PCI DSS 4.0 Compliance Guide (2026): What Merchants Need to Do Now

PCI DSS 4 is the latest set of global standards for protecting payment card data. It replaces version 3.2.1 and introduces dozens of new and updated requirements to keep up with evolving cybersecurity threats. Any merchant that accepts or processes credit cards, or stores card information, must now comply with PCI DSS 4.0. This is done by completing a Self-Assessment Questionnaire (SAQ), maintaining ongoing security practices, and securing any systems that handle card data.

This guide is a practical resource to help you understand what’s changed with PCI DSS 4.0 and what’s required to stay compliant. Note that this is not a security manual; it’s more like a checklist to help you figure out where you stand and what to do next. With data breaches costing $4.4 million on average, the stakes are too high to treat compliance as optional.

Key Takeaways

  • PCI DSS 4.0.1 is the current standard and requires ongoing security—not annual checklists. MFA, monitoring, and documented processes must be maintained year-round.
  • Compliance now requires proof, not just attestation. Merchants need to show that controls are working with evidence like access logs, system inventories, and payment page monitoring.
  • Becoming PCI compliant comes down to a few core steps: map data flow, reduce exposure, and complete the required validation (SAQs, AOCs, and scans).

PCI DSS 4.0 in 2026: What Version Is Current and What Deadlines Matter?

As of 2026, PCI DSS 4.0.1 is the current version. It’s not “upcoming” anymore. This is the standard merchants are expected to follow today.

For most small and mid-sized businesses, compliance typically means:

  • Completing a Self-Assessment Questionnaire (SAQ)
  • Submitting an Attestation of Compliance (AOC)
  • Running quarterly vulnerability scans (if applicable)

The confusion around deadlines usually comes from phased requirements. But from a practical standpoint, merchants should now treat PCI DSS 4.0 as the operating baseline.

What Changed in PCI DSS 4.0?

The biggest change with PCI DSS 4.0 is that it’s no longer just an annual checkbox. Instead, it expects ongoing security practices throughout the year. It now explicitly requires that organizations document and confirm their PCI DSS scope at least once every 12 months. Beyond that, there’s a stronger focus on:

Access control – Version 4.0 expands MFA requirements to cover all access into the Cardholder Data Environment (CDE), including administrative and internal access, not just remote access.

Evidence validation – You’re expected to prove controls are in place, not just say they are.

Online payment environments – Merchants must maintain an inventory of scripts running on payment pages and implement controls to detect unauthorized changes to those pages.

PCI DSS 4.0 Requirements: Merchant Checklist

Need an easy reference for PCI DSS 4.0 requirements? These are the main areas PCI expects merchants to cover:

  • Secure access – Give every user their own login, limit access to only what they need, and regularly clean up old accounts that no longer belong.
  • Keep systems updated – Stay on top of updates for your POS, apps, and network equipment. Delays here are one of the easiest ways to create risk.
  • Protect card data – Don’t store card data unless you absolutely have to. If you’re not sure where it lives, that’s a red flag.
  • Run required scans and tests – Complete scans on schedule, address high-risk issues quickly, and keep records in one place.
  • Monitor systems – Keep logs enabled and review alerts so issues don’t go unnoticed.
  • Manage vendors – Know which providers touch card data and confirm they can prove their own compliance.
  • Document the basics – Keep a simple, organized record of your policies, systems, and evidence so you’re not scrambling during validation.

PCI DSS 4.0 for Websites (What to Watch)

When it comes to PCI DSS 4.0 compliance for websites, it’s about carefully managing scripts and consistently monitoring changes.

Scripts and Plugins

Third-party scripts are one of the biggest risks in online payments. Things like analytics tools, chat widgets, and plugins can all interact with your checkout page. But if one of them is compromised, it can expose cardholder data.

  • Keep an inventory of all scripts on payment pages
  • Only allow approved scripts
  • Limit what loads on checkout pages

Changes and Monitoring

PCI DSS 4.0 requires stronger controls over changes to your payment pages, which means:

  • Tracking updates to checkout pages
  • Using change detection tools
  • Setting up alerts for unexpected modifications
  • Reviewing changes on a regular schedule

Ways to Reduce Scope

The best way to stay PCI-compliant is to limit the requirements you actually need to comply with. Consider these fast wins:

  • Use hosted checkout or redirect pages – Let a third party handle the payment page.
  • Implement tokenization – Avoid storing raw card data.
  • Minimize exposure – Reduce the number of systems that touch card data.

