A Complete Guide to PCI-DSS 4.0 Requirements for Businesses

If your business accepts credit or debit cards in any form, a set of security rules already applies to you, whether you have read them or not. Those rules are the Payment Card Industry Data Security Standard, and the current generation, version 4, is the largest overhaul of the standard in its history. Understanding the PCI DSS 4.0 requirements is not optional for a business that handles cardholder data. The deadlines for the newest controls have now passed, which means the full standard is in effect today, and the cost of ignoring it ranges from monthly fines to losing the ability to accept cards at all. This guide explains what the standard is, what each of its twelve core requirements actually asks of you, what changed in version 4, how to work out which validation path applies to your business, and the practical steps to reach and maintain compliance without being overwhelmed by a document written for security professionals.

What PCI DSS Is and Who Must Comply
The Payment Card Industry Data Security Standard is a global security standard that governs how organizations store, process, and transmit cardholder data. It was created by the major payment card brands and is administered by the PCI Security Standards Council. The goal is straightforward: reduce payment card fraud by forcing everyone in the payment chain to protect the data that fraudsters want.
A common misconception is that PCI DSS is a law. It is not. It is a contractual standard enforced by the card brands and the banks you work with, not by a government regulator. That distinction does not make it optional. When you sign a merchant agreement to accept cards, you agree to comply, and the penalties for failing are commercial but severe, including fines passed down by your bank, higher transaction fees, and in serious cases the termination of your ability to process card payments.
The standard applies to two broad groups. Merchants are businesses that accept cards for payment, from a single-location retailer to a large e-commerce operation. Service providers are companies that store, process, or transmit cardholder data on behalf of others, or that could affect the security of that data. If your business touches a card number at any point, the standard almost certainly applies to you, and importantly, it applies even if you outsource your payment processing, because how you handle the parts you touch still matters.

Which Version Is Current: 4.0 or 4.0.1?
Because this causes real confusion, it is worth settling immediately. Version 4.0 was published in March 2022 and was the major rewrite. In June 2024 the Council released version 4.0.1, a limited revision that corrected errors and clarified wording without adding or removing any requirements. Version 4.0 was formally retired at the end of December 2024, which means version 4.0.1 is now the only active version of the standard.
For practical purposes, when people search for PCI DSS 4.0 requirements they are asking about the same set of controls that 4.0.1 contains. The requirements are identical between the two; 4.0.1 simply fixed typographical and formatting issues and clarified intent. So this guide describes the version 4 requirements as they stand today under 4.0.1. The most significant date to know is that the future-dated requirements introduced in version 4 became mandatory on March 31, 2025, so the standard is now in full effect rather than in a transition period.

The 12 Core PCI DSS 4.0 Requirements
The standard is organized into twelve requirements grouped under six control objectives. Each requirement breaks down into many detailed sub-requirements, more than two hundred in total, each with its own testing procedure, but understanding the twelve at a high level gives any business owner a clear map of what compliance involves.

Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain network security controls. This covers firewalls and other controls that govern traffic into and out of your cardholder data environment. The aim is to separate systems that handle card data from untrusted networks, including the public internet.
Requirement 2: Apply secure configurations to all system components. Default passwords and settings from vendors are a gift to attackers. This requirement demands that you change them and harden every device and system before it goes into use.
Protect Account Data
Requirement 3: Protect stored account data. Cardholder data that you store must be protected, which in practice means strong encryption and strict limits on what you keep. The cardinal rule is to store as little as possible and never store sensitive authentication data after a transaction is authorized.
Requirement 4: Protect cardholder data with strong cryptography during transmission. Whenever card data crosses an open or public network, it must be encrypted in transit so that intercepting it yields nothing useful.
Maintain a Vulnerability Management Program
Requirement 5: Protect all systems and networks from malicious software. Anti-malware protection must be deployed, kept current, and actively maintained across your systems, which is one of the everyday functions that managed cybersecurity solutions are built to handle.
Requirement 6: Develop and maintain secure systems and software. Security flaws are discovered constantly. This requirement covers patching known vulnerabilities promptly and building security into any software your business develops.

Implement Strong Access Control Measures
Requirement 7: Restrict access to system components and cardholder data by business need to know. People should be able to reach card data only if their specific job requires it. Everyone else should be unable to access it at all.
Requirement 8: Identify users and authenticate access to system components. Every user needs a unique ID so actions can be traced to an individual, and access must be protected by strong authentication. Under version 4, multi-factor authentication is required for all non-console access into the cardholder data environment, not only for administrators and remote users, which is one of the standard's most impactful changes.
Requirement 9: Restrict physical access to cardholder data. Digital security means little if someone can walk up to a server or a stack of paper records. This requirement governs locks, access logs, and the handling of physical media.
Regularly Monitor and Test Networks
Requirement 10: Log and monitor all access to system components and cardholder data. You must record who did what and when, and review those logs, so that suspicious activity is detected rather than discovered months later by someone else.
Requirement 11: Test security of systems and networks regularly. This covers regular vulnerability scanning and penetration testing to find weaknesses before attackers do. Testing on a defined schedule, not once and forgotten, is the point.
Maintain an Information Security Policy
Requirement 12: Support information security with organizational policies and programs. Technology alone does not create security. This requirement covers written policies, risk assessments, security awareness training, and the human side of protecting card data.
What Changed in Version 4
Version 4 was not a minor update. It reshaped the standard to address how businesses and threats have evolved since the previous version. Several changes stand out as the ones most likely to affect a typical business.
- Expanded multi-factor authentication. MFA is now required for all non-console access into the cardholder data environment, for every user, not just for remote access from outside the network and for administrators as under the previous version. This is one of the most widely felt changes.
- Stronger password rules. The minimum password length rises from seven characters to twelve (eight where a system cannot support twelve), and related authentication controls, such as lockout and password-change rules, were tightened.
- The customized approach. Version 4 introduced a new way to meet requirements. Alongside the traditional, prescriptive controls, mature organizations can now design their own controls that meet a requirement's security objective, provided they can demonstrate effectiveness. This adds flexibility for sophisticated businesses while keeping the defined approach for everyone else.
- Targeted risk analyses. Several requirements now let an organization set the frequency of certain activities based on a documented risk analysis rather than a fixed schedule, shifting some control from the checklist to the business's own reasoned judgment.
- Tighter focus on e-commerce and phishing. New requirements address scripts on payment pages (an inventory of every script, a justification for each, and detection of unauthorized changes to the page as the customer's browser receives it, in requirements 6.4.3 and 11.6.1) and anti-phishing measures (technical mechanisms to detect and protect personnel against phishing, in requirement 5.4.1), reflecting where card fraud has actually been happening.
- More continuous, less point-in-time. The overall direction of version 4 treats security as an ongoing program rather than an annual scramble before an assessment.
The throughline is that version 4 expects security to be lived continuously and tailored to real risk, not performed once a year to pass a test.

How to Determine Your PCI DSS Level and Validation Path
Not every business proves compliance the same way. How you validate depends mainly on how many card transactions you handle annually, which places you into one of four merchant levels. The thresholds are set by the card brands and broadly align as follows: the largest merchants, processing more than six million transactions a year, are Level 1 and must undergo a formal annual assessment by a Qualified Security Assessor. Mid-sized and smaller merchants generally fall into Levels 2 through 4 and validate using a Self-Assessment Questionnaire appropriate to how they accept payments.
The Self-Assessment Questionnaire is not one document but a family of them, and choosing the right one matters enormously, because it determines how many of the requirements apply to you. The questionnaire for a business that has fully outsourced its payment handling to a compliant third party (SAQ A) is far shorter than the one for a business that stores card data on its own systems (SAQ D). Many small businesses dramatically reduce their compliance burden simply by structuring payments so that card data never touches their own environment, for example by using a hosted payment page or redirect from a compliant processor.
Depending on how they accept payments, most businesses must also complete quarterly external vulnerability scans by an Approved Scanning Vendor and, depending on level and setup, penetration testing. The key practical step is to confirm your level and the correct validation path with your acquiring bank or payment processor, because they are the ones who enforce your obligations and can tell you exactly which questionnaire and scans apply to your situation.

The Cost of Non-Compliance
Because PCI DSS is enforced contractually rather than by statute, the consequences come from the card brands and your bank rather than a government fine, but they are real and they compound. Businesses found non-compliant can face monthly penalties that escalate the longer the problem persists. After a breach, an organization that was not compliant can be held liable for fraud losses, forensic investigation costs, and card reissuance expenses. Your processing fees can rise, and in the most serious cases your bank can revoke your ability to accept cards entirely, which for most businesses is an existential threat.
There is also the breach itself to consider. A payment data breach brings reputational damage, potential lawsuits, and, for businesses operating in California, exposure under state data breach laws that can run alongside the card-brand consequences. Compliance is far cheaper than any of these outcomes, which is the practical argument for treating it as a standing part of operations rather than a box to tick.

Practical Steps to Reach and Maintain Compliance
The full standard is daunting, but the path to compliance for most businesses follows a sensible order. Approaching it as a sequence rather than a single overwhelming project makes it manageable.
- Map where card data flows. Identify every place card data is accepted, processed, transmitted, or stored. You cannot protect what you have not located, and this map defines your cardholder data environment, which is the scope of everything that follows.
- Reduce your scope. The single most effective move for a small business is to shrink the environment that handles card data, ideally so that sensitive data never touches your own systems. Less scope means fewer applicable requirements and a far simpler validation.
- Confirm your level and questionnaire. Work with your bank or processor to identify your merchant level and the correct Self-Assessment Questionnaire, so you know precisely which requirements you must meet.
- Run a gap assessment. Compare your current controls against the applicable requirements to find what is missing. This turns an abstract standard into a concrete to-do list.
- Remediate the gaps. Close the missing controls, prioritizing the ones that protect data directly, such as encryption, access control, and multi-factor authentication.
- Validate and document. Complete your questionnaire or formal assessment, run the required scans, and keep thorough records. Documentation is itself part of compliance.
- Maintain it continuously. Version 4 expects ongoing security. Keep patching, monitoring logs, reviewing access, scanning, and refreshing training throughout the year, not just before your annual deadline.
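The first two steps above, mapping where card data flows and shrinking that footprint, usually start with a search of logs, exports, and file shares for card numbers that should not be there. Requirement 3 sets the rule the output has to follow: when a PAN is displayed, no more than the first six digits (the BIN) and the last four may be shown, and stored PANs must be rendered unreadable. The Python below is an added example written for this guide, not GlobeVM's tooling and not code from the PCI Council; the log lines are constructed, and the card numbers in them are the widely published test numbers used by payment processors, not real accounts. It finds candidate 13-to-19-digit runs, keeps only those that pass the Luhn check digit (which real PANs always do, so order numbers and timestamps drop out), and rewrites each hit into the BIN-plus-last-four form:

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; every genuine PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN as PCI DSS 3.4.1 allows for display: BIN (first 6) and last 4 only."""
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_of(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str):
    """Return (raw_match, digits) for every Luhn-valid PAN candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_of(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.group(0), digits))
    return hits


def scrub_line(line: str):
    """Replace each Luhn-valid PAN in a line with its masked form; return (line, count)."""
    count = 0

    def _repl(m):
        nonlocal count
        digits = _digits_of(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)      # digit run that is not a PAN: leave it alone

    return PAN_CANDIDATE.sub(_repl, line), count


def scan_log(log_text: str):
    """Scan log text; return (scrubbed_text, findings), findings = [(line_no, masked_pan)]."""
    scrubbed_lines, findings = [], []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for _, digits in find_pans(line):
            findings.append((n, mask_pan(digits)))
        scrubbed, _ = scrub_line(line)
        scrubbed_lines.append(scrubbed)
    return "\n".join(scrubbed_lines), findings


# Constructed sample log. Line 3 holds a 16-digit value that fails Luhn, so it is
# treated as an internal reference, not a PAN; the order numbers fail Luhn too.
SAMPLE_LOG = """\
2025-03-31T10:02:11Z checkout order=1700000000000 card=4111111111111111 amount=49.99
2025-03-31T10:02:15Z support note: customer read card 5555 5555 5555 4444 over the phone
2025-03-31T10:03:40Z checkout order=1700000000001 ref=4111111111111112 amount=10.00
2025-03-31T10:04:02Z amex 378282246310005 declined
"""

if __name__ == "__main__":
    clean, found = scan_log(SAMPLE_LOG)
    for line_no, masked in found:
        print(f"line {line_no}: PAN found, masked as {masked}")
    print(clean)
```

Run it and it reports three PANs (lines 1, 2 and 4) and prints the log with each one masked, while the order numbers and the Luhn-failing reference on line 3 are untouched. Finding a PAN in a log is itself a scoping result: that log server is now inside the cardholder data environment until the logging is fixed, which is why this kind of discovery scan belongs at the start of the process rather than the end.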
Several requirements sit squarely at the intersection of compliance and day-to-day IT, which is where outside help is often worthwhile. Keeping the whole program organized, documented, and current is the work that structured compliance and risk management services are designed to support.
GlobeVM is a managed IT and cybersecurity firm serving small and mid-sized businesses across the Los Angeles area, with CCSP-certified expertise and hands-on experience helping businesses meet frameworks including HIPAA and PCI DSS. That local presence matters, because a California business handling card data faces both the card-brand requirements and state data protection obligations, and a compliance plan that addresses one without the other leaves a gap. For businesses that want the underlying technology managed properly so that compliance becomes sustainable, GlobeVM provides managed IT services that keep the controls behind the standard running day to day.
If you are unsure where your business stands against the current PCI DSS 4.0 requirements, a scoping and gap assessment with a knowledgeable local partner is the most direct way to find out what applies to you and what it will take to comply.