If your business accepts credit or debit cards, PCI compliance is essential. The latest version of the Payment Card Industry Data Security Standard, PCI DSS 4.0, is now fully in effect. It introduces major changes designed to strengthen cardholder data protection and adapt to today’s complex digital payment landscape.

This version replaces the older 3.2.1 standard and includes critical enhancements for fraud prevention, authentication, and risk management. Here’s what you need to know and how to stay current in 2025.

What is PCI DSS 4.0 and 4.0.1

PCI DSS 4.0 is the global security standard for any organization that stores, processes, or transmits cardholder data. It was officially released in March 2022 and became the mandatory standard as of March 31, 2024. A clarification update, version 4.0.1, was published in mid-2024 to refine language and improve implementation guidance without changing the core requirements.

The real shift came in April 2025, when many of the formerly “best practice” or future-dated requirements became enforceable. Merchants must now fully align with PCI DSS 4.0 and address all applicable requirements, including those phased in over the past year.

Why PCI DSS 4.0 Matters Now

April 1, 2025, marked the date when PCI DSS 4.0 enforcement began in full. Businesses that have not transitioned from 3.2.1 risk fines, higher merchant fees, breach liability, and potential disruption of card processing services.

The update reflects the growing complexity of modern payments, where merchants may process card data across physical points of sale, mobile apps, e-commerce platforms, and cloud environments. PCI DSS 4.0 provides a more flexible framework while raising the bar for security, accountability, and risk management.

Key Requirements Now in Effect as of April 2025

1. Scope Definition and Maintenance
   Merchants must define and document their PCI scope annually. For service providers, this must be done every six months. This includes identifying all systems and components involved in storing, processing, or transmitting cardholder data.
2. Multi-Factor Authentication (MFA)
   MFA is now required for all access to the cardholder data environment, both internal and external. This eliminates prior exemptions and greatly improves protection against unauthorized access.
3. Stronger Password Controls
   User passwords must now be at least 12 characters long unless a system limitation exists. This aligns PCI DSS with modern password standards for increased security.
4. Web Application Security
   Public-facing payment pages must use a web application firewall or equivalent controls. Merchants must also monitor the integrity of all scripts loaded into these pages to prevent tampering or injection attacks.
5. Automated Logging and Monitoring
   Merchants must implement automated logging systems to detect and alert on failures in critical security controls. Manual log reviews are no longer sufficient.
6. Vulnerability Management and Software Inventory
   All internal vulnerability scans must be authenticated. Merchants must also maintain an inventory of software components using a Software Bill of Materials (SBOM) to quickly address known vulnerabilities.
7. Phishing Defense and Awareness
   Anti-phishing technologies and employee training are required. This includes protecting users from fraudulent emails that could lead to credential theft or unauthorized access.
8. Incident Response and Data Discovery
   Incident response plans must now include procedures for detecting unauthorized storage of cardholder data, not just responding to breaches.

What’s New Since April 2025

While the 4.0 standard is stable, version 4.0.1 introduced clarification on several areas including encryption expectations, hashing, and vendor responsibilities. The PCI Council emphasized the importance of maintaining SBOMs and reinforced that organizations should now be implementing customized approaches only when clearly documented and reviewed.

Key reminders from recent updates include:

• Use of keyed hashing algorithms
• Proper encryption key lifecycle management
• Annual scope validation
• Documented roles for shared responsibility with third-party vendors

What Merchants Should Do Now

If your business is still catching up with PCI DSS 4.0 requirements, here are key action items to prioritize:

• Perform a gap analysis against current operations and 4.0 requirements
• Implement MFA for all users accessing systems in scope
• Deploy or validate use of web application firewalls
• Set up automated logging and alerting tools
• Complete an SBOM for all software in your cardholder environment
• Train staff annually on security awareness, phishing, and incident response
• Confirm your third-party service providers are PCI compliant and responsibilities are clearly defined

Why This Is Important to Your Business

Compliance is not just a technical checklist. PCI DSS 4.0 is about protecting your customers, your reputation, and your financial stability. Data breaches can be devastating, both in terms of brand damage and regulatory penalties. By staying compliant, you reduce risk, maintain trust, and avoid potential disruptions to your ability to process payments.

How Viking Can Help

At Viking, we offer platforms and services built with compliance in mind. Whether you’re using VIKExpress for card-not-present transactions, VIKEdge for ACH with bank balance verification, or VIKEngage for transaction monitoring, we make sure your payments are processed securely and responsibly.

We can also help with:

• PCI compliance assessments
• Policy and documentation support
• Vendor responsibility checklists
• Technical integrations for MFA, logging, and scanning
• Ongoing training and incident response planning

If you’re unsure whether you’re ready for PCI DSS 4.0.1 or need help getting your systems in line with the new standards, reach out to your Viking representative today.

Let’s make sure your payment security is not just compliant, but resilient.