PCI DSS v4.0 Enforceable Requirements
PCI DSS v4.0 Compliance: The 51 Future-Dated Requirements Are Now Enforceable
Payment card terminal with security lock representing PCI DSS compliance. PCI DSS v4.0 introduces 51 future-dated requirements that became enforceable starting in April 2025. Organizations still on v3.2.1 face a March 31, 2026 hard deadline.
Why PCI DSS v4.0 Matters Right Now
As of July 2026, the transition window for PCI DSS v4.0 is nearly closed. The Payment Card Industry Security Standards Council (PCI SSC) published version 4.0 in March 2022, and by April 1, 2025, all new assessments were required to use the new standard. The final deadline for all organizations to retire v3.2.1 assessments is March 31, 2026, less than nine months from today.

Major Changes from v3.2.1 to v4.0
According to CSO Online analysis by Michelle Drolet, PCI DSS v4.0 contains 64 requirements, 13 of which were already in effect upon publication. The other 51 “future-dated” requirements were classified as best practices until they became mandatory in April 2025. The PCI SSC began enforcing requirements 6.4.3 (change management for production environments) and 11.6.1 (change-detection technology on public-facing web pages) starting March 31, 2025.
Non-compliance carries real financial consequences. According to NordLayer’s analysis of PCI DSS penalties, fines vary by duration of non-compliance and merchant’s transaction volume, with monthly penalties ranging from $5,000 for low-level organizations in early non-compliance to $100,000 for higher-volume merchants with prolonged violations. Acquiring banks may also terminate processing agreements entirely. For service providers, stakes are higher: a failed assessment can mean losing the ability to process payments altogether.
Key Takeaways:
- PCI DSS v4.0 contains 64 total requirements, with 51 future-dated mandates now in effect as of April 2025
- Passwords must be a minimum of 12 characters (up from 7 in v3.2.1) and MFA must be replay-resistant
- Targeted risk analysis replaces prescriptive checkbox compliance across multiple requirements
- The March 31, 2026 deadline means all organizations must complete their transition or face penalties
- Disk-level encryption alone no longer satisfies PAN protection requirements
Major Changes from v3.2.1 to v4.0

The shift from v3.2.1 to v4.0 is not an incremental update. It represents the most significant restructuring of the standard since its inception in 2004. The Council’s stated goal was to move from a static, prescriptive standard to one that accommodates evolving threats and diverse organizational risk profiles.
Targeted Risk Analysis Becomes a First-Class Requirement
The single biggest conceptual change in v4.0 is the introduction of targeted risk analysis (TRA) as a formal compliance mechanism. Under v3.2.1, organizations followed a fixed checklist. Under v4.0, many requirements allow organizations to define the scope and frequency of controls based on a documented risk assessment. This means a small e-commerce merchant and a global payment processor can both comply with the same requirement using different implementations, but only if each can produce a written risk analysis justifying their choices.
The TRA requirement appears across multiple control domains: frequency of vulnerability scans, scope of log review, password rotation schedules, and security awareness training intervals all now require documented risk justification.
Authentication Overhaul: 12-Character Passwords and Replay-Resistant MFA
Version 3.2.1 set minimum password length at seven characters. As CSO Online analysis notes, seven-character passwords can be cracked in a matter of hours according to Hive Systems’ annual password audit. If a system genuinely cannot support 12-character passwords, organizations may implement a minimum of eight characters as a compensating control, but this exception must be documented and approved.
Requirement 8.5.1 is arguably the most impactful authentication change. It requires multi-factor authentication that is not vulnerable to replay attacks. Traditional MFA implementations that use time-based one-time passwords (TOTP) or SMS codes can be intercepted through adversary-in-the-middle (AiTM) phishing attacks. As noted by Forbes Technology Council, organizations must now deploy MFA systems that incorporate cryptographic verification of the authentication session, such as FIDO2/WebAuthn or PKI-based certificates.
Encryption and PAN Protection
Disk-level and partition-level encryption, where the entire drive is encrypted with a single key and automatically decrypted upon authentication, no longer satisfies the requirement to render primary account numbers (PAN) unreadable. The rule now specifies that PAN must remain encrypted except during a specific window when a legitimate business process requires access. This forces organizations to implement column-level, field-level, or application-layer encryption rather than relying on full-disk encryption as a catch-all.
Web Application Firewall and Anti-Phishing Controls
Requirement 6.4.3 now mandates a web application firewall (WAF) in front of all public-facing web applications. The WAF must be actively running, kept up to date, generate audit logs, and be configured to either block web-based attacks or generate alerts that can be immediately investigated. According to CSO Online analysis, researchers tracked more than 18 billion attacks against public-facing web applications in 2023, highlighting why this control was prioritized for early enforcement.
Organizations must also implement automated mechanisms to detect and protect personnel against phishing attacks.
