PCI DSS v4 came into force in March 2022, but many of its new requirements became mandatory only in March 2025. For European merchants this is a significant update: the standard brings over 60 new requirements compared to v3.2.1, with reinforced focus on authentication, continuous monitoring and risk management. Anyone who has not yet complied is already out of compliance.
The main changes in PCI DSS v4 compared to v3.2.1
PCI DSS v4 keeps the 12 main requirements of v3.2.1 but extends them with new sub-requirements and updated assessment criteria. The areas with the most significant changes are authentication (requirement 8), system monitoring (requirement 10) and vulnerability management (requirement 6). v4 also introduces the concept of the customised approach: organisations with mature security controls can demonstrate compliance with alternative methods, provided they document and justify the equivalence of those controls.
Among the most impactful changes is the extended multi-factor authentication (MFA) requirement: in v4, MFA becomes mandatory for all access to the CDE, not only for remote access as in v3.2.1. The approach to protecting checkout pages also changes: requirement 6.4.3 now requires an inventory and integrity analysis of all scripts present on payment pages, to counter e-skimming attacks.
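To make the requirement 6.4.3 control concrete, here is an added example (not code from the original article or from any PCI DSS tool) of a script inventory and integrity check a merchant might run against the rendered HTML of a payment page. It assumes an approved inventory maintained by the merchant that maps each script URL to its expected Subresource Integrity (SRI) value; the checkout HTML, URLs and script body are constructed for the demo.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity string ("sha384-<base64 digest>") for a script body."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"

class _ScriptCollector(HTMLParser):
    # Records each <script> as {"src", "integrity", "body"} (body only for inline code).
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None

def audit_payment_page(html: str, approved: dict) -> list:
    """Compare the page's scripts with the approved inventory (src -> expected SRI;
    inline code keyed as "inline:<SRI of its body>"). Empty list = page matches."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for s in p.scripts:
        if s["src"] is None:                       # inline script
            h = sri_hash(s["body"].strip().encode())
            if f"inline:{h}" not in approved:
                findings.append(f"unapproved inline script {h[:24]}...")
        elif s["src"] not in approved:
            findings.append(f"unapproved script: {s['src']}")
        elif s["integrity"] is None:
            findings.append(f"missing integrity attribute: {s['src']}")
        elif s["integrity"] != approved[s["src"]]:
            findings.append(f"integrity mismatch: {s['src']}")
    return findings

# Constructed demo: one approved payment SDK plus an injected tracker with no SRI.
PAY_URL = "https://cdn.example.test/pay.js"
PAY_JS = b"window.pay = function () { /* tokenize card fields */ };"
APPROVED = {PAY_URL: sri_hash(PAY_JS)}
CHECKOUT_HTML = (f'<html><body><script src="{PAY_URL}" integrity="{APPROVED[PAY_URL]}"></script>'
                 '<script src="https://stats.example.test/t.js"></script></body></html>')
```

Running `audit_payment_page(CHECKOUT_HTML, APPROVED)` reports the unapproved tracker; in practice the inventory should also record the written justification for each script that requirement 6.4.3 expects, and the check should run on every deployment and on a schedule, since e-skimming injections happen after go-live.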
PCI DSS v4 deadlines: what was mandatory from 2024
PCI DSS v3.2.1 was retired on 31 March 2024: from that date all compliance reports (ROC and SAQ) must reference version 4 of the standard. The requirements labelled "future-dated" in the original v4, however, became mandatory on 31 March 2025. These include new controls on payment page scripts, reinforced requirements on password management and updated criteria for security log monitoring.
For European merchants the 2025 deadline is particularly relevant because many acquirers are beginning to require v4-updated SAQs in onboarding and annual renewal procedures. Presenting a SAQ based on v3.2.1 is no longer sufficient. Failure to comply exposes merchants to remediation requests from the acquirer and, in the most serious cases, suspension of the ability to accept cards.
How to comply with PCI DSS v4 without major investments
The most efficient path for most merchants goes through reducing the compliance perimeter. If card data does not transit through the company's systems, many of the new v4 requirements do not apply. Tokenization with a certified PCI DSS Level 1 provider shifts responsibility for card data protection outside the company perimeter. This does not eliminate all obligations, but it drastically reduces the number of systems, processes and people that fall within the CDE.
An e-commerce merchant that integrates a tokenization system before checkout can typically drop to SAQ A, the simplest self-assessment questionnaire, with fewer than 50 requirements versus over 200 in SAQ D. This reduction directly impacts annual compliance costs: fewer vulnerability scans, fewer systems to monitor, and penetration testing on a smaller perimeter. With PCI DSS v4, scope reduction becomes even more cost-effective than in the past.
Frequently asked questions
Is PCI DSS v4 already mandatory?
Yes. PCI DSS v3.2.1 was retired on 31 March 2024. From that date all compliance reports must reference v4. The "future-dated" requirements of v4 became mandatory on 31 March 2025. A merchant presenting a SAQ based on v3.2.1 today is no longer considered compliant by acquirers.
How many requirements does PCI DSS v4 have?
PCI DSS v4 maintains the 12 main requirements but introduces over 60 new sub-requirements compared to v3.2.1, bringing the total number of controls to over 300 for organisations with complex CDEs. The actual number of requirements applicable to a single merchant depends on the type of integration and the reference SAQ.
How does the SAQ change with PCI DSS v4?
SAQ templates have been updated to v4 with new questions, revised test criteria and additional requirements. SAQ A, the one for merchants with minimal scope, has undergone relatively limited changes. SAQ D, which applies to merchants with a full CDE, includes new requirements on MFA, script monitoring and vulnerability management. It is advisable to check with your acquirer which version of the SAQ is required for renewal.
Complying with PCI DSS v4 starting from the tokenization infrastructure is the fastest and most cost-effective path for most merchants. Discover PCI Proxy EU.