PCI DSS 4.0 is the fourth major version of the Payment Card Industry Data Security Standard, published by the PCI Security Standards Council in March 2022. It replaced PCI DSS 3.2.1, which retired on March 31, 2024. Version 4.0 introduced a customized implementation approach that lets organizations design their own controls to meet the stated objective of a requirement, expanded multi-factor authentication requirements, stronger password policies (minimum 12 characters), new anti-phishing requirements for personnel, and enhanced protections for e-commerce payment pages. Critically, 64 "future-dated" new requirements that were initially best practice became mandatory on March 31, 2025. These include targeted risk analysis, authenticated internal vulnerability scans, and protections against payment page script tampering (Requirements 6.4.3 and 11.6.1). PCI DSS 4.0.1, a clarifying revision with no new requirements, was published in June 2024 and is the current active standard.
PCI DSS merchant levels are set by the card brands based on annual transaction volume; the thresholds below are the Visa and Mastercard definitions. Level 1: more than 6 million Visa or Mastercard transactions per year. Level 2: 1 million to 6 million Visa/Mastercard transactions. Level 3: 20,000 to 1 million Visa/Mastercard e-commerce transactions. Level 4: fewer than 20,000 e-commerce transactions, or any merchant processing up to 1 million total card transactions annually. American Express and Discover use their own tier definitions that may differ from Visa/Mastercard. Your acquiring bank assigns your official level, and a merchant that suffers a confirmed cardholder data breach may be moved to Level 1 regardless of transaction volume.
A Self-Assessment Questionnaire (SAQ) is a validation tool for eligible merchants who are not required to undergo a full on-site QSA assessment. The appropriate SAQ type depends on how you accept card payments. SAQ A: Card-not-present merchants that fully outsource card data handling to a compliant third party; this is the shortest questionnaire. SAQ A-EP: E-commerce merchants using a redirect or iframe whose own web pages or scripts could affect how card data flows to the payment processor. SAQ B: Merchants using only imprint machines or standalone dial-out terminals. SAQ B-IP: Standalone IP-connected terminals that do not store electronic cardholder data. SAQ C: Merchants with payment application systems connected to the internet and no electronic storage of card data. SAQ C-VT: Merchants manually keying transactions into a virtual terminal only. SAQ D: All other merchants and all service providers; the most comprehensive, covering all 12 PCI DSS requirements. Level 1 merchants must complete a full Report on Compliance (ROC) from a QSA assessment rather than a SAQ.
PCI DSS penalties are imposed by payment card brands and acquiring banks, not by a government agency. Monthly non-compliance fines are typically: Level 4 merchants: $5,000–$10,000 per month. Level 2–3 merchants: $25,000–$50,000 per month. Level 1 merchants: $50,000–$100,000 per month. Following a data breach involving cardholder data, brands may also impose card replacement costs ($3–$10 per compromised card), forensic investigation fees, and fraud reimbursement obligations. The most severe consequence is revocation of card acceptance privileges — effectively preventing the business from accepting credit or debit cards. Additionally, all 50 U.S. states have breach notification laws that impose independent notification and remediation requirements when cardholder data is compromised.
A Qualified Security Assessor (QSA) is required for all Level 1 merchants and Level 1 service providers (service providers storing, processing, or transmitting more than 300,000 card transactions per year). Level 1 merchants must undergo an annual on-site assessment producing a Report on Compliance (ROC), signed by a PCI SSC-certified QSA company. Level 2 merchants may be required by their acquiring bank to use a QSA rather than self-assessing; review your merchant agreement. Level 3 and 4 merchants can self-assess using the appropriate SAQ. Even when not required, Level 2 and 3 merchants often hire a QSA for help with scoping, the customized implementation approach introduced in PCI DSS 4.0, and compensating controls. An Internal Security Assessor (ISA) certification, held by an organization's own employees, allows the organization to perform some QSA-equivalent assessment work internally, subject to card brand and acquirer limitations.
Understanding PCI DSS 4.0 Compliance in 2026
The Payment Card Industry Data Security Standard (PCI DSS) governs how merchants and service providers protect cardholder data. Version 4.0, now fully in effect, introduced the most significant changes since version 3.0 — including a customized implementation pathway, expanded authentication requirements, and 64 new requirements that became mandatory on March 31, 2025. Organizations that have not yet implemented these requirements are now technically non-compliant with PCI DSS 4.0.
The March 31, 2025 Deadline: What Became Mandatory
The 64 "future-dated" PCI DSS 4.0 requirements that became mandatory on March 31, 2025, include several high-impact controls. Requirement 6.4.3 mandates that every script loaded and executed in the consumer's browser on a payment page be authorized, that its integrity be assured (for example by pinning a cryptographic hash of the script), and that an inventory of all such scripts with a written justification for each be maintained. Requirement 11.6.1 requires a change- and tamper-detection mechanism that evaluates the HTTP headers and content of the payment page as received by the consumer's browser and alerts on unauthorized modification, at least weekly or at a frequency set by a targeted risk analysis. Multi-factor authentication (MFA) is now mandatory for all access into the cardholder data environment (CDE) under Requirement 8.4.2, not just administrative access, a significant scope expansion from PCI DSS 3.2.1. Additionally, Requirement 12.3.1 requires a documented targeted risk analysis for each requirement that leaves the frequency of a control to the entity, recording why the chosen frequency is adequate.
E-Commerce Merchants: Heightened Scrutiny Under 4.0
E-commerce and card-not-present environments face the highest compliance burden under PCI DSS 4.0. Magecart-style skimming attacks — where malicious JavaScript is injected into payment pages to steal card numbers in real time — prompted the PCI SSC to add the script authorization (Req. 6.4.3) and tamper detection (Req. 11.6.1) requirements. Merchants using third-party payment processors via redirect or iframe must evaluate whether they qualify for the simplified SAQ A or must complete the more demanding SAQ A-EP, depending on whether their website scripts can affect the consumer's payment data flow.
ASV Scans and Network Security Controls
Quarterly Approved Scanning Vendor (ASV) scans (Requirement 11.3.2) are required for any entity with internet-facing system components in scope for PCI DSS; a card-present merchant whose only connection is a dial-out terminal has nothing external to scan, which is why SAQ B omits the requirement. ASV scans test external-facing IP addresses and domain names for known vulnerabilities and must be run by a PCI SSC-approved vendor. Four consecutive passing quarterly scans are expected for every ROC and for each SAQ type that includes Requirement 11.3.2. Separately, internal vulnerability scans (Requirement 11.3.1) are not ASV scans, and new in PCI DSS 4.0, Requirement 11.3.1.2 mandates that these internal scans be performed via authenticated scanning with sufficiently privileged credentials, a significant configuration change for organizations that previously relied on unauthenticated scans.
Service Providers: Higher Bar Than Merchants
Service providers — entities that store, process, or transmit cardholder data on behalf of merchants — face Level 1 obligations at a much lower transaction threshold than merchants. Any service provider processing more than 300,000 transactions per year is a Level 1 service provider, requiring an annual ROC and quarterly ASV scans. Service providers must also maintain a controls environment that spans all systems they operate on behalf of merchants, and must clearly document the "shared responsibility matrix" showing which PCI DSS requirements they own versus those their merchant customers must implement.