The PCI DSS v4 changes represent the biggest update to the standard in years, moving it from a rigid checklist toward a more flexible, risk-based model. Version 4.0 replaced v3.2.1, and a set of future-dated requirements that were best practice at first became mandatory in 2025. This guide summarises the PCI DSS v4 changes that matter most, what they mean for your validation, and how to get ready.

The timeline
- v4.0 was released in March 2022.
- v3.2.1 was retired, and organizations transitioned to v4.0.
- A set of future-dated requirements became mandatory as of the end of the transition (March 2025), so they now apply to everyone.
- v4.0.1 was published as a limited revision with clarifications — not new requirements.
Always confirm the current version and effective dates on the PCI Security Standards Council website, as the standard evolves.
The biggest PCI DSS v4 changes
1. The customized approach
The headline change. Alongside the traditional “defined approach” (follow the requirement as written), v4.0 introduced a customized approach — you can meet the intent of a requirement using alternative controls, supported by a risk analysis. It gives mature organizations flexibility to innovate.
2. Stronger authentication
Expanded multi-factor authentication requirements for access into the cardholder data environment, plus stronger password rules (including increased minimum length).
3. Targeted risk analyses
For certain activities, organizations now define how often they perform them based on a documented targeted risk analysis, rather than a fixed schedule — more tailored, but more to document.
4. E-commerce and phishing protections
New requirements address modern threats — for example, managing and monitoring the scripts on payment pages, and detecting unauthorized changes, to counter web-skimming attacks.
5. Clearer roles and responsibilities
Each requirement now expects documented roles and responsibilities, reinforcing accountability.
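The payment-page script controls in item 4, as an added Python example that is not from the original article: it keeps an inventory of authorized scripts (URL, written justification, SHA-256 of the approved content) and audits a snapshot of the page against it, flagging scripts that are not in the inventory, approved scripts whose served content has changed, and expected scripts that have gone missing. The URLs, script contents and page markup are constructed sample data; a production monitor would fetch the live page and scripts on the schedule your targeted risk analysis sets.

```python
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed approved script contents (stand-ins for real files).
APPROVED_CHECKOUT = b"window.checkout = function () { /* approved build */ };"
APPROVED_FRAUD = b"window.fraudScore = function () { return 0; };"

# Script inventory: every script allowed on the payment page, why it is there,
# and the hash of the content that was reviewed and approved.
INVENTORY = {
    "https://pay.example.test/checkout.js": {
        "justification": "First-party checkout form logic",
        "sha256": sha256_hex(APPROVED_CHECKOUT),
    },
    "https://risk.example.test/fraud.js": {
        "justification": "Fraud-scoring vendor, contract ref PLACEHOLDER",
        "sha256": sha256_hex(APPROVED_FRAUD),
    },
}

# Constructed snapshot of the approved page and the content each script served.
CLEAN_HTML = ('<html><body><script src="https://pay.example.test/checkout.js"></script>'
              '<script src="https://risk.example.test/fraud.js"></script></body></html>')
CLEAN_FETCH = {"https://pay.example.test/checkout.js": APPROVED_CHECKOUT,
               "https://risk.example.test/fraud.js": APPROVED_FRAUD}

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc="([^"]+)"', re.IGNORECASE)


def audit_payment_page(html: str, fetched: dict) -> list:
    """Compare the external scripts a payment page loads against INVENTORY.

    html: the payment page markup; fetched: {src: bytes} of each script as served.
    Returns (finding, src) tuples; an empty list means the page matches the inventory.
    """
    findings = []
    loaded = SCRIPT_SRC.findall(html)
    for src in loaded:
        entry = INVENTORY.get(src)
        if entry is None:
            findings.append(("UNAUTHORIZED_SCRIPT", src))  # not in the inventory
        elif src not in fetched:
            findings.append(("CONTENT_NOT_FETCHED", src))  # cannot verify integrity
        elif sha256_hex(fetched[src]) != entry["sha256"]:
            findings.append(("CONTENT_CHANGED", src))  # served content differs from approved
    for src in INVENTORY:
        if src not in loaded:
            findings.append(("EXPECTED_SCRIPT_MISSING", src))  # page no longer loads it
    return findings
```

Every finding should open a change-review ticket, since either the inventory or the page has drifted; the example ignores inline scripts, which a real monitor also has to hash.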
Documentation aligned to v4.0.
The PCI DSS Toolkit is built around the current version of the standard — policies, procedures, and risk-analysis templates mapped to PCI DSS v4.0, ready to tailor.
What it means for you
In practice, v4.0 is both more flexible (the customized approach) and more demanding (new controls and documentation). The through-line is stronger governance and more explicit evidence — which makes well-maintained policies and risk analyses more important than ever. Revisit the 12 requirements to see where the new sub-requirements land.
How to prepare for the PCI DSS v4 changes
Start by confirming which version and validation path apply to you, then run a gap analysis specifically against the new and future-dated requirements rather than assuming your v3.2.1 evidence still covers you. Several of the PCI DSS v4 changes expand documentation expectations — targeted risk analyses, clearer roles and responsibilities, and more frequent reviews — so budget time to write and approve those artefacts. If you validate with a self-assessment questionnaire, use the current v4.0 SAQ for your merchant type and map each question to existing evidence. The customized approach introduced in v4.0 offers flexibility for mature security teams, but it demands rigorous documentation and a formal risk assessment, so most organisations should stay with the defined approach until their programme is ready. Always confirm the current requirements and effective dates directly with the PCI Security Standards Council before planning remediation.
The bottom line: the PCI DSS v4 changes reward organisations that treat security as an ongoing, documented programme. Tackle the future-dated requirements now, keep your evidence current, and version 4.0 becomes a manageable evolution rather than a last-minute scramble.
Frequently asked questions
Do the 12 core requirements change in v4.0?
The 12 high-level requirements remain, but many sub-requirements were added, clarified, or strengthened.
Is the customized approach mandatory?
No — it’s optional. You can still use the defined approach for any or all requirements.
New to PCI DSS? Start with our complete guide.
