PCI DSS v4: What Really Changes for Merchants in 2025

February 10, 2025 6 min read PCI Proxy EU

March 31, 2025 is the date that made all PCI DSS v4 requirements previously labelled "future-dated" mandatory. For many European merchants this deadline passed under the radar, but the practical consequences are real. The new obligations change how online payments, call centres and any system interacting with card data must be managed. Tokenization remains the most effective way to absorb these changes without redesigning the entire infrastructure.

The v4 requirements that became mandatory in 2025

The "future-dated" requirements of PCI DSS v4 that became mandatory in March 2025 touch specific, high-operational-impact areas. Requirement 6.4.3 mandates a documented inventory of all scripts loaded on payment pages, with a written justification for each and a mechanism to verify their integrity. It was created in response to the e-skimming attacks that hit thousands of e-commerce sites in previous years. Requirement 11.6.1 adds continuous monitoring of payment pages, as received by the consumer's browser, to detect unauthorised changes to scripts and HTTP headers.

On the authentication front, requirement 8.4.2 extends the MFA obligation to all access to the CDE, including access from internal networks. In v3.2.1, MFA was required mainly for remote access. This extension has a direct impact on access policies for internal payment systems and administration tools. Merchants who manage their own systems through which card data transits must review their authentication policies to align with it.

The practical impact on e-commerce and MOTO merchants

For e-commerce merchants the most impactful requirement is 6.4.3 on scripts. If the payment site loads third-party JavaScript libraries, external CSS or tracking pixels, each of these elements must be catalogued and monitored for integrity. This also applies to scripts from providers like Google Analytics or Meta Pixel if present on the checkout page. Many merchants discover they have dozens of undocumented external dependencies requiring a complete review of their checkout.
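One way a merchant can operationalise the two requirements discussed above (the 6.4.3 script inventory with integrity hashes and the 11.6.1 change detection on scripts and HTTP headers), as an added example that is not part of the original article and not the PCI Proxy EU product: a Python check that compares a payment page, as received by the browser, with an approved inventory and a header baseline. All hosts, script bodies and headers are constructed for illustration; the tokenization provider itself is what the lead-in describes as "the provider", not any specific vendor.

```python
import base64
import hashlib
import re
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)

def sri_hash(body: bytes) -> str:  # Subresource Integrity value, sha384-<base64>
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def audit_payment_page(html, fetched, headers, inventory, approved_inline, header_baseline):
    """Compare a payment page, as the browser received it, with its baseline (6.4.3/11.6.1).
    html: markup; fetched: {url: bytes actually served}; inventory: {url: expected SRI};
    approved_inline: set of SRI values; header_baseline: {name: value}. Returns findings."""
    findings = []
    for attrs, inline in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:
            url = src.group(1)
            if url not in inventory:
                findings.append(f"unauthorised script: {url}")
            elif url not in fetched:
                findings.append(f"inventory script not retrievable: {url}")
            elif sri_hash(fetched[url]) != inventory[url]:
                findings.append(f"script content changed: {url}")
        elif sri_hash(inline.strip().encode()) not in approved_inline:
            findings.append("unauthorised inline script")
    for name, expected in header_baseline.items():
        if headers.get(name) != expected:
            findings.append(f"header changed or missing: {name}")
    return findings

# Constructed sample data: hypothetical hosts and script bodies, not a real site.
PROVIDER_JS = b"/* hosted-fields loader served by the tokenization provider */"
MERCHANT_JS = b"/* merchant's own checkout glue, handles no card data */"
INVENTORY = {"https://pay.example-provider.test/hosted-fields.js": sri_hash(PROVIDER_JS),
             "https://shop.example-merchant.test/checkout.js": sri_hash(MERCHANT_JS)}
APPROVED_INLINE = {sri_hash(b"window.dataLayer = window.dataLayer || [];")}
HEADER_BASELINE = {"content-security-policy": "script-src 'self' https://pay.example-provider.test",
                   "strict-transport-security": "max-age=31536000; includeSubDomains"}

def sample_run():
    """One inventoried script altered, one unknown script injected, CSP header missing."""
    html = ('<script src="https://pay.example-provider.test/hosted-fields.js"></script>'
            '<script src="https://shop.example-merchant.test/checkout.js"></script>'
            '<script>window.dataLayer = window.dataLayer || [];</script>'
            '<script src="https://cdn.unknown-tracker.test/pixel.js"></script>')
    fetched = {"https://pay.example-provider.test/hosted-fields.js": PROVIDER_JS,
               "https://shop.example-merchant.test/checkout.js": MERCHANT_JS + b"/* altered */"}
    headers = {"strict-transport-security": "max-age=31536000; includeSubDomains"}
    return audit_payment_page(html, fetched, headers, INVENTORY, APPROVED_INLINE, HEADER_BASELINE)
```

In practice the page and script bodies would be fetched on a schedule from outside the merchant network, and each finding raised as an alert; the inventory file itself is the documented record 6.4.3 asks for.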

For MOTO (Mail Order/Telephone Order) merchants, the new MFA requirements impact the workstations of call centre operators who enter card data. Every access to the system managing PANs must now be protected by multi-factor authentication. This often requires an update to telephone order management platforms and a review of agent operational procedures. The most direct solution is to completely remove card data from the call centre environment using masking or real-time tokenization technologies.

How tokenization absorbs the new requirements

Tokenization with a PCI DSS Level 1 certified provider removes the root cause of many of the problems created by the new v4 requirements. If card data never enters the merchant's environment, requirement 6.4.3 on scripts applies to a much smaller perimeter or does not apply at all, depending on the checkout architecture. With a hosted payment page or a tokenization form managed by the provider, the merchant's payment pages contain no scripts that process card data, which eliminates most of the monitoring obligation.

Similarly, the extension of the MFA obligation to the CDE loses practical relevance if the CDE itself is minimised or eliminated from the merchant's infrastructure. A merchant with SAQ A architecture has no systems of their own that store, transmit or process card data: their compliance perimeter is limited and the most onerous new v4 requirements do not apply. This makes scope reduction the most cost-effective v4 compliance strategy both in terms of immediate costs and recurring burdens.

Frequently asked questions

Will my acquirer ask me for PCI DSS v4 immediately?

It depends on the acquirer and the existing contract. Many European acquirers are already updating onboarding and renewal processes to require v4-compliant SAQs. If you have an imminent annual renewal, check with your acquirer which version of the questionnaire is required. Do not wait for them to flag non-compliance: the risk of contractual penalties is real.

Do I need to redo the SAQ with PCI DSS v4?

Yes, the next SAQ you complete must be based on v4 templates. Updated SAQ templates are available on the PCI Security Standards Council website. The type of SAQ (A, A-EP, B, D, etc.) depends on your payment acceptance architecture, not the standard: if you already use tokenization with hosted fields, you may already qualify for the simpler SAQ A.

Do the v4 requirements apply to Level 4 merchants too?

Yes. Level 4 merchants (fewer than 20,000 annual e-commerce transactions or up to 1 million transactions of any type) are still subject to PCI DSS v4. The difference from higher levels concerns the validation method (SAQ instead of ROC), not the applicability of the standard. The new v4 requirements apply to all merchants accepting cards from major schemes.

PCI DSS v4 compliance without redesigning the infrastructure: tokenization is the fastest path for most merchants. Discover PCI Proxy EU.

PCI Proxy EU Team

RoxPay, PCI DSS tokenization in Europe

Content reviewed by payment and PCI DSS compliance experts.
