PCI 4.0.1 – A Year in Review and What’s Next for Compliance

Over the past year, the payment‑security world completed a major transition. The PCI Data Security Standard (DSS) v3.2.1 was retired in March 2024, leaving v4.0 and its limited update v4.0.1 as the only active versions. Version 4.0 introduced the most extensive changes in a decade, adding 64 new requirements and giving organizations two years to adopt most of them. The Council released v4.0.1 in June 2024 to fix typographical errors and clarify the intent of several controls. When v4.0 expired at the end of 2024, v4.0.1 became the only version of the standard, and all future‑dated requirements became mandatory on 31 March 2025.

What changed with PCI DSS v4.0.1

The shift from v3.2.1 to v4.0.x was more than a housekeeping exercise. It combined clarifications with new controls designed to address modern threats. The key themes are summarized below:

Clarifications and corrections

• Hashing and encryption – Requirement 3 clarifies that keyed cryptographic hashes used to protect stored account data must be generated with secure algorithms and protected against tampering.
• Vulnerability patching – The 30‑day patch requirement applies only to critical vulnerabilities. Less severe issues may follow a quarterly cycle.
• Phishing‑resistant authentication – Accounts that already use phishing‑resistant factors (such as hardware security keys) do not require an additional multi‑factor step.
• Third‑party responsibilities – Merchants must understand and document the PCI obligations of their service providers. A new requirement mandates an annual scope confirmation to ensure all in‑scope systems and staff responsibilities are up to date.

New controls effective March 31 2025

Many of the 64 new requirements were future‑dated when v4.0 was first released. They took full effect in spring 2025 and focus on stronger authentication, vulnerability management and monitoring:

• Stronger authentication – Passwords must be longer (at least 12 characters for end users and 15 for service accounts). Multi‑factor authentication (MFA) is required for all administrative and remote access.
• Robust encryption and key management – Primary account numbers and other sensitive data must be unreadable at rest, protected by strong cryptography and controlled through dual‑person processes. Communications must use contemporary encryption protocols.
• Quarterly vulnerability management – Internal and external scans are now mandatory at least every three months, and any significant change—such as installing new servers or modifying firewalls—triggers another scan. Critical vulnerabilities must be patched within 30 days.
• Script and e‑commerce security – New controls (6.4.3 and 11.6.1) require merchants to maintain an inventory of scripts running on payment pages and implement tamper detection to guard against Magecart‑style attacks.
• Targeted risk analyses – When the Council does not prescribe a schedule (for example, for certain testing activities), merchants may set their own cadence through a documented targeted risk analysis. Assessors expect to see evidence that the frequency is justified and that controls achieve the intent of the requirement.
• Service‑provider oversight – Merchants must review contracts and ensure that their providers are meeting the standard, particularly around vulnerability scanning and script management.

Why vulnerability scanning matters

External attackers often exploit weaknesses in internet‑facing systems and unpatched software. PCI DSS v4.0.x moved vulnerability scanning from best practice to obligatory security control. Requirement 11.3.2 stipulates that merchants perform external vulnerability scans at least quarterly using an Approved Scanning Vendor (ASV). Additional scans are required after any significant changes. Internal scans must also occur every three months using authenticated credentials to identify configuration weaknesses that unauthenticated scans might miss.

To pass an ASV scan, all vulnerabilities with a CVSS score of 4.0 or higher must be remediated. Merchants completing Self‑Assessment Questionnaire (SAQ) A must submit ASV reports and attestations of compliance along with their questionnaires. The Council even published a resource guide to help merchants understand the ASV process. Organizations that outsource their e‑commerce to third‑party providers must verify that those providers perform scans on their behalf and can produce evidence during audits.

The cost of non‑compliance

Ignoring PCI obligations is expensive. Card brands and acquiring banks can levy fines ranging from USD 5,000 to 100,000 per month for violations. Non‑compliant merchants may also face higher transaction fees, forced forensic investigations, or even suspension of card‑processing privileges. A single breach can trigger lawsuits, reputational damage and the cost of credit‑monitoring services for impacted customers. Failing to complete required ASV scans or submit clean reports can result in rejection of a self‑assessment and loss of a compliance certificate.

Looking ahead to 2026

PCI compliance is evolving toward continuous improvement rather than annual box‑checking. Several trends will shape assessments in 2026:

• Risk‑based scheduling – Assessors will expect documented targeted risk analyses to justify control frequencies when the standard leaves them open. Businesses should move away from “once a year” mind‑sets and adopt risk‑informed cadences.
• Automated monitoring – The volume of logs and scan results will grow. Automated tools and dashboards help track vulnerabilities, patch status and evidence of control execution. Artificial intelligence will begin to assist with anomaly detection and prioritization.
• E‑commerce script oversight – With attacks on payment pages on the rise, merchants need real‑time script monitoring, integrity checks and policies like Content Security Policy. Outsourcing card capture to hosted payment pages or tokenization reduces the compliance burden.
• Phishing‑resistant authentication – Expect broader adoption of FIDO2 security keys, passkeys and other strong factors that reduce reliance on passwords. Organizations should plan for evolving encryption standards as quantum‑safe algorithms emerge.
• Vendor management – Service providers will continue to represent a significant portion of the attack surface. Assessors will scrutinize provider contracts and require up‑to‑date attestations of compliance and evidence of regular scans.

Business benefits and a call to action

Meeting PCI DSS v4.0.1 is not merely about avoiding fines; it strengthens security and builds customer trust. Companies that embrace the new controls gain a deeper understanding of their cardholder‑data environment, reduce the attack surface and streamline operations. Regular vulnerability scanning, robust authentication and clear documentation of roles result in fewer incidents and quicker response when threats emerge.

Organizations don’t have to navigate the journey alone. Working with experienced security partners can simplify scanning and reporting, provide expert remediation guidance and ensure that controls meet both the letter and the spirit of the standard. Early adopters send a message to customers and partners that they take payment security seriously.

Conclusion

PCI DSS v4.0.1 represents a significant evolution in payment‑card security. The past year has seen organizations grapple with new authentication requirements, regular vulnerability scanning and greater scrutiny of third‑party providers. As we move into 2026, compliance will become more risk‑driven and automated. Businesses that implement strong controls now, adopt continuous monitoring and work closely with qualified vendors will be well positioned to protect cardholder data and maintain the trust that drives commerce.