Key Takeaways

  • PCI DSS v4.0.1 replaces v3.2.1 — all future-dated requirements are now mandatory
  • The customised approach allows flexible controls for mature security organisations
  • Targeted risk analysis replaces the single annual risk assessment model
  • MFA requirements now extend to all access to the cardholder data environment
  • Organisations already non-compliant after 31 March 2025 deadline

What is PCI DSS v4.0.1?

PCI DSS v4.0.1 is the latest version of the Payment Card Industry Data Security Standard, released by the PCI Security Standards Council (PCI SSC) in March 2022. It replaces PCI DSS v3.2.1 and represents the most significant update to the standard since its inception.

The new version was designed to address evolving payment security threats, promote security as a continuous process, and provide more flexibility for organisations to meet security objectives. For a comprehensive overview of all 12 PCI DSS requirements, see our PCI DSS Complete Compliance Guide.

Major Changes in PCI DSS v4.0.1

1. The Customised Approach

Perhaps the most significant structural change, the customised approach allows organisations to meet PCI DSS objectives through alternative security controls rather than following prescriptive requirements verbatim.

This doesn't mean lower standards — it means organisations with mature security programmes can implement controls that better fit their specific environment while still meeting the underlying security intent of each requirement.

Important: The customised approach requires rigorous documentation and a targeted risk analysis for each alternative control. It is not a shortcut — it typically requires more documentation than the traditional defined approach.

2. Targeted Risk Analysis

Under PCI DSS v3.2.1, a single annual risk assessment covered all requirements. Version 4.0 introduces targeted risk analysis — requiring organisations to perform focused risk assessments for specific requirements, particularly those where the organisation sets the frequency of an activity.

For example, the frequency of log reviews, vulnerability scans, and access reviews can now be determined by the organisation's own risk analysis rather than a one-size-fits-all mandate.

3. Enhanced Authentication Requirements

Multi-factor authentication (MFA) requirements have been significantly expanded. Under v3.2.1, MFA was required only for remote access to the cardholder data environment. Under v4.0.1, MFA is required for all access to the CDE — including local, on-premise access.

Not sure where you stand on v4.0.1?

Download our free PCI DSS v4.0.1 Compliance Checklist — all 12 requirements mapped.

4. Service Provider Requirements

PCI DSS v4.0.1 places additional requirements on service providers, including mandatory use of intrusion-detection and prevention systems, failure-detection mechanisms for security controls, and more frequent penetration testing. Our PCI DSS compliance service includes full v4.0.1 assessment coverage for both merchants and service providers.

5. Evolving Threat Coverage

New requirements address modern attack vectors including e-commerce skimming (Requirement 6.4.3), phishing protection (Requirement 5.4.1), and automated mechanisms for detecting and preventing web-based attacks on payment pages.

Timeline: What You Must Do Now

As of 31 March 2025, all future-dated requirements in PCI DSS v4.0.1 became mandatory. Organisations that haven't completed their transition from v3.2.1 are already operating outside of compliance.

According to the PCI Security Standards Council, there is no further grace period. Acquirers and card brands may impose fines, increased transaction fees, or revoke processing privileges for non-compliant entities.

EIC's recommendation: If you haven't yet completed your v4.0.1 transition, schedule an urgent scoping call. Our QSA team can assess your current posture, identify critical gaps, and create a remediation roadmap. With CardIntel, we can scope your cardholder data environment in 48 hours.

How This Affects Your Next Assessment

Your next PCI DSS assessment will be conducted entirely against v4.0.1 requirements. This means your QSA will evaluate new controls that didn't exist under v3.2.1 — including the expanded MFA requirements, targeted risk analyses, and any customised approach implementations.

EIC has completed 50+ PCI DSS assessments annually and has been delivering v4.0.1 assessments since the standard's release. Our assessors are trained specifically on the customised approach documentation requirements and can advise on the most efficient pathway for your organisation.

PCI DSSPCI DSS v4.0.1CompliancePayment SecurityQSA