The Algorithm
Payment Security

PCI DSS v4.0 New Requirements

The significant new and updated controls introduced in PCI DSS version 4.0 that go beyond the foundational requirements of prior versions.

What You Need to Know

PCI DSS v4.0, finalized in March 2022 with full enforcement of new requirements by March 2025, introduced over 60 new requirements and significant modifications to existing controls. Key additions include mandatory multi-factor authentication for all access to the cardholder data environment (not just remote access), targeted risk analysis to justify customized implementation approaches, and an expanded Requirement 6 that adds specific controls for web-facing applications including detection of unauthorized script execution. The standard also formalized the "customized approach" — a path for mature organizations to meet the intent of a requirement using controls different from those specified, with enhanced validation obligations.

Engineering for v4.0 compliance requires revisiting previously satisfactory implementations. The new Requirement 10.7 mandates detection and reporting of failures of critical security controls, including firewalls, IDS/IPS, file integrity monitoring (FIM), and antivirus, with defined response timelines. Requirement 11.6.1 introduces mandatory change and tamper detection for HTTP headers and payment page scripts, specifically targeting Magecart-style client-side skimming attacks. This requires implementing a Content Security Policy, Subresource Integrity checks, and a real-time monitoring mechanism that alerts on unauthorized script changes. The expanded scope of multi-factor authentication under Requirement 8.4 requires architecture changes for organizations that previously relied on single-factor authentication for internal CDE access from trusted networks.
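As an added illustration of the Requirement 11.6.1 monitoring described above (example code written for this page, not The Algorithm's tooling), the following Python audits a fetched payment page against a baseline: it flags scripts not on the authorized inventory, scripts whose Subresource Integrity value or served content no longer matches the baseline, inline scripts, and drift in the Content-Security-Policy header. The domains, script bodies and CSP value are constructed assumptions.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_digest(content: bytes) -> str:
    """SRI value (sha384, base64) for a script body, as used in the integrity attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


# Constructed baseline for a hypothetical payment page: the authorized script
# inventory (src -> known-good body) and the expected CSP header value.
AUTHORIZED_JS = {
    "https://pay.example.test/checkout.js": b"window.checkout = function () {};",
    "https://cdn.example.test/lib.js": b"var lib = {};",
}
BASELINE = {src: sri_digest(body) for src, body in AUTHORIZED_JS.items()}
EXPECTED_CSP = "script-src 'self' https://cdn.example.test"


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag in the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_payment_page(html: str, fetched: dict, headers: dict) -> list:
    """Return findings for one observation of the page (empty list == no drift).

    html: page markup as served; fetched: src -> script body actually served;
    headers: response headers of the page.
    """
    findings = []
    if headers.get("Content-Security-Policy") != EXPECTED_CSP:
        findings.append("csp-header-changed")
    collector = ScriptCollector()
    collector.feed(html)
    for attrs in collector.scripts:
        src = attrs.get("src")
        if src is None:  # inline script: not pinnable by SRI, never on the inventory
            findings.append("inline-script-present")
            continue
        if src not in BASELINE:  # script not authorized under the 6.4.3 inventory
            findings.append("unauthorized-script:" + src)
            continue
        if attrs.get("integrity") != BASELINE[src]:  # SRI pin missing or altered
            findings.append("missing-or-wrong-sri:" + src)
        if sri_digest(fetched.get(src, b"")) != BASELINE[src]:  # served body tampered
            findings.append("content-changed:" + src)
    return findings
```

In production the baseline would be refreshed only through the change-control process, and each non-empty findings list would feed the alerting path the requirement expects.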

The customized approach option in v4.0 creates both opportunity and risk. Organizations can design controls that better fit their architecture but must produce a "Customized Approach Objective" documentation set and submit it for QSA review, which significantly increases assessment complexity and cost. Targeted risk analyses, now required for many requirements that previously had prescriptive timelines, demand a documented risk methodology and management approval — elevating PCI compliance from a technical checklist to a risk governance process. Organizations with multiple merchant levels must also account for the fact that new requirements apply to all levels, not just Level 1 merchants, and that SAQ forms have been updated to reflect v4.0 controls.

How We Handle It

We conduct v4.0 gap assessments against all 64 new and modified requirements, prioritizing the high-impact changes to MFA scope, payment page script monitoring, and security control failure detection. Our engineers implement Requirement 11.6.1 compliant script integrity monitoring and automate targeted risk analysis documentation workflows to reduce QSA assessment friction.
