A CERT-In Empanelled Auditing Organization
Home/Blog/Regulatory Updates
Regulatory Updates

PCI DSS v4.0.1 in 2026: every requirement is now mandatory

If your business stores, processes or transmits payment card data, the transition period is firmly behind you. PCI DSS v4.0.1 is the active standard, and since 31 March 2025 the previously “future-dated” requirements are mandatory. Assessments in 2026 are conducted against the full standard, with every requirement in scope. If you validated under v4.0 in 2024 but treated the newer requirements as optional — as many organisations quietly did — your next assessment will not go well unless you have since implemented them. This is what changed, and what to do about it now.

How we got here

Version 4.0 was published in 2022 as the first major overhaul of PCI DSS in over a decade. It introduced dozens of new or updated requirements, and a large set of them were deliberately designated “future-dated” — best practice until 31 March 2025, and mandatory from that date onward. This phased approach gave organisations time to adapt to significant changes. Version 4.0.1, a limited revision published in 2024, followed to correct errors and clarify intent; crucially, it added and removed nothing of substance, and it did not move the deadline. So the picture in 2026 is simple and unforgiving: one active standard, every requirement in force, and no more grace period to hide behind.

What changed with v4.x

Beyond the dates, v4.x reflects how attacks and payment technology have evolved since the previous version. The most significant new requirements include:

The bigger shift is cultural

The most important change in v4.x is not any single control — it is a change in philosophy. Older versions were often treated as an annual event: assess, remediate, submit, and then return to business as usual until the following year, when the scramble repeated. Version 4.x explicitly rejects that model. It expects security controls to be operating and evidenced all year round, with roles and responsibilities documented and continuous monitoring in place. Compliance is meant to be a state you maintain, not a snapshot you produce once and forget. For many organisations this cultural shift is harder than any individual technical requirement, because it changes how the whole programme is run.

Exactly which requirements apply depends on how you validate — your merchant level and Self-Assessment Questionnaire type. The e-commerce requirements in particular vary significantly by SAQ, so confirm your specific scope before assuming a requirement does or does not apply to you.

What to do now

  1. Run a gap analysis against v4.0.1 to see precisely where you stand against the full requirement set, including the once-future-dated controls.
  2. Prioritise the newer controls. Payment-page integrity, web application firewalls, expanded MFA and authenticated scanning tend to need the most work and lead time, so start there.
  3. Build the year-round evidence habit, so your next assessment is a review of a genuinely working programme rather than a frantic reconstruction.
  4. Engage your QSA early if you validate at a level that requires one, so scope and expectations are clear well before the assessment window.

The takeaway

If you handle card data and have not revisited your PCI programme since the 2025 deadline, that review is overdue. A QSA-led assessment now expects the complete standard, operating continuously — and the organisations that treat payment security as genuine business-as-usual find compliance far less painful, and far less risky, than those still running the old annual scramble against a standard that no longer permits it.

PCI DSSCompliancePaymentsAudit
Share

Keep reading

Related insights

Regulatory Updates

RBI, SEBI and IRDAI: keeping pace with India’s financial-sector cyber rules

The financial regulators have raised the bar on cyber resilience. A high-level map of what RBI, SEBI and IRDAI expect - and how to stay current.

4 min read
Regulatory Updates

CERT-In’s six-hour incident reporting: what Indian organisations must do

CERT-In requires certain cyber incidents to be reported within six hours of detection. What that means in practice - and how to be ready.

4 min read
Regulatory Updates

GDPR for Indian companies serving EU customers

The GDPR reaches beyond Europe. When it applies to Indian companies, what it requires, and how it overlaps with your DPDPA work.

3 min read

Have a question this raised?

Our team turns guidance like this into working compliance and security programmes. Tell us where you are — we’ll help you plan the next step.