What Changed in PCI DSS v4.0.1
A comprehensive guide to the changes from PCI DSS v3.2.1 to v4.0.1 — covering the customised approach, targeted risk analysis, expanded MFA, e-commerce protections, and the migration timeline.
All future-dated requirements became mandatory on March 31, 2025. Every organisation must now comply with the full PCI DSS v4.0.1 standard.
Overview of Major Changes
PCI DSS v4.0 represents the most significant update to the standard since its inception. The paradigm shift from v3.2.1 to v4.0 moves the standard from a prescriptive, checkbox-oriented approach to an outcome-based framework that emphasises security as a continuous process.
The introduction of the customised approach gives mature organisations the flexibility to meet security objectives using controls that best fit their environment, rather than being constrained to a single prescribed method. This is paired with targeted risk analysis, which requires organisations to formally document their risk-based decisions.
Beyond the structural changes, v4.0.1 introduces substantial new technical requirements addressing modern threats: client-side script attacks on payment pages, phishing, insufficient authentication, and manual log review processes. These requirements reflect the evolution of the threat landscape since v3.2.1 was published in 2018.
Key New Requirements
Customised Approach Validation
New option allowing organisations to meet security objectives using alternative controls, validated through targeted risk analysis. Provides flexibility for mature security programmes while maintaining equivalent protection.
Targeted Risk Analysis (Req 12.3.1)
Formal risk analysis now required for any requirement where the organisation determines its own frequency or approach. Replaces the previous ad hoc approach with documented, repeatable risk methodology.
Enhanced MFA Everywhere into CDE (Req 8.4.2)
Multi-factor authentication is now required for all access into the cardholder data environment, not just remote access. This significantly expands the MFA deployment footprint for most organisations.
Client-Side Script Management (Req 6.4.3, 11.6.1)
Critical for e-commerce: all scripts loaded on payment pages must be inventoried, authorised, and monitored for integrity. Addresses Magecart-style attacks that skim payment data from browser sessions.
Automated Log Review (Req 10.4.1.1)
Automated technical mechanisms must be used to perform log reviews. Manual-only log review processes are no longer sufficient. Requires SIEM or equivalent technology for real-time or near-real-time analysis.
Phishing Protection (Req 5.4.1)
Technical mechanisms must be in place to detect and protect against phishing attacks. This goes beyond awareness training to require email filtering, anti-phishing tools, and other automated protections.
Authenticated Internal Scans (Req 11.3.1.2)
Internal vulnerability scans must now use authenticated scanning techniques. Unauthenticated scans alone no longer satisfy this requirement, as they miss vulnerabilities visible only after authentication.
Security Awareness Training (Req 12.6.3.1)
Enhanced training requirements including coverage of phishing, social engineering, and threats specific to the organisation. Training must be updated to reflect current threat landscape.
Migration Timeline
March 2022: The PCI SSC published v4.0 alongside v3.2.1, beginning the transition period.
March 31, 2024: PCI DSS v3.2.1 was officially retired. All assessments from this date must use v4.0 or v4.0.1.
June 2024: v4.0.1 released, a limited revision with corrections, clarifications, and minor updates to v4.0. No new requirements added.
March 31, 2025: Requirements previously designated as best practice became mandatory. This includes client-side script management, authenticated scanning, automated log review, and phishing protections.
Today: All 322 requirements of PCI DSS v4.0.1 are now mandatory for all organisations. There are no remaining grace periods or transitional provisions.
Impact by Merchant Type
| Industry | Most Impactful Changes | Priority Actions |
|---|---|---|
| Retail | POS terminal updates, network segmentation enhancements, MFA for all CDE access | Upgrade POS firmware, deploy MFA for in-store systems, update network diagrams |
| E-Commerce | Client-side script management (6.4.3, 11.6.1), payment page integrity, browser security | Implement script inventory and CSP, deploy change detection on payment pages, review third-party scripts |
| SaaS | Authenticated scanning, automated log review, enhanced access controls, container security | Deploy authenticated vulnerability scanning, implement SIEM with automated alerting, review API security |
| Healthcare | MFA expansion, phishing protections, dual PCI-HIPAA control alignment, medical device scoping | Extend MFA to all CDE access points, deploy anti-phishing tools, map PCI controls to HIPAA safeguards |
| Hospitality | POS and PMS security, guest Wi-Fi segmentation, card-on-file protections, terminal management | Segment guest networks from PMS, implement script controls on booking pages, update pre-auth procedures |
| Financial Services | Customised approach documentation, targeted risk analysis, ATM network controls, issuer requirements | Evaluate customised approach for complex controls, formalise risk analysis process, update issuer-specific documentation |
PCI DSS v4.0.1 Changes FAQ
What is the customised approach in PCI DSS v4.0?
The customised approach is a new validation option introduced in PCI DSS v4.0 that allows organisations to meet the security objective of a requirement using controls that differ from the defined approach. Instead of implementing the specific control described in the requirement, organisations can design their own control and demonstrate through a targeted risk analysis that it meets the same security intent. This approach requires more documentation and QSA validation but provides flexibility for organisations with mature security programmes or unique environments.
Are all future-dated requirements now mandatory?
Yes. All requirements that were designated as future-dated (best practice until March 31, 2025) are now fully mandatory. This includes client-side script management (Requirements 6.4.3 and 11.6.1), authenticated internal vulnerability scans (Requirement 11.3.1.2), automated log review mechanisms (Requirement 10.4.1.1), and enhanced phishing protections (Requirement 5.4.1). Organisations that have not yet implemented these controls are currently non-compliant and should prioritise remediation.
How does PCI DSS v4.0.1 differ from v4.0?
PCI DSS v4.0.1 is a limited revision of v4.0 released in June 2024. It contains corrections, clarifications, and minor updates but does not introduce new requirements. The changes include clarified language for several requirements, corrected typographical errors, and updated guidance sections. Organisations that were compliant with v4.0 should review the errata document to ensure their implementations align with the clarified intent, but no major re-implementation is required.
What should e-commerce businesses prioritise in v4.0.1?
E-commerce businesses should prioritise Requirements 6.4.3 and 11.6.1, which mandate management and monitoring of all scripts loaded in the consumer browser on payment pages. These requirements address attacks like Magecart where malicious scripts skim payment data from checkout pages. Implementation requires maintaining an inventory of all scripts, justifying each script, ensuring integrity monitoring, and having a mechanism to detect unauthorised changes. These are now mandatory and represent a significant new control area for most e-commerce organisations.