What is the difference between PCI DSS 4.0 and 4.0.1?

PCI DSS 4.0.1 is a minor revision released in June 2024 that clarifies requirements and corrects errata from version 4.0. The core requirements remain the same, but guidance and applicability notes have been refined.

When do the new PCI DSS 4.0 requirements take effect?

The future-dated requirements in PCI DSS 4.0 became mandatory on 31 March 2025. All organisations assessed against PCI DSS must now comply with the full set of requirements.

What are the different SAQ types and which one do I need?

There are eight SAQ types: SAQ A for fully outsourced e-commerce, SAQ B for imprint or standalone terminals, SAQ B-IP for IP-connected terminals, SAQ C-VT for virtual terminals, SAQ C for internet-connected payment systems, SAQ A-EP for partially outsourced e-commerce, SAQ P2PE for validated point-to-point encryption, and SAQ D for all other merchants or service providers. Your acquirer and payment processing method determine the correct type.

How do I determine my PCI DSS scope?

Scope is determined by identifying all people, processes, and technologies that store, process, or transmit cardholder data, plus any systems connected to or capable of impacting the cardholder data environment (CDE). Start by mapping all data flows, documenting where card data enters, moves through, and exits your environment. PCI DSS 4.0 requires scope validation at least annually and after any significant change.

What changed in PCI DSS v4.0.1 compared to v3.2.1?

PCI DSS 4.0.1 introduced a customised approach for meeting security objectives, expanded multi-factor authentication mandates beyond just remote access, added targeted risk analysis requirements, strengthened e-commerce script integrity and phishing protections, and introduced new service provider accountability requirements. The standard shifted from prescriptive controls to outcome-based security objectives while maintaining backward compatibility through the defined approach.

How much does PCI DSS compliance cost?

Costs vary significantly by merchant level and environment complexity. Small merchants completing SAQ A may spend a few hundred dollars annually. Level 1 merchants requiring a QSA-led Report on Compliance can spend between $50,000 and $500,000 or more, depending on scope, remediation needs, and assessor fees. Major cost factors include security technology, qualified personnel, penetration testing, ASV scanning, and ongoing monitoring.

What evidence is required for a PCI DSS assessment?

Assessments require three categories of evidence: documentation (policies, procedures, network diagrams, data flow diagrams), technical evidence (configuration files, scan reports, log samples, screenshots), and observational evidence (interviews, process walkthroughs, live demonstrations). The specific evidence varies by requirement but must prove controls are documented, implemented, and actively maintained throughout the assessment period.

What are compensating controls in PCI DSS?

Compensating controls are alternative security measures used when an organisation cannot meet a specific PCI DSS requirement as written due to a legitimate technical or business constraint. They must meet the intent and rigour of the original requirement, provide an equivalent level of defence, and go above and beyond other PCI DSS requirements. Each compensating control must be documented in a formal worksheet with justification, risk analysis, and validation testing.

What are the four PCI DSS merchant levels?

Level 1 applies to merchants processing over 6 million card transactions annually and requires a QSA-led on-site assessment. Level 2 covers 1 to 6 million transactions and typically requires an SAQ validated by a QSA or ISA. Level 3 applies to 20,000 to 1 million e-commerce transactions. Level 4 covers fewer than 20,000 e-commerce or up to 1 million total transactions. Levels 3 and 4 typically self-assess using the appropriate SAQ.

How do I maintain continuous PCI compliance?

Continuous compliance requires ongoing security monitoring, quarterly internal and external vulnerability scans, daily log reviews, timely patch management, regular access control reviews, and annual security awareness training. Use a compliance management platform to automate evidence collection, track control effectiveness, and receive alerts when controls drift out of compliance between annual assessments.

What happens if I fail a PCI DSS assessment?

A failed assessment results in findings documented by your QSA that must be remediated within a timeframe agreed with your acquirer. Non-compliance can lead to monthly fines ranging from $5,000 to $100,000 imposed by card brands through your acquiring bank, increased transaction fees, mandatory remediation plans, and in severe cases, loss of the ability to process card payments. A data breach while non-compliant significantly increases financial liability.

Do I need a QSA or can I self-assess?

Level 1 merchants (over 6 million transactions) and certain service providers must engage a Qualified Security Assessor for a full Report on Compliance. Merchants at Levels 2, 3, and 4 may typically self-assess using the appropriate SAQ, though some acquirers require Level 2 merchants to have QSA or ISA validation. For complex environments, engaging a QSA for guidance during self-assessment is strongly recommended even when not mandatory.

