PCI DSS 4.0 — What Actually Changed for Merchants and Service Providers
Customised approach, targeted risk analyses, and the March 2025 future-dated requirements that quietly reshape scoping.
Defined vs customised approach
PCI DSS 4.0 lets mature organisations design their own controls to meet a requirement's objective — but the customised approach demands a written targeted risk analysis and QSA sign-off per control.
Most first-time 4.0 assessments still lean on the defined approach; customised is best reserved for controls where the prescriptive rule genuinely conflicts with the architecture.
Future-dated requirements now in force
As of 31 March 2025, requirements previously marked best practice — including authenticated internal vulnerability scans, phishing-resistant MFA on all CDE access, and payment-page script integrity monitoring — became mandatory.
Talk to a partner about PCI DSS — scoping calls are complimentary.
Request consultation →