

Compliance CISO
May 16 2026
PCI-DSS 4.0: What Payments Companies Must Do Before the Deadline
PCI-DSS 4.0 represents the most significant update to the Payment Card Industry Data Security Standard in over a decade. For payments companies and any fintech that processes, stores, or transmits cardholder data, the new requirements introduce meaningful changes that require real effort to implement—not just documentation updates.
What Changed in PCI-DSS 4.0
PCI-DSS 4.0 was released in March 2022. The standard introduces over 60 new requirements, with all requirements now mandatory as of March 31, 2025. Organizations that haven't implemented these new requirements are already out of compliance.
Expanded Multi-Factor Authentication Requirements
PCI-DSS 4.0 significantly expands where MFA is required. Under version 3.2.1, MFA was required for remote access and administrative access to the cardholder data environment. Under 4.0, MFA is required for all access into the cardholder data environment, including access from internal networks. This is one of the most common gaps companies are discovering.
Customized Approach Option
Version 4.0 introduces a customized approach that allows organizations to meet security objectives through controls that differ from the standard prescriptive requirements. While this sounds like more flexibility, it requires significantly more documentation and assessor involvement—and is generally only appropriate for mature security organizations.
Targeted Risk Analysis
Many requirements now call for a targeted risk analysis to determine the frequency of activities like vulnerability scans, log reviews, and security testing. Organizations need to formally document their risk reasoning for the frequency of security activities.
Enhanced E-Commerce Security Requirements
For organizations with web-facing payment pages, PCI-DSS 4.0 introduces new requirements around script management and the integrity of payment page code. Companies must maintain an inventory of all scripts on payment pages, document the authorization for each script, and have a method to confirm script integrity.
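The three obligations in that paragraph (an inventory of every script, a recorded authorization for each, and a way to confirm the script's integrity) can be checked mechanically. The following is an added example written for this article, not code from the blog or from Compliance CISO. It assumes an inventory keyed by script URL (or by body hash for inline scripts) that records an owner, a justification and the SHA-256 of the approved code; the HTML page, script bodies and the "served" dictionary that stands in for fetching each script from the live site are all constructed samples.

```python
"""Script inventory and integrity audit for a payment page (added example).

Every <script> on the page must appear in an authorized inventory, and the
code each external script actually delivers must hash to the value recorded
when it was authorized. Inline scripts are keyed by the hash of their body,
so an edited inline script shows up as an unauthorized one.
"""
import base64
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Optional


def sri_sha256(content: bytes) -> str:
    """SHA-256 of a script body in Subresource Integrity notation."""
    return "sha256-" + base64.b64encode(hashlib.sha256(content).digest()).decode("ascii")


class _ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src, integrity attribute and inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, Optional[str]]] = []
        self._open = False

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "body": ""})
            self._open = True

    def handle_data(self, data: str) -> None:
        if self._open:  # HTMLParser hands script content through as raw data
            self.scripts[-1]["body"] += data

    def handle_endtag(self, tag: str) -> None:
        if tag == "script":
            self._open = False


def script_key(src: Optional[str], body: str) -> str:
    """Inventory key: external scripts by URL, inline scripts by body hash."""
    return src if src else "inline:" + sri_sha256(body.encode("utf-8"))


def audit_payment_page(html: str, inventory: Dict[str, Dict[str, str]],
                       served: Dict[str, bytes]) -> List[str]:
    """Return findings; an empty list means the page matches its authorized inventory."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings: List[str] = []
    present = set()
    for s in collector.scripts:
        key = script_key(s["src"], s["body"])
        present.add(key)
        entry = inventory.get(key)
        if entry is None:
            findings.append(f"unauthorized script: {key}")
            continue
        if s["src"] is None:
            continue  # inline: the key itself proves the body is the authorized one
        body = served.get(s["src"])  # hypothetical stand-in for fetching the asset
        if body is None:
            findings.append(f"could not retrieve script for integrity check: {key}")
        elif sri_sha256(body) != entry["sha256"]:
            findings.append(f"integrity mismatch: {key} (owner {entry['owner']})")
        if s["integrity"] != entry["sha256"]:
            findings.append(f"integrity attribute missing or stale: {key}")
    for key in inventory:
        if key not in present:
            findings.append(f"authorized script no longer on page: {key}")
    return findings


# --- Constructed sample data (not a real merchant page) ----------------------
CHECKOUT_JS = b"/* approved build */ function pay(f){return f.cardToken;}"
CONFIG_INLINE = 'window.cfg = {"currency": "USD"};'

INVENTORY = {
    "/static/checkout.js": {
        "owner": "checkout-team",
        "justification": "tokenizes card fields (change ticket: placeholder)",
        "sha256": sri_sha256(CHECKOUT_JS),
    },
    script_key(None, CONFIG_INLINE): {
        "owner": "checkout-team",
        "justification": "page configuration constants",
        "sha256": sri_sha256(CONFIG_INLINE.encode("utf-8")),
    },
}


def sample_page(extra_script: str = "") -> str:
    """Build the constructed payment page, optionally with one extra <script> tag."""
    return (
        "<html><body><form id='card'></form>\n"
        f'<script src="/static/checkout.js" integrity="{sri_sha256(CHECKOUT_JS)}"></script>\n'
        f"<script>{CONFIG_INLINE}</script>\n"
        f"{extra_script}</body></html>"
    )


def run_demo() -> Dict[str, List[str]]:
    """Audit a clean page and a drifted one (tampered asset plus an unlisted tag)."""
    clean = audit_payment_page(sample_page(), INVENTORY, {"/static/checkout.js": CHECKOUT_JS})
    drifted = audit_payment_page(
        sample_page('<script src="https://cdn.example.invalid/tag.js"></script>'),
        INVENTORY,
        {"/static/checkout.js": CHECKOUT_JS + b"\n/* unexpected change */"},
    )
    return {"clean": clean, "drifted": drifted}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or ["no findings"])
```

Run on a schedule (the frequency is exactly the kind of decision the targeted risk analysis is meant to document), the audit turns "we have an inventory" into evidence: a clean run returns no findings, while a changed asset or a script nobody authorized produces a finding naming the owner of record.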
Many payments companies assumed they had more time than they did because the transition was phased. The phase-in period has ended. All PCI-DSS 4.0 requirements are now in effect.
Where Companies Are Finding the Biggest Gaps
The requirements generating the most remediation work are the expanded MFA requirements for internal access, the new payment page script management requirements for e-commerce, targeted risk analysis documentation for previously calendar-driven activities, and network security control updates required by the revised requirement structure.
What Payments Companies Should Do Now
If you haven't done a formal PCI-DSS 4.0 gap assessment, that's your first step. A gap assessment maps your current controls against all 4.0 requirements and identifies specifically what needs to change. Without a gap assessment, you're guessing about your compliance status—and guessing is not a position you want to be in when your acquiring bank or a major card brand asks for your Report on Compliance.
Also review your contracts with acquiring banks, payment processors, and card brands. Non-compliance with PCI-DSS can result in fines, increased transaction fees, and in serious cases, loss of the ability to process card payments.
Get Started
Compliance CISO brings Fortune 500 security expertise—including programs at Equifax, Capital One, and Visa—to payments companies navigating PCI-DSS 4.0. Schedule a free consultation at complianceciso.com/contact
