PCI DSS 4.0: Key Changes Businesses Must Prepare for in 2025

PCI DSS 4.0 is here. Version 3.2.1 was retired on March 31, 2024, and the 51 new requirements that were only "best practice" during the transition period became mandatory on March 31, 2025, so every organization that handles payment card data is now assessed against the full v4 requirement set (published today as v4.0.1, a clarification release that adds no new requirements). More than just a regulatory shift, this update gives businesses the tools and flexibility to strengthen security, close gaps faster, and maintain continuous protection year-round.

This update impacts every organization that stores, processes, or transmits payment card data, from large retailers to small e-commerce shops. Whether you’re a business owner, security professional, or e-commerce manager, understanding these changes is critical to avoiding costly non-compliance penalties and safeguarding customer trust. For Salesforce users, detailed guidance on maintaining PCI compliance can be found here.

Below, we break down the most significant updates in PCI DSS 4.0 and provide actionable insights to help you navigate the transition.

A Shift to a Customized Approach

In previous PCI DSS versions, compliance was often seen as a checklist exercise – prescriptive steps that had to be followed exactly.

PCI DSS 4.0 changes that. Each requirement can now be validated in one of two ways: the Defined Approach (the traditional prescriptive controls and testing procedures) or the Customized Approach, under which you implement alternative controls as long as you can prove they meet the requirement's stated Customized Approach Objective.

What this means for you:

  • You have greater flexibility in designing security measures tailored to your infrastructure and operations.
  • However, every requirement met this way needs a documented controls matrix and a targeted risk analysis (requirement 12.3.2), and you must test the control yourself and keep the evidence; the assessor derives their own testing procedures from your documentation rather than from the standard.
  • Expect deeper discussions with assessors, as the focus shifts from "Did you implement control X?" to "Does your control meet the intended security objective?"

Action Step

If you're considering the Customized Approach, develop a robust testing and documentation framework now so you can clearly demonstrate compliance during assessments. Note that it is only available when a QSA or ISA validates you in a Report on Compliance; entities that self-assess on an SAQ must use the Defined Approach, which also remains the default for every requirement you do not customize.

Stronger E-commerce Security Requirements

E-commerce has become a prime target for web-skimming and form-jacking attacks, where malicious scripts harvest cardholder data directly from payment pages.

PCI DSS 4.0 introduces two client-side requirements (6.4.3 and 11.6.1, both future-dated and mandatory since March 31, 2025) to address these threats:

  • Requirement 6.4.3: every script loaded and executed in the consumer's browser on a payment page must be inventoried with a written justification, explicitly authorized, and protected by a mechanism that confirms its integrity.
  • Requirement 11.6.1: a change-and-tamper detection mechanism must alert on unauthorized modification of the HTTP headers and the content of payment pages as received by the browser, run at least once every seven days or at a frequency set by your targeted risk analysis.
  • How much of this lands on you depends on your payment integration method:
    • iFrames or redirects to a compliant PSP's hosted page: simpler compliance path (typically SAQ A), because the card fields themselves are hosted externally. The page that embeds the iframe or issues the redirect still has to be protected from script injection, since a skimmer on that page can overlay or replace the frame.
    • Direct integrations (card fields on your own page, or the PSP's JavaScript SDK running in it): 6.4.3 and 11.6.1 apply in full to the page and to every script on it, including marketing tags and chat widgets.

Action Step

  • Inventory all scripts running on your checkout pages, including those injected by tag managers, and record who approved each one and why.
  • Implement a Content Security Policy (CSP) that allowlists script origins and inline-script hashes, and pin static third-party scripts with Subresource Integrity (SRI). SRI only works for scripts whose bytes you control or can pin; third-party tags that change without notice will simply stop loading, so those need a CSP origin allowlist plus a monitoring control instead.
  • Capture the page and its response headers on a schedule, diff them against a known-good baseline, and alert on any new script, changed hash or missing security header. This is the 11.6.1 control, and it is what catches a skimmer that slips past the CSP.
  • If possible, consider moving to a redirect or iframe model to reduce compliance burden.