Automated Log Analysis
Under v3.2.1, organizations could satisfy log review requirements through manual review processes. Version 4.0 requires log harvesting, parsing, and alerting tools, typically a security information and event management (SIEM) system, to deliver a repeatable, consistent, and automated log review process. This is a direct response to the reality that understaffed security teams cannot manually review the volume of log data generated by modern payment environments.
The Transition Timeline: What’s Already Passed and What’s Next
The PCI SSC designed a phased transition to give organizations time to adapt, but many organizations underestimated the scope of work required. Here is where the timeline is of July 2026:
| Date | Milestone | Status |
|---|---|---|
| March 2022 | PCI DSS v4.0 published by PCI SSC | Complete |
| March 2024 | Initial transition period began; v3.2.1 still accepted | Complete |
| March 31, 2025 | Enforcement began for Requirements 6.4.3 (WAF) and 11.6.1 (change detection) | Complete |
| April 1, 2025 | All new assessments must use PCI DSS v4.0; 51 future-dated requirements become mandatory | Complete |
| March 31, 2026 | All assessments must use v4.0; v3.2.1 permanently retired | Less than 9 months away |
| March 31, 2027 | Future-dated requirements deadline (if any additional phased requirements apply) | Pending |
The most critical takeaway: if your organization is still operating under a v3.2.1 assessment, you have less than nine months to complete your gap analysis, implement controls, and pass a v4.0 assessment. Given that a typical PCI DSS assessment cycle takes 3 to 6 months for a mid-size organization, the window for starting is essentially now or never.
Gap Analysis Checklist: 12 Critical Controls to Audit
Conducting a thorough gap analysis is the first step toward v4.0 compliance. Below is a structured checklist organized by requirement domain. Each control includes a specific requirement reference and the action needed to close the gap from v3.2.1.
| Req # | Control Area | v4.0 Change | Gap Analysis Action |
|---|---|---|---|
| 3.5.1.2 | PAN Encryption | Disk-level encryption no longer sufficient; PAN must remain encrypted except during authorized access | Replace full-disk encryption with column-level or app-layer encryption; document access windows |
| 5.4.1 | Anti-Phishing | Automated phishing detection and protection required; DMARC, SPF, DKIM mandatory | Deploy email auth protocols; implement link scrubbers and server-side anti-malware |
| 6.4.3 | Web App Firewall | WAF required on all public-facing web apps; must be actively managed and generate audit logs | Deploy or validate existing WAF; confirm blocking or alerting configuration; test coverage |
| 8.3.6 | Password Length | Minimum 12 characters (up from 7); alphanumeric required | Update password policies; audit all systems for max length support; identify exceptions |
| 8.5.1 | MFA Replay Resistance | MFA must resist replay attacks; TOTP alone may not satisfy | Deploy FIDO2, WebAuthn, or PKI-based MFA; disable SMS-based MFA for CDE access |
| 8.6.3 | Service Account Passwords | Application and system account passwords must be changed periodically; no hardcoded passwords | Inventory all service accounts; implement periodic rotation; remove hardcoded credentials |
| 10.4.1 | Automated Log Review | SIEM or log harvesting/parsing/alerting tools required; manual review no longer sufficient | Deploy SIEM; configure automated correlation rules; test alerting workflows |
| 11.6.1 | Change Detection | Change-detection technology on public-facing web pages required | Deploy file integrity monitoring or equivalent; configure alerts for unauthorized changes |
| 12.3.2 | Targeted Risk Analysis | Risk analysis required to justify control frequency and scope across multiple requirements | Create TRA template; perform initial risk assessments for each applicable requirement |
| 12.6.2 | Security Awareness | Frequency of training must be risk-based; phishing simulations recommended | Document training schedule based on risk analysis; implement phishing simulation program |
| 3.2.1 | PAN Retention | Stricter retention and disposal requirements; documented business justification required | Audit stored PAN; implement automated purging; document retention schedules |
| 9.5.1 | Physical Security | Video cameras and access control mechanisms must be risk-assessed and documented | Review physical security controls; document risk assessment for camera placement and access logs |
For each control above, pass/fail criteria are straightforward: if the control is not implemented, it is a finding. If it is implemented but not documented with a targeted risk analysis where required, it is a finding. If compensating controls are used without written approval from the acquiring bank or QSA, it is a finding.

Organizations should assemble a cross-functional working group that includes IT security, compliance, legal, and payment operations teams to complete the gap analysis before year-end 2026.
Implementation Priorities by Organization Type
Not all organizations face the same compliance burden under v4.0. The scope of effort depends on whether you are a merchant, service provider, or third-party payment processor, as well as your transaction volume.
Level 1 Merchants (Over 6 Million Transactions Per Year)
These organizations face the most rigorous assessment requirements, including an annual on-site assessment by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor (ASV). The biggest lift for Level 1 merchants in v4.0 is the targeted risk analysis requirement, which demands documented justification for control frequency across all 12 requirements. Organizations starting from scratch should plan for 4 to 6 months for full implementation.