Quick PCI Check for Your Business

If you need to do a sense check around where you stand with PCI compliance, here’s a short readiness self-assessment:

  • Do you store card data anywhere (spreadsheets, CRM notes, saved cards)? If so, document exactly where it’s stored, why it’s there, and if you really need it. If you don’t need it, stop storing it.
  • Where do payments happen: in person, mobile, website, or invoices/virtual terminal? For each of your payment methods and sales channels, ensure you understand how card data flows and who is responsible for securing it.
  • Who are your providers (processor, gateway, eCommerce platform)? Confirm each provider is PCI compliant and obtain their current Attestation of Compliance (AOC).

Do you have the following?

  • device/software list
  • access list
  • scan history (if applicable)
  • basic policies/evidence folder

If so, keep a simple, up-to-date record of your environment so you always know what you have, who has access, and what’s been done. That includes your device and software list, user access list, scan history (if applicable), and a central folder for policies and evidence.

How to Get PCI DSS 4.0 Compliant (Steps)

These are the steps you should take to make your business PCI DSS-compliant.

  • Map your payment flow – Document exactly how Cardholder Data (CHD) enters, moves through, and leaves your system.
  • Reduce scope – Limit how many systems touch card data by using hosted payments or tokenization.
  • Confirm service provider compliance – Collect current Attestations of Compliance (AOC) from all third parties. Maintain a “Responsibility Matrix” that defines which PCI requirements you handle vs. what they handle.
  • Identify your validation path – Determine your merchant/service provider level and which Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) applies to you.
  • Implement “MFA Everywhere” – Move beyond remote access; 4.0 requires Multi-Factor Authentication for any administrative access into the CDE, even from within the office.
  • Secure eCommerce scripts – If you process payments via a web browser, implement a process to authorize and monitor all JavaScript/scripts running on your payment pages.
  • Lock down devices and passwords – Enforce strong passwords (at least 12 characters, or longer if MFA is not used).
  • Run scans and penetration tests – Perform quarterly external scans via an Approved Scanning Vendor (ASV), and conduct penetration testing where required based on your environment.
  • Collect evidence continuously – Maintain ongoing evidence of security controls through automated logging and monitoring.
  • Submit attestation/validation – Complete your SAQ/ROC and have it signed by a company officer.
  • Maintain a “Business as Usual” (BAU) cadence – Establish monthly or quarterly reviews of logs, user access, and firewall rules to ensure you are always audit-ready.

Picking a PCI-Compliant Payment Processor

Your payment processor has a direct impact on the complexity of PCI compliance for your business. Here’s what to ask:

  • Can you provide PCI compliance documentation (AOC, certifications)?
  • How do you help reduce my PCI scope?
  • What support do you offer during validation?
  • What tools or dashboards are available?
  • What happens if my setup changes?

Red flags to watch for:

  • They won’t share documentation
  • Answers are vague or deflected
  • Their setup increases your scope
  • Support disappears when you need it most

How Kurv Helps Simplify PCI Compliance

Payment processors are required to maintain PCI DSS compliance as part of card network requirements. Kurv meets those requirements and is designed to support a cleaner, simpler setup for merchants. PCI Compliance can be daunting, so instead of adding complexity, Kurv streamlines how payments flow through your systems and helps you be compliant on the processor side. That means fewer unknowns and a more manageable path to compliance. It doesn’t automatically make you compliant, but it does make the process easier to handle.

Frequently Asked Questions

What is PCI DSS Level 4?

PCI DSS Level 4 typically applies to merchants processing fewer than 20,000 eCommerce transactions annually or under 1 million total transactions, though exact classification is determined by card networks and acquiring banks.

What’s the latest PCI DSS version?

PCI DSS 4.0.1 is the most updated, current version as of 2026.

What’s the difference between PCI DSS 4.0 and 4.0.1?

PCI DSS 4.0.1 includes clarifications and minor updates. It doesn’t introduce major new requirements but improves consistency and guidance.

When did PCI DSS 4.0.1 come out?

PCI DSS 4.0.1 was released in June 2024 as an update to version 4.0.

When did PCI DSS 4.0 become required?

PCI DSS 4.0 became the active standard following the retirement of version 3.2.1 and the end of the transition period on March 31, 2025.

Do I still need PCI if I use a processor?

Yes. Even if your processor is PCI compliant, you still have responsibilities depending on how you handle payments.

Dan Stanbridge

Chief Risk and Compliance Officer, Kurv

Dan Stanbridge, Chief Risk & Compliance Officer at Kurv, brings over 15 years of experience in risk management, credit strategy, and regulatory oversight across global payments organizations. He is known for building structured, scalable risk …