Cyber Horizon
PCI DSS · Payments · Compliance

PCI DSS 4.0: What Changed and How to Prepare

5 June 2026 · 8 min read · Cyber Horizon Team

If your business stores, processes or transmits payment card data, PCI DSS 4.0 now applies in full — including the future-dated requirements that became mandatory in 2025. The update is the biggest revision the standard has seen in years, and it shifts the emphasis from a fixed checklist towards continuous, risk-based security.

Why 4.0 is a meaningful change

Version 4.0 keeps the familiar twelve requirements but reworks how you meet them. The headline shift is flexibility paired with rigour: you can now satisfy many requirements through a customised approach that meets the security objective in your own way, provided you back it with a documented risk analysis — rather than following the prescriptive “defined approach” step for step.

The changes that catch teams out

Stronger authentication: Expanded MFA expectations and updated password length and strength rules.
Client-side script protection: New requirements to manage and monitor scripts on payment pages to counter skimming.
Targeted risk analyses: Several controls now require you to justify frequency and approach with a documented analysis.
Customised approach: Meet an objective your own way — but you must evidence and have it assessed.
Continuous mindset: More emphasis on controls operating as business-as-usual, not just at assessment time.

Know your level and your SAQ

Your obligations scale with how many transactions you process. Smaller merchants typically self-assess using the relevant Self-Assessment Questionnaire (SAQ); larger ones require an assessment by a Qualified Security Assessor and a Report on Compliance. The single most effective way to reduce your burden is to shrink your scope — minimise where card data flows and is stored, and use validated third parties or tokenisation so the sensitive data never touches your systems.

How to prepare

Map your cardholder data flows and aggressively minimise scope.
Gap-assess against 4.0, paying special attention to the newer requirements.
Document the targeted risk analyses the standard now expects.
Implement client-side script monitoring on payment pages.
Treat controls as continuous business-as-usual, with evidence captured throughout.

The “business-as-usual” emphasis in 4.0 is really a push towards continuous compliance — capturing evidence as controls operate rather than reconstructing it for an annual assessment. Our continuous compliance guide covers how to make that practical.

Track PCI DSS 4.0 controls continuously

Map the twelve requirements, document your risk analyses, and capture evidence as controls operate — so PCI assessment becomes a formality, not a fire drill.
