PCI DSS v4 came into force in March 2022, but many of its new requirements became mandatory only in March 2025. For European merchants this is a significant update: the standard brings over 60 new requirements compared to v3.2.1, with reinforced focus on authentication, continuous monitoring and risk management. Anyone who has not yet complied is already out of compliance.
The main changes in PCI DSS v4 compared to v3.2.1
PCI DSS v4 maintains the 12 main requirements of v3.2.1 but enriches them with new sub-requirements and updated evaluation criteria. The areas with the most relevant changes are authentication (requirement 8), system monitoring (requirement 10) and vulnerability management (requirement 6). v4 also introduces the concept of customised approach: organisations with mature security controls can demonstrate compliance with alternative methods, provided they document and justify the equivalence of controls.
Among the most impactful novelties is the extended multi-factor authentication (MFA) requirement: in v4, MFA becomes mandatory for all access to the CDE, not just for remote access as in v3.2.1. The approach to protecting checkout pages also changes: requirement 6.4.3 now requires an inventory and integrity analysis of all scripts present on payment pages, to counter e-skimming attacks.
PCI DSS v4 deadlines: what was mandatory from 2024
PCI DSS v3.2.1 was retired on 31 March 2024: from that date all compliance reports (ROC and SAQ) must reference standard v4. The requirements labelled "future-dated" in the original v4, however, became mandatory on 31 March 2025. These include new controls on payment page scripts, reinforced requirements on password management and updated criteria for security log monitoring.
For European merchants the 2025 deadline is particularly relevant because many acquirers are beginning to require v4-updated SAQs in onboarding and annual renewal procedures. Presenting a SAQ based on v3.2.1 is no longer sufficient. Failure to comply exposes merchants to remediation requests from the acquirer and, in the most serious cases, suspension of the ability to accept cards.
What the 2025 mandatory requirements mean in practice
The requirements labelled "future-dated" in the original PCI DSS v4 became fully mandatory on 31 March 2025. Requirement 6.4.3 requires a documented inventory of all JavaScript scripts present on payment pages, with mechanisms to verify their integrity — including third-party scripts from providers like Google Analytics or Meta Pixel if present on the checkout page. Requirement 11.6.1 adds continuous monitoring of payment pages to detect unauthorised changes to scripts and HTTP headers.
For MOTO (Mail Order/Telephone Order) merchants, requirement 8.4.2 extends the MFA obligation to all access to the CDE, including internal network access. Every workstation of call centre operators who enter card data must now be protected by multi-factor authentication. This often requires updates to telephone order management platforms and a review of agent operational procedures. The most direct solution is to remove card data from the call centre environment using real-time tokenization.
How to comply with PCI DSS v4 without major investments
The most efficient path for most merchants goes through reducing the compliance perimeter. If card data does not transit through the company's systems, many of the new v4 requirements do not apply. Tokenization with a certified PCI DSS Level 1 provider shifts responsibility for card data protection outside the company perimeter. This does not eliminate all obligations, but drastically reduces the number of systems, processes and people falling within the CDE.
An e-commerce merchant that integrates a tokenization system before checkout can typically drop to SAQ A, the simplest self-assessment questionnaire, with fewer than 50 requirements versus over 200 in SAQ D. This reduction directly impacts annual compliance costs: fewer vulnerability scans, fewer systems to monitor, pen testing on a reduced perimeter. With PCI DSS v4 scope reduction becomes even more cost-effective than in the past.
Frequently asked questions
Is PCI DSS v4 already mandatory?
Yes. PCI DSS v3.2.1 was retired on 31 March 2024. From that date all compliance reports must reference v4. The "future-dated" requirements of v4 became mandatory on 31 March 2025. A merchant presenting a SAQ based on v3.2.1 today is no longer considered compliant by acquirers.
How many requirements does PCI DSS v4 have?
PCI DSS v4 maintains the 12 main requirements but introduces over 60 new sub-requirements compared to v3.2.1, bringing the total number of controls to over 300 for organisations with complex CDEs. The actual number of requirements applicable to a single merchant depends on the type of integration and the reference SAQ.
How does the SAQ change with PCI DSS v4?
SAQ templates have been updated to v4 with new questions, revised test criteria and additional requirements. SAQ A, the one for merchants with minimal scope, has undergone relatively contained changes. SAQ D, which applies to merchants with a full CDE, includes new requirements on MFA, script monitoring and vulnerability management. It is advisable to check with your acquirer which version of the SAQ is required for renewal.
Will my acquirer ask me for PCI DSS v4 immediately?
It depends on the acquirer and the existing contract. Many European acquirers are already updating onboarding and renewal processes to require v4-compliant SAQs. If you have an imminent annual renewal, check with your acquirer which version of the questionnaire is required. Do not wait for them to flag non-compliance: the risk of contractual penalties is real.
Do the v4 requirements apply to Level 4 merchants too?
Yes. Level 4 merchants (fewer than 20,000 annual e-commerce transactions or up to 1 million transactions of any type) are still subject to PCI DSS v4. The difference from higher levels concerns the validation method (SAQ instead of ROC), not the applicability of the standard. The new v4 requirements apply to all merchants accepting cards from major schemes.
Complying with PCI DSS v4 starting from the tokenization infrastructure is the fastest and most cost-effective path for most merchants. Discover PCI Proxy EU.
Stay ahead of PCI DSS & payment compliance
Monthly digest for European merchants, fintechs and PSPs. No spam — unsubscribe any time.