Level 2-4 Merchants (Smaller Volume)
Smaller merchants can use Self-Assessment Questionnaires (SAQs) rather than full on-site assessments, but the SAQ for v4.0 is more detailed than its v3.2.1 predecessor. The most common pain points for smaller merchants are the 12-character password requirement, since many legacy point-of-sale systems max out at 8 characters, and the WAF requirement, which typically adds a monthly cost for cloud-based e-commerce platforms.
Service Providers
Service providers face the highest scrutiny under v4.0. Requirements 6.4.3 (WAF) and 11.6.1 (change detection) were the first to be enforced starting March 31, 2025, precisely because service providers handle cardholder data for multiple downstream merchants. Service providers must also ensure their own compliance programs account for a shared responsibility model. If a merchant relies on a service provider’s controls, both parties are on the hook for validation.
Common Compliance Pitfalls and Enforcement Trends
Based on assessment data and industry reports, the following areas generate the most findings in v4.0 assessments:
1. Treating targeted risk analysis as optional. This is the single most common mistake. Organizations complete technical controls but skip the written risk analysis, then fail their assessment because documentation is missing. The TRA is a requirement, not a suggestion.
2. Relying on full-disk encryption for PAN protection. Organizations that previously passed v3.2.1 assessments using BitLocker or FileVault as their primary encryption control must now implement column-level or field-level encryption. This is a significant architectural change for many organizations.
3. Deploying MFA that is vulnerable to replay attacks. TOTP-based MFA (Google Authenticator, Microsoft Authenticator in standard mode) does not satisfy Requirement 8.5.1 unless combined with additional controls that prevent session interception. FIDO2 security keys or certificate-based authentication are the most straightforward paths to compliance.
4. Underestimating the password length change. The jump from 7 to 12 characters breaks compatibility with many legacy payment applications and embedded systems. Organizations must inventory all systems in the cardholder data environment and identify which ones cannot support 12-character passwords, then document compensating controls for each exception.
5. Assuming compliance is a one-time project. The PCI SSC has explicitly designed v4.0 to require continuous compliance, not point-in-time validation. Automated log analysis, continuous change detection, and ongoing risk assessments mean that organizations must maintain compliance processes year-round, not just during assessment season.
Crypto.com’s upgrade to PCI DSS v4.0 certification, announced in October 2024, shows that even organizations in fast-moving digital asset spaces can achieve compliance with proper planning. As reported by Crowdfund Insider, the certification covered the platform’s payment card processing infrastructure and required updates to authentication, encryption, and monitoring controls.
On the enforcement side, the PCI SSC does not directly levy fines. That authority rests with the card brands (Visa, Mastercard, American Express, Discover, JCB). According to NordLayer’s analysis, monthly fines vary by duration of non-compliance and merchant level: organizations in non-compliance for 1 to 3 months may face fines of $5,000 per month for low-volume merchants and $10,000 per month for higher-volume merchants, with amounts escalating to $50,000 to $100,000 per month for violations lasting seven months or longer. Additionally, card processors may fine companies $50 to $90 for each exposed customer record during a data breach. A failed assessment triggered by v4.0 non-compliance can lead to increased transaction fees, higher reserve requirements, or termination of processing privileges.
For organizations that already maintain compliance programs aligned with NIST CSF 2.0 or ISO 27001, the transition to v4.0 may be less disruptive. Many of the risk analysis and continuous monitoring concepts overlap. The key is treating PCI DSS v4.0 not as a standalone compliance obligation but as an integral part of your broader security program.
Key Takeaways
PCI DSS v4.0 represents a fundamental shift from checkbox compliance to risk-based security. The 51 future-dated requirements are now in effect, and the March 31, 2026 deadline for retiring v3.2.1 is approaching fast. Organizations that have not started their gap analysis are already behind the typical 3 to 6 month implementation cycle.
The most impactful changes to prioritize are: replacing disk-level encryption with field-level PAN protection, deploying replay-resistant MFA, implementing a WAF on all public-facing web applications, and building a targeted risk analysis framework that can be applied across all 12 requirements.
The organizations that will navigate this transition most successfully are those that start gap analysis now, budget for authentication and encryption upgrades, and build the documentation discipline that v4.0 demands. Nine months is enough time, but only if you start today.
Related Reading
More in-depth coverage from this blog on closely related topics:
- GDPR vs CCPA: Building a Dual Privacy Program
- GDPR Data Protection by Design in 2026
- NIST CSF 2.0 & ISO 27001: Healthcare Vendor
- GDPR Compliance Checklist 2026
Sources and References
Sources cited while researching and writing this article:
Nadia Kowalski
Has read every privacy policy you've ever skipped. Fluent in GDPR, CCPA, SOC 2, and several other acronyms that make people's eyes glaze over. Processes regulatory updates faster than most organizations can schedule a meeting about them. Her idea of light reading is a 200-page compliance framework, and she remembers all of it.
