If your business stores, processes or transmits payment card data, the transition period is firmly behind you. PCI DSS v4.0.1 is the active standard, and since 31 March 2025 the previously “future-dated” requirements are mandatory. Assessments in 2026 are conducted against the full standard, with every requirement in scope. If you validated under v4.0 in 2024 but treated the newer requirements as optional — as many organisations quietly did — your next assessment will not go well unless you have since implemented them. This is what changed, and what to do about it now.
How we got here
Version 4.0 was published in 2022 as the first major overhaul of PCI DSS in over a decade. It introduced dozens of new or updated requirements, and a large set of them were deliberately designated “future-dated” — best practice until 31 March 2025, and mandatory from that date onward. This phased approach gave organisations time to adapt to significant changes. Version 4.0.1, a limited revision published in 2024, followed to correct errors and clarify intent; crucially, it added and removed nothing of substance, and it did not move the deadline. So the picture in 2026 is simple and unforgiving: one active standard, every requirement in force, and no more grace period to hide behind.
What changed with v4.x
Beyond the dates, v4.x reflects how attacks and payment technology have evolved since the previous version. The most significant new requirements include:
- E-commerce page protection. Payment-page scripts must be authorised and integrity-checked, with a mechanism to detect tampering, to counter e-skimming (Magecart-style) attacks that inject malicious code into checkout pages — a threat that barely existed when earlier versions were written.
- Web application firewalls. Public-facing web applications must be protected by an automated technical solution; periodic manual review alone is no longer sufficient.
- Stronger authentication. Expanded multi-factor authentication requirements and longer minimum password lengths.
- Authenticated internal scanning and more rigorous, risk-informed vulnerability management.
- Targeted risk analyses. For certain activities, you now justify the frequency based on a documented risk analysis rather than a fixed calendar — more flexible, but demanding more accountability and judgement.
The bigger shift is cultural
The most important change in v4.x is not any single control — it is a change in philosophy. Older versions were often treated as an annual event: assess, remediate, submit, and then return to business as usual until the following year, when the scramble repeated. Version 4.x explicitly rejects that model. It expects security controls to be operating and evidenced all year round, with roles and responsibilities documented and continuous monitoring in place. Compliance is meant to be a state you maintain, not a snapshot you produce once and forget. For many organisations this cultural shift is harder than any individual technical requirement, because it changes how the whole programme is run.
Exactly which requirements apply depends on how you validate — your merchant level and Self-Assessment Questionnaire type. The e-commerce requirements in particular vary significantly by SAQ, so confirm your specific scope before assuming a requirement does or does not apply to you.
What to do now
- Run a gap analysis against v4.0.1 to see precisely where you stand against the full requirement set, including the once-future-dated controls.
- Prioritise the newer controls. Payment-page integrity, web application firewalls, expanded MFA and authenticated scanning tend to need the most work and lead time, so start there.
- Build the year-round evidence habit, so your next assessment is a review of a genuinely working programme rather than a frantic reconstruction.
- Engage your QSA early if you validate at a level that requires one, so scope and expectations are clear well before the assessment window.
The takeaway
If you handle card data and have not revisited your PCI programme since the 2025 deadline, that review is overdue. A QSA-led assessment now expects the complete standard, operating continuously — and the organisations that treat payment security as genuine business-as-usual find compliance far less painful, and far less risky, than those still running the old annual scramble against a standard that no longer permits it.