Expanded Multi-Factor Authentication (MFA)

Under PCI DSS 3.2.1, MFA was required for all non-console administrative access into the cardholder data environment (CDE) and for all remote network access originating from outside the entity's network. A non-administrative user logging in from the internal network did not need it.

In PCI DSS 4.0, requirement 8.4.2 extends MFA to all non-console access into the CDE for all personnel, including access from inside your corporate network; 8.4.3 still covers remote access into the entity's network. Requirement 8.5.1 also sets a bar for the MFA system itself: it must not be susceptible to replay, must not be bypassable by any user including administrators, and must grant access only after every factor succeeds. The exceptions are narrow, such as application and system accounts performing automated functions and user accounts on point-of-sale terminals that see only one card number at a time.

Why this matters

Credential theft remains one of the most common attack vectors. Expanded MFA requirements close a major gap in protecting against compromised accounts.

Action Step

  • Extend MFA to every user and every path into the CDE – administrators, developers, support staff, and vendor accounts alike – and verify that no path (a jump host, a VPN profile, a legacy management interface) lets a user in with a single factor.
  • Use phishing-resistant authentication methods wherever possible, such as FIDO2/WebAuthn keys; SMS codes and push approvals satisfy the two-factor rule but are routinely defeated by real-time phishing and push fatigue.

Enhanced Vulnerability Management

Previously, the scanning and patching requirements focused on the top of the severity scale: critical patches installed within a month, and internal scans repeated until "high-risk" findings were resolved. PCI DSS 4.0 raises the bar. Critical and high vulnerabilities still have to be fixed within one month of release (requirement 6.3.3), and all other applicable vulnerabilities must now be addressed as well, within time frames set by your targeted risk analysis (requirements 6.3.3 and 11.3.1.1), with rescans to confirm the fix.

Key updates include

  • Software component inventory (requirement 6.3.2): you must maintain an inventory of your bespoke and custom software and of every third-party component, including open-source libraries, incorporated in it, so that vulnerabilities in those components can be tracked. A machine-readable Software Bill of Materials (SBOM) in CycloneDX or SPDX is the practical way to meet this; the standard itself does not mandate a format.
  • Deeper, more frequent scanning: quarterly internal and external (ASV) scans remain the minimum, and scans are still required after significant changes, but internal scans must now be authenticated (requirement 11.3.1.2) so they see the installed software rather than only the exposed services. Treat the quarter as a ceiling, not a cadence: run dependency and image scans continuously so a new vulnerability is found in days, not months.

Action Step

  • Implement an automated vulnerability management platform with authenticated internal scanning, and track every finding against the deadline its severity carries.
  • Maintain and regularly update an SBOM for all applications and systems connected to the CDE, and regenerate it on every build so the inventory never lags the deployed code.

Stronger Oversight of Third-Party Service Providers (TPSPs)

If you work with third-party vendors who handle cardholder data – such as payment processors, cloud service providers, or call centers – PCI DSS 4.0 requires more active oversight.

You must

  • Verify the vendor's compliance at least annually by reviewing their Attestation of Compliance (AOC) (requirement 12.8.4), and check that the services you use are actually inside the AOC's scope.
  • Clearly define security responsibilities in contracts, and keep a record of which PCI DSS requirements each vendor covers and which remain yours (requirement 12.8.5). Service providers are now required to give you this responsibility matrix on request (requirement 12.9.2).
  • Monitor the vendor's security posture throughout the year, not just at AOC renewal time.

Action Step

  • Create a vendor compliance management program.
  • Schedule periodic reviews and request updated AOCs from all TPSPs.

A New Compliance Mindset: Continuous Security


PCI DSS 4.0 represents a turning point in how businesses approach payment security.

The standard’s intent is clear: security can no longer be treated as a once-a-year project to “pass the audit” – it must be an ongoing, embedded discipline woven into everyday operations.

This change reflects the reality of today’s threat landscape. Cybercriminals don’t operate on annual schedules, and security gaps can be exploited within hours, not months. A static, snapshot-based compliance approach leaves organizations exposed between assessments.

