PCI DSS 4.0

All 12 requirements, explained with implementation cost

The standard is 350 pages of legal-grade prose. This is the plain-English version: what each requirement asks, what it typically costs to implement, what audits flag most often, and what changed in 4.0.

Updated April 2026

Total implementation, all 12

$23,500 - $245,000

Highest single requirement

Req 6

Secure software, payment page scripts

Most common audit failure

Req 10

Logging and daily review

Six goals, twelve requirements

Build and maintain a secure network

01

Medium

Install and Maintain Network Security Controls

Configure and maintain firewalls and other network security controls to protect cardholder data. Includes defining traffic rules, restricting inbound/outbound access, and reviewing rule sets every six months.

Common gaps: Firewall rules not reviewed semi-annually, flat network without segmentation, default configurations not changed.

4.0 change: Expanded to include all network security controls (not just firewalls). New emphasis on cloud environments.

Implementation

$2,000 - $25,000

Tools needed

Next-gen firewall, network segmentation tools, configuration management

02

Medium

Apply Secure Configurations to All System Components

Remove default passwords and unnecessary services from all systems. Apply secure configuration standards (CIS benchmarks). Manage all system components with documented configuration baselines.

Common gaps: Default credentials on devices, unnecessary services running, no documented configuration baselines.

4.0 change: Renamed from 'Do not use vendor-supplied defaults'. More explicit about inventory requirements.

Implementation

$1,000 - $15,000

Tools needed

Configuration management, vulnerability scanner, CIS benchmark tools

Protect account data

03

High

Protect Stored Account Data

Minimise stored cardholder data. Encrypt stored PAN using strong cryptography. Mask PAN when displayed. Never store sensitive authentication data after authorisation.

Common gaps: PAN stored in log files, full track data retained, encryption keys poorly managed, data retention policy not enforced.

4.0 change: Enhanced requirements for disk-level encryption and key management. SAD must be removed after authorisation even for issuers.

Implementation

$3,000 - $30,000

Tools needed

Encryption/tokenization platform, data discovery tools, key management system

04

Low

Protect Cardholder Data with Strong Cryptography During Transmission

Encrypt cardholder data over open, public networks using strong cryptography (TLS 1.2+). Never send unprotected PAN via messaging technologies (email, SMS, chat).

Common gaps: Outdated TLS versions, self-signed certificates, PAN sent in emails, internal traffic unencrypted.

4.0 change: Updated to reference TLS 1.2 as minimum. Certificates must be valid and not expired.

Implementation

$500 - $5,000

Tools needed

TLS certificates, certificate management, email DLP

Maintain a vulnerability management programme

05

Low

Protect All Systems and Networks from Malicious Software

Deploy anti-malware on all systems commonly affected by malware. Ensure solutions are kept current, perform periodic scans, and generate audit logs. Protect against phishing attacks.

Common gaps: Anti-malware not on all in-scope systems, signatures out of date, no phishing protection.

4.0 change: Added explicit anti-phishing requirement (5.4.1). Expanded beyond traditional anti-virus to all anti-malware.

Implementation

$1,000 - $10,000

Tools needed

Endpoint protection platform, email security gateway, anti-phishing training

06

High

Develop and Maintain Secure Systems and Software

Apply security patches within defined timeframes. Develop software securely. Protect web-facing applications against common attacks. Manage payment page scripts.

Common gaps: Patches not applied within 30 days, no secure SDLC, payment page scripts not inventoried or monitored.

4.0 change: Major new requirement 6.4.3: manage all payment page scripts (inventory, authorize, integrity checking). This is the most impactful 4.0 change for e-commerce.

Implementation

$3,000 - $40,000

Tools needed

Patch management, WAF, SAST/DAST tools, script monitoring (Req 6.4.3)

Implement strong access control

07

Medium

Restrict Access to System Components and Cardholder Data by Business Need to Know

Limit access to cardholder data to only those personnel whose jobs require it. Implement role-based access control. Define and document access needs for each role.

Common gaps: Overly broad access rights, shared accounts, access not reviewed periodically, no documented access control policy.

4.0 change: More granular requirements for defining and documenting access needs. Application and system accounts must also be managed.

Implementation

$1,000 - $10,000

Tools needed

Identity and access management (IAM), privileged access management (PAM)

08

Medium

Identify Users and Authenticate Access to System Components

Assign unique IDs to each person. Implement strong authentication. Use multi-factor authentication for all access to the cardholder data environment. Minimum 12-character passwords.

Common gaps: Shared accounts, MFA not deployed for all CDE access, passwords under 12 characters, no password manager.

4.0 change: MFA required for ALL access into the CDE (not just remote). Minimum password length increased from 7 to 12 characters (or a passphrase of at least 15).

Implementation

$2,000 - $20,000

Tools needed

MFA solution, password manager, identity provider (IdP), SSO

09

Medium

Restrict Physical Access to Cardholder Data

Restrict physical access to systems and media containing cardholder data. Use video cameras or access controls at sensitive areas. Protect POS devices from tampering.

Common gaps: Server room not secured, visitor logs missing, POS devices not inventoried or inspected, media not encrypted.

4.0 change: Enhanced requirements for POS device inspection and tamper detection. Targeted risk analysis for monitoring frequency.

Implementation

$1,000 - $15,000

Tools needed

Physical access controls, security cameras, POS device inventory and inspection process

Monitor and test networks

10

High

Log and Monitor All Access to System Components and Cardholder Data

Implement audit trails for all access to cardholder data and system components. Review logs daily. Use automated log monitoring. Retain audit history for at least 12 months.

Common gaps: No centralised logging, logs not reviewed daily, insufficient log retention, no alerting on anomalies.

4.0 change: Automated mechanisms required to detect and alert on security-relevant events. Targeted risk analysis for log review frequency.

Implementation

$3,000 - $30,000

Tools needed

SIEM or log management platform, automated alerting, log retention storage

11

High

Test Security of Systems and Networks Regularly

Conduct quarterly external ASV scans and annual penetration tests. Perform internal vulnerability scans. Use intrusion detection. Monitor for unauthorised wireless access points.

Common gaps: Pen test not conducted annually, ASV scans failing, no internal scanning, segmentation not tested.

4.0 change: Internal vulnerability scans must be authenticated. Segmentation testing frequency based on risk analysis. New requirement for managing all payment page scripts.

Implementation

$5,000 - $35,000

Tools needed

ASV scanning vendor, penetration testing firm, internal vulnerability scanner, IDS/IPS

Maintain an information security policy

12

Medium

Support Information Security with Organisational Policies and Programs

Establish and publish a comprehensive information security policy. Conduct risk assessments annually. Implement security awareness training. Manage third-party service providers.

Common gaps: Policy not reviewed annually, no risk assessment process, training not role-specific, TPSP compliance not validated.

4.0 change: Targeted risk analysis approach (customized approach) is a major theme. TPSP management requirements strengthened. Security awareness must include phishing and social engineering.

Implementation

$1,000 - $10,000

Tools needed

Policy management platform, risk assessment framework, training platform, vendor management

Need the official standard?

The PCI Security Standards Council publishes the full PCI DSS 4.0.1 document, the SAQ templates, and the prioritised approach worksheet. All free.

PCI SSC document library

Frequently asked

PCI DSS 4.0 has six goals subdivided into 12 numbered requirements: 1 and 2 cover network security and configuration, 3 and 4 cover stored and transmitted card data protection, 5 and 6 cover malware and software development, 7 to 9 cover access control (logical, identity, physical), 10 and 11 cover logging and testing, and 12 covers organisational policy and risk management.
