Risk assessment, incident response plan, awareness training

UAE-Specific PCI DSS Context

Both Visa and Mastercard require UAE merchants and service providers to comply with PCI DSS as a contractual condition of card acceptance. Acquiring banks in the UAE (Emirates NBD, ADCB, Mashreq, FAB) enforce PCI DSS compliance through their merchant agreements. Non-compliant merchants face fines, increased transaction fees, and ultimately suspension of card processing capability. CBUAE has issued guidance on e-payment security requiring licensed payment service providers to maintain PCI DSS compliance as part of their operational licensing conditions. Cyber security audits for UAE financial-sector clients routinely include PCI DSS assessment as part of CBUAE compliance work.

SAQ vs Full QSA Assessment

  • SAQ (Self-Assessment Questionnaire): Suitable for smaller merchants meeting specific criteria. Multiple SAQ types (A, A-EP, B, C, D) depending on payment method. SAQ A is the simplest — for card-not-present merchants who fully outsource card processing.
  • QSA Assessment: Required for Level 1 merchants (over 6 million Visa/Mastercard transactions annually), all Level 1 service providers, and organisations where a significant breach has occurred.

Common PCI DSS Gaps Found in UAE Assessments

  1. Incomplete CDE scoping — organisations under-scope their CDE, excluding systems that store PAN in application logs
  2. MFA not applied to internal CDE access — the v4.0 MFA expansion catches many UAE organisations that had MFA on remote access but not on internal access
  3. Payment page script inventory missing — Requirement 6.4.3 is new and many UAE e-commerce teams have not inventoried third-party JavaScript on checkout pages
  4. Penetration test scope excludes internal network — PCI DSS requires both external and internal penetration testing; many UAE VAPT engagements are external only
  5. Log retention below 12 months — Requirement 10 mandates 12 months of log retention with 3 months immediately available
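Gap 1 above usually surfaces when someone finally scans the application logs. As an added example (not from the original guide), this Node.js scanner finds candidate PANs in log lines by combining a 13 to 19 digit pattern with the Luhn check, and reports them in the masked first-six/last-four form so the report itself does not become a new PAN store. The log lines and field names are constructed; 4111 1111 1111 1111 is a widely used test PAN.

```javascript
// Added example (not from the original guide): scan application log lines
// for candidate PANs so that log-storing systems are not left out of CDE scope.
// Candidates are 13-19 digits (space or dash separators allowed) that pass the
// Luhn check, which filters out most order IDs and timestamps.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Mask to the first 6 / last 4 form so the scan report does not itself
// become another place where full PANs are stored.
function maskPan(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Return one finding per Luhn-valid candidate: line number and masked PAN.
// The line number is enough to locate the offending log statement.
function scanLogLines(lines) {
  const candidateRe = /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g;
  const findings = [];
  lines.forEach((line, idx) => {
    for (const m of line.matchAll(candidateRe)) {
      const digits = m[0].replace(/[ -]/g, '');
      if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
        findings.push({ line: idx + 1, masked: maskPan(digits) });
      }
    }
  });
  return findings;
}

// Constructed sample log lines: an order id and a transaction ref that look
// like card numbers but fail Luhn, and one debug line that leaks a real-shaped PAN.
const sampleLog = [
  '2026-01-12T09:14:03Z INFO order=20260112091403 customer=8841 status=created',
  '2026-01-12T09:14:04Z DEBUG gateway request card=4111111111111111 exp=12/27',
  '2026-01-12T09:14:05Z INFO txn ref 9876543210123 approved',
];

console.log(scanLogLines(sampleLog));
```

A hit in any log store means that system holds account data and belongs inside the CDE scope until the logging is fixed and the historical entries are purged.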

Frequently Asked Questions

When did PCI DSS v3.2.1 expire?

PCI DSS v3.2.1 was retired on 31 March 2024. The new requirements introduced in v4.0 became mandatory on 31 March 2025.

What happens if a UAE merchant is not PCI DSS compliant?

Non-compliant merchants can face fines of USD 5,000–USD 100,000 per month, increased transaction fees, mandatory forensic investigation costs following a breach, and ultimately termination of card processing capability.

How long does PCI DSS certification take?

A full QSA assessment for a UAE organisation typically takes 3-6 months from engagement to ROC issuance. Organisations with significant gaps should budget 6-9 months for first-time certification.

Need PCI DSS compliance support in the UAE? eShield IT provides PCI DSS assessment, gap analysis, and remediation for UAE businesses.