What is the difference between a ROC and an SAQ?

A Report on Compliance (ROC) is a comprehensive assessment performed on-site by a Qualified Security Assessor, required for Level 1 merchants and some service providers. An SAQ is a self-assessment questionnaire completed by the merchant. The ROC involves detailed testing, evidence review, personnel interviews, and system observations over several weeks. Both produce an accompanying Attestation of Compliance (AOC) submitted to your acquirer.

How long does a PCI DSS assessment take?

Timeline depends on environment complexity and current security posture. A QSA-led ROC engagement typically takes 2 to 8 weeks of active assessment, with remediation potentially adding 3 to 12 months beforehand. SAQ completion for simpler environments can take days to weeks. Organisations starting from scratch should plan 6 to 18 months for full compliance. Annual reassessment is required, with quarterly scans and ongoing monitoring in between.

All Frameworks

322 Controls

PCI DSS 4.0.1

Payment Card Industry Data Security Standard

PCI DSS 4.0.1 is the latest version of the Payment Card Industry Data Security Standard, introducing significant changes with new requirements effective March 2025. It applies to all entities that store, process, or transmit cardholder data.

Start Free Trial Request Demo

Ideal For

MerchantsPayment ProcessorsService ProvidersAcquirers

What is PCI DSS 4.0.1?

PCI DSS 4.0.1 is the latest version of the Payment Card Industry Data Security Standard, introducing significant changes with new requirements effective March 2025. It applies to all entities that store, process, or transmit cardholder data.

PCI DSS applies to any entity that stores, processes, or transmits cardholder data, as well as entities that can impact the security of cardholder data environments. This includes merchants of all sizes, payment processors, acquirers, issuers, and service providers. The scope is determined by the Cardholder Data Environment (CDE) and all connected or security-impacting systems.

Key Requirements

Core areas of PCI DSS 4.0.1 that organisations must address.

Install and maintain network security controls

Apply secure configurations to all system components

Protect stored account data with encryption

Protect cardholder data with strong cryptography during transmission

Protect systems and networks from malicious software

Develop and maintain secure systems and software

Restrict access to system components by business need to know

Identify users and authenticate access to system components

How GRCTrack Supports PCI DSS 4.0.1

Complete control library with 322 requirements

SAQ A through SAQ D questionnaires

Evidence mapping and gap analysis

ROC and AOC report generation

Compensating control documentation

Targeted Risk Analysis templates

Reduce Assessment Time

Cut your PCI assessment time by up to 60%.

Stay Current

Always up-to-date with the latest requirements.

Expert Guidance

Built-in auditor guidance for every control.

Frequently Asked Questions

PCI DSS Resources

PCI DSS Resources and Tools

Explore our comprehensive library of PCI DSS compliance tools, industry-specific guides, and expert resources.

PCI DSS Readiness Assessment

Evaluate your compliance posture with our free 15-question assessment and get a personalised readiness score.

PCI Compliance FAQ

Get authoritative answers to 55+ frequently asked questions about PCI DSS compliance.

PCI DSS Glossary of Terms

Look up 60+ key PCI DSS terms and compliance definitions in our searchable glossary.

PCI Compliance Timeline

Generate a customised compliance timeline based on your organisation size and assessment type.

PCI for Retail Businesses

POS security, omnichannel payments, and SAQ selection for in-store and multi-location retailers.

PCI for E-Commerce Guide

Payment page architecture, script security, SAQ A vs A-EP, and third-party integration guidance.

PCI for SaaS Platforms

Multi-tenancy, container security, cloud responsibility models, and CI/CD pipeline compliance.

PCI for Healthcare Organisations

PCI-HIPAA dual compliance, patient portal payments, and medical device scope considerations.

PCI for Hospitality Industry

Pre-authorisation, card-on-file, PMS security, and guest Wi-Fi isolation for hotels and restaurants.

PCI for Financial Services

Core banking integration, ATM networks, open banking APIs, and Level 1 service provider requirements.

PCI Compliance Cost Calculator

Estimate your annual PCI DSS compliance costs based on organisation size, transaction volume, and SAQ type.

Ready to Simplify PCI DSS 4.0.1 Compliance?

Join hundreds of organisations using GRCTrack to manage compliance.

Start Free Trial View All Frameworks