From “Point-in-Time” to “All-the-Time”

Under PCI DSS 3.2.1, it was common for organizations to prepare intensely for the annual assessment, fix issues just in time, and then slip back into old habits. PCI DSS 4.0 pushes for continuous readiness through:

  • Ongoing monitoring of security controls to ensure they remain effective.
  • Automated alerts for deviations from compliance baselines.
  • Frequent internal reviews rather than relying solely on the annual external audit.

Example

Quarterly internal and ASV scans remain mandatory, but they should be the floor, not the whole program. Instead of running them, filing the results away and waiting three months, integrate dependency, container-image and infrastructure scanning into your CI/CD pipelines so every deployment is checked automatically and a newly published vulnerability shows up the next time the pipeline runs.

Embedding Compliance into Company Culture

Technical controls alone won’t achieve continuous security – people play a critical role.

  • Security awareness training should be refreshed regularly and tailored to roles (e.g., developers get secure coding refreshers, customer service reps learn how to spot phishing attempts).
  • Shared accountability means compliance is not just the IT or security team’s job – every department that touches payment data must own its role in protecting it.

Example

An e-commerce manager should be just as aware of script injection risks on checkout pages as a web developer is, ensuring marketing scripts are vetted before deployment.

Leveraging Technology for Ongoing Compliance

The complexity of modern payment environments means manual tracking is impractical.

PCI DSS 4.0’s focus on continuous security aligns with adopting Security Information and Event Management (SIEM) tools, compliance automation platforms, and threat intelligence feeds to:

  • Detect anomalies in real time.
  • Maintain accurate system inventories.
  • Automatically log compliance evidence for assessors.

Example

Use a compliance automation platform to map each PCI requirement to its related control, then continuously monitor the control's operational status, so that a control that silently stops working (an expired certificate, a disabled log forwarder, an MFA exemption left in place) is caught when it fails rather than at audit time.

The Business Value of Staying Audit-Ready Year-Round

While continuous compliance may seem like a higher operational burden, it has measurable benefits:

  • Reduced breach risk means avoiding costly fines, legal exposure, and brand damage.
  • Faster incident response through real-time monitoring and alerting.
  • Greater customer trust by visibly demonstrating a security-first approach.
  • Lower audit stress when compliance artifacts and logs are already up to date.

Ultimately, PCI DSS 4.0 is a call to elevate compliance from a checklist to a business advantage – one that strengthens your security posture, builds resilience, and differentiates you from competitors who only aim to meet the bare minimum.

PCI DSS 4.0 Implementation Timeline and Next Steps


Immediate Actions (Next 30 Days)

  1. Scope assessment: Identify all systems handling payment card data
  2. Gap analysis: Compare current controls against PCI DSS 4.0 requirements
  3. Vendor inventory: List all third-party service providers with payment data access
  4. Budget planning: Allocate resources for new technology and process requirements

Short-term Implementation (3-6 Months)

  1. MFA rollout: Deploy MFA for all non-console access into the CDE, internal as well as remote
  2. E-commerce security: Build the payment-page script inventory, deploy CSP and SRI, and put change-and-tamper detection in place
  3. Vulnerability management: Deploy automated scanning and SBOM tools
  4. Staff training: Update security awareness programs for new requirements

Long-term Strategy (6-12 Months)

  1. Continuous monitoring: Implement SIEM and automated compliance tools
  2. Process optimization: Establish ongoing compliance workflows
  3. Vendor management: Launch enhanced TPSP oversight program
  4. Assessment readiness: Prepare for first PCI DSS 4.0 compliance assessment

A Fundamental Change

The transition to PCI DSS 4.0 isn't just about avoiding penalties – it's about building resilient, secure payment systems that protect your business and customers in an increasingly complex threat landscape. For some further reading, you can explore this Forbes article or this Business Reporter article.

By embracing these changes now, you can:

  • Strengthen your defenses against evolving threats.
  • Protect your customers’ sensitive data.
  • Avoid fines, reputational damage, and operational disruption from non-compliance.

PCI DSS 4.0 marks a new chapter in payment security, requiring businesses to think beyond annual checklists and commit to continuous, adaptable protection. The right tools can make compliance easier, faster, and more reliable. Start your journey toward stronger payment security today – explore how you can reduce your PCI scope with our guide here.