PCI DSS v4.0.1 Sets New Baseline For Cardholder Data Security

    Updated: June 18, 2026

    PCI DSS v4.0.1 has become the operative baseline for organizations that store, process, transmit, or affect the security of cardholder data, closing a long transition from PCI DSS v3.2.1 and placing more emphasis on continuous security, payment-page script control, stronger authentication, and evidence-based validation. The latest confirmed update came on June 3, 2026, when the PCI Security Standards Council opened a request-for-comments period on the current v4.0.1 standard that runs through July 20, 2026.

    What Is PCI DSS v4.0.1 And Why Is It The Current Cardholder Data Security Baseline?

    PCI DSS v4.0.1 is the current Payment Card Industry Data Security Standard used to protect payment account data across merchants, processors, acquirers, issuers, and service providers. PCI SSC said the standard provides a baseline of technical and operational requirements for entities that store, process, or transmit cardholder data or sensitive authentication data.

    The council published PCI DSS v4.0.1 on June 11, 2024, as a limited revision to PCI DSS v4.0. PCI SSC said the update corrected formatting and typographical errors and clarified the focus and intent of requirements and guidance. It said the revision added no new requirements and removed no existing requirements.

    That point matters for compliance teams. The compliance burden came mainly from PCI DSS v4.0, published on March 31, 2022, and from future-dated requirements that became enforceable on March 31, 2025. PCI DSS v4.0.1 is the clarified version against which organizations now validate.

    PCI DSS v4.0.1 Sets New Payment Security Baseline

    What Is The Timeline For PCI DSS v4.0.1 From 2006 To 2026?

    PCI SSC was formed in 2006 by American Express, Discover, JCB, Mastercard, and Visa to manage payment security standards. PCI DSS v4.0 was published on March 31, 2022, PCI DSS v3.2.1 retired on March 31, 2024, PCI DSS v4.0.1 was published on June 11, 2024, and PCI DSS v4.0 retired on December 31, 2024.

    The next major milestone came on March 31, 2025, when the 51 future-dated PCI DSS v4.x requirements moved from best-practice status into active assessment scope. PCI SSC said those requirements had been in the standard since March 2022.

    PCI SSC then issued related materials. It released the PCI DSS v4.0.1 Report on Compliance template on August 28, 2024, SAQ updates in October 2024, SAQ A changes on January 30, 2025, e-commerce guidance on March 10, 2025, and a new request for comments on June 3, 2026.

    What Requirements Became Mandatory Under PCI DSS v4.0.1 After March 31, 2025?

    PCI DSS v4.0.1 made the future-dated PCI DSS v4.x requirements fully applicable in assessments after March 31, 2025. PCI SSC said PCI DSS v4.0 introduced 64 new requirements, including 51 future-dated requirements, with e-commerce controls under Requirements 6.4.3 and 11.6.1 drawing significant industry attention.

    Requirement 6.4.3 focuses on payment-page scripts. Requirement 11.6.1 focuses on detecting unauthorized changes to payment pages and security-impacting HTTP headers. PCI SSC said the controls target e-skimming attacks, where attackers abuse scripts running in a consumer’s browser to steal payment data.
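    As an added illustration (not code from this article, PCI SSC or any vendor), the following Python check sketches the kind of payment-page monitoring those two requirements call for: it inventories the scripts on a checkout page against an authorized list, hashes inline scripts so later edits are detected, and compares security-impacting response headers with a known-good baseline. The URLs, header values, the baseline structure and the set of headers monitored are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
# Response headers whose change can weaken payment-page protection (assumed set for this example).
SECURITY_HEADERS = ("content-security-policy", "strict-transport-security")
class ScriptCollector(HTMLParser):
    # Collects external script URLs and SHA-256 digests of inline script bodies.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline = True
    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline.append(hashlib.sha256(data.encode()).hexdigest())
    def handle_endtag(self, tag):
        self._in_inline = self._in_inline and tag != "script"
def check_payment_page(html, headers, baseline):
    """Return findings where observed scripts or headers differ from the authorized baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:  # 6.4.3: every script loaded on the page must be authorized
        if src not in baseline["scripts"]:
            findings.append(f"unauthorized external script: {src}")
    for digest in collector.inline:  # 6.4.3: inline scripts must match a recorded integrity value
        if digest not in baseline["inline_sha256"]:
            findings.append(f"inline script changed or unknown: sha256:{digest[:16]}")
    observed = {name.lower(): value for name, value in headers.items()}
    for name in SECURITY_HEADERS:  # 11.6.1: a changed or missing security header is a tamper indicator
        if observed.get(name) != baseline["headers"].get(name):
            findings.append(f"security header changed: {name} -> {observed.get(name)!r}")
    return findings

# Constructed sample data: the authorized baseline, and the page and headers seen on a later check.
INLINE_JS = "window.checkoutConfig = {currency: 'USD'};"
BASELINE = {
    "scripts": {"https://pay.example.com/checkout.js"},
    "inline_sha256": {hashlib.sha256(INLINE_JS.encode()).hexdigest()},
    "headers": {"content-security-policy": "script-src 'self' https://pay.example.com",
                "strict-transport-security": "max-age=31536000; includeSubDomains"},
}
OBSERVED_HTML = ('<form id="card"><script src="https://pay.example.com/checkout.js"></script>'
                 f'<script>{INLINE_JS}</script><script src="https://cdn.example.net/tag.js"></script></form>')
OBSERVED_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}  # CSP now missing
```

    Running check_payment_page on the sample data reports the extra script and the dropped Content-Security-Policy header; a real deployment would fetch the live page and headers on a schedule and alert on any non-empty result.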

    Other high-impact areas include stronger authentication, targeted risk analysis, vulnerability management, logging, security awareness, third-party service provider oversight, and customized approach documentation. PCI DSS v4.0.1 clarified how phishing-resistant authentication can affect multi-factor authentication expectations for certain non-administrative access into the cardholder data environment.

    Which Merchants And Service Providers Are Affected By PCI DSS v4.0.1?

    PCI DSS v4.0.1 affects all entities that store, process, or transmit cardholder data or sensitive authentication data, or that can affect the security of the cardholder data environment. PCI SSC names merchants, processors, acquirers, issuers, and service providers as the intended audience for the standard.

    The effect reaches large retailers, e-commerce merchants, hospitality companies, healthcare payment environments, fintech providers, call centers, payment gateways, cloud service providers, managed service providers, and other third parties connected to payment data. Validation duties vary by payment brand, acquirer, transaction volume, and risk profile.

    Small e-commerce merchants received special attention. PCI SSC modified SAQ A because stakeholders said Requirements 6.4.3 and 11.6.1 were complex for merchants that outsource account data functions to validated third parties and do not store, process, or transmit account data electronically on their own systems.

    How Does PCI DSS v4.0.1 Enforcement Work For Merchants And Payment Providers?

    PCI DSS v4.0.1 enforcement generally works through payment brand rules, acquiring banks, processors, and merchant agreements rather than a government regulator. PCI SSC maintains the standard, while payment brands and acquirers determine validation requirements, reporting duties, and consequences for non-compliance.

    PCI SSC states that whether an entity must comply with or validate compliance to a PCI standard is decided by the organizations that manage compliance programs, such as payment brands, acquirers, or other responsible entities.

    The practical consequences can include failed assessments, required remediation, additional reporting, forensic investigation after a breach, higher processing costs, contractual penalties, and loss of payment acceptance privileges. Exact penalty amounts vary by card brand, acquirer, merchant agreement, transaction volume, and breach circumstances, so PCI SSC does not publish a single universal fine schedule.

    What Should Organizations Do Now To Meet PCI DSS v4.0.1?

    Organizations should treat PCI DSS v4.0.1 as an active security and evidence program rather than a once-a-year assessment. Payment teams should confirm scope, update cardholder data environment diagrams, test payment-page script controls, validate MFA coverage, review third-party responsibilities, and retain evidence for each applicable requirement.

    Practical work should start with scoping. Teams need to document where cardholder data is stored, processed, or transmitted, which systems can affect the cardholder data environment, and which third parties support payment flows. E-commerce teams should review scripts, iframe use, HTTP headers, and change-detection tooling.

    Security teams should schedule vulnerability scanning, penetration testing, log reviews, risk analyses, access reviews, incident response testing, and targeted risk analysis activities. Compliance teams should map evidence to the Report on Compliance, Attestation of Compliance, or applicable Self-Assessment Questionnaire.

    How Did Industry Respond To PCI DSS v4.0.1 And The 2025 Deadline?

    Industry response focused on implementation difficulty, reporting burden, e-commerce script security, SAQ A scope, and the complexity of customized controls. PCI SSC said it received stakeholder feedback on payment-page requirements, reporting templates, and the need for clearer guidance before the March 31, 2025 deadline.

    PCI SSC changed SAQ A after stakeholder feedback. It removed Requirements 6.4.3, 11.6.1, and 12.3.1 from SAQ A, added an eligibility criterion tied to scripts affecting e-commerce systems, and said the change did not remove or weaken the underlying PCI DSS requirements.

    Assessor feedback shaped reporting templates. PCI SSC said the v4.0.1 ROC template addressed concerns that the PCI DSS v4.0 ROC template took too long to complete, required redundant information, and produced large reports with performance problems.

    What Are The Financial And Business Consequences Of PCI DSS v4.0.1?

    PCI DSS v4.0.1 raises business costs through technical work, assessment preparation, third-party oversight, evidence collection, and ongoing control monitoring. Costs vary sharply based on transaction volume, environment scope, outsourcing model, current control maturity, and whether the organization needs a QSA-led Report on Compliance or an SAQ.

    The largest operational pressure points are e-commerce script management, MFA expansion, vulnerability management, penetration testing, logging, incident response, customized approach documentation, and third-party service provider management. These tasks can require new tools, additional staff time, assessor support, and engineering changes in payment flows.

    The business downside of weak compliance is broader than assessment failure. Merchants can face breach costs, processor scrutiny, higher fees, forensic investigation requirements, customer trust damage, and legal exposure where payment card compromise triggers contractual, privacy, or consumer-protection claims.

    What Open Questions Remain For PCI DSS v4.0.1 In 2026?

    The main open question is how PCI DSS will change after the 2026 request-for-comments period. PCI SSC invited eligible stakeholders to review and comment on the current PCI DSS v4.0.1 standard from June 3, 2026, to July 20, 2026, with feedback intended to shape the next iteration.

    PCI SSC said the comment process seeks input on how PCI DSS is implemented, including strengths, opportunities, future technology, and AI innovation. That wording signals future changes could address AI use in payment environments, emerging e-commerce risks, cloud architectures, and practical assessment issues.

    No new version had replaced PCI DSS v4.0.1 as of June 18, 2026. The standard remains the operative baseline, and organizations should not treat the RFC as a delay or safe harbor for missed v4.0.1 controls.

    Why Does PCI DSS v4.0.1 Matter For Payment Security?

    PCI DSS v4.0.1 matters because attackers continue to target payment data through e-commerce scripts, weak authentication, exposed systems, third-party dependencies, and poorly monitored cardholder data environments. The standard moves payment security toward continuous control validation rather than periodic paperwork.

    PCI SSC’s e-skimming guidance shows the shift clearly. The council said external scripts and complex e-commerce platforms have become common attack paths, and Requirements 6.4.3 and 11.6.1 are meant to reduce risk during online transactions.

    The broader significance is that payment security now depends on evidence, ownership, and live control operation. Merchants and service providers that only prepare near assessment time face a harder compliance cycle under PCI DSS v4.0.1.

    How Bright Defense Helps Merchants And Service Providers Meet PCI DSS v4.0.1

    Bright Defense helps merchants, payment service providers, SaaS platforms, and e-commerce businesses meet PCI DSS v4.0.1 through PCI DSS Compliance Services, Penetration Testing, Continuous Compliance, and Security Assessments focused on payment environments. These services support scoping, evidence collection, vulnerability validation, and remediation planning.

    For PCI DSS v4.0.1, Bright Defense can test payment applications, assess cardholder data environment exposure, validate segmentation, review cloud and network controls, test e-commerce attack paths, and examine security controls tied to Requirements 6, 8, 10, 11, and 12. That work helps teams prepare for SAQ, ROC, and acquirer-driven validation requirements with stronger operating evidence.

    Sources Cited In This PCI DSS v4.0.1 Report

    1. PCI Security Standards Council – Just Published: PCI DSS v4.0.1 (June 11, 2024)
      https://blog.pcisecuritystandards.org/just-published-pci-dss-v4-0-1
    2. PCI Security Standards Council – PCI Data Security Standard (PCI DSS) (2026)
      https://www.pcisecuritystandards.org/standards/pci-dss/
    3. PCI Security Standards Council – Securing The Future Of Payments: PCI SSC Publishes PCI Data Security Standard v4.0 (March 31, 2022)
      https://www.pcisecuritystandards.org/about_us/press_releases/securing-the-future-of-payments-pci-ssc-publishes-pci-data-security-standard-v4-0/
    4. PCI Security Standards Council – PCI DSS v4.x Resource Hub (March 31, 2022)
      https://blog.pcisecuritystandards.org/pci-dss-v4-0-resource-hub
    5. PCI Security Standards Council – PCI SSC Releases ROC Template For PCI DSS v4.0.1 (August 28, 2024)
      https://blog.pcisecuritystandards.org/pci-ssc-releases-roc-template-for-pci-dss-v4-0-1
    6. PCI Security Standards Council – Important Updates Announced For Merchants Validating To Self-Assessment Questionnaire A (January 30, 2025)
      https://blog.pcisecuritystandards.org/important-updates-announced-for-merchants-validating-to-self-assessment-questionnaire-a
    7. PCI Security Standards Council – New Information Supplement: Payment Page Security And Preventing E-Skimming (March 10, 2025)
      https://blog.pcisecuritystandards.org/new-information-supplement-payment-page-security-and-preventing-e-skimming
    8. PCI Security Standards Council – Coffee With The Council Podcast: Guidance For PCI DSS E-Commerce Requirements Effective After 31 March 2025 (March 26, 2025)
      https://blog.pcisecuritystandards.org/coffee-with-the-council-podcast-guidance-for-pci-dss-e-commerce-requirements-effective-after-31-march-2025
    9. PCI Security Standards Council – Request For Comments: PCI Data Security Standard (PCI DSS) v4.0.1 (June 3, 2026)
      https://blog.pcisecuritystandards.org/request-for-comments-pci-data-security-standard-pci-dss-v4.0.1
    10. PCI Security Standards Council – PCI SSC Publishes New Guidance On Compensating Controls And The Customized Approach (June 10, 2026)
      https://blog.pcisecuritystandards.org/pci-ssc-publishes-new-guidance-on-compensating-controls-and-the-customized-approach
    11. Mastercard – Site Data Protection Program And PCI (2026)
      https://www.mastercard.com/us/en/business/cybersecurity-fraud-prevention/site-data-protection-pci.html
    12. Verizon – Verizon Business 2024 Payment Security Report: Simplifying The Complexities Of Payment Security (October 3, 2024)
      https://www.verizon.com/about/news/verizon-business-2024-payment-security-report
    13. Federal Reserve Bank Of Atlanta – A Look At PCI Compliance And The New Data Security Standards (August 19, 2024)
      https://www.atlantafed.org/research-and-data/publications/take-on-payments/2024/08/19/look-at-pci-compliance-and-new-data-security-standards
    14. JPMorgan – PCI Compliance Guide: Protect Payment Data And Prevent Fraud (April 15, 2025)
      https://www.jpmorgan.com/insights/payments/security-trust/pci-compliance-guide-protect-payment-data-and-prevent-fraud

    Tamzid brings 5+ years of specialized writing experience across SaaS, cybersecurity, compliance, and blockchain. He is skilled at simplifying complex concepts without losing depth. He follows the latest cybersecurity compliance updates and brings readers practical insights they can trust, keeping them ahead of the curve.
