All insights
PCI DSS
· 11 min read

PCI DSS 4.0 — What Actually Changed for Merchants and Service Providers

Customised approach, targeted risk analyses, and the March 2025 future-dated requirements that quietly reshape scoping.

Published 4 March 2026 · Updated 18 June 2026

Defined vs customised approach

PCI DSS 4.0 lets mature organisations design their own controls to meet a requirement's objective — but the customised approach demands a written targeted risk analysis and QSA sign-off per control.

Most first-time 4.0 assessments still lean on the defined approach; customised is best reserved for controls where the prescriptive rule genuinely conflicts with the architecture.

Future-dated requirements now in force

As of 31 March 2025, requirements previously marked best practice — including authenticated internal vulnerability scans, phishing-resistant MFA on all CDE access, and payment-page script integrity monitoring — became mandatory.

Engage CHNYD Trace

Talk to a partner about PCI DSS — scoping calls are complimentary.

Request consultation →