PCI DSS 4.0 — Payment Card Compliance Automated
PCI DSS 4.0 introduces significant new requirements for payment security. Our platform maps all 12 requirements with automated evidence collection and continuous monitoring.
Who needs it: Any organization that stores, processes, or transmits cardholder data.
What is PCI DSS 4.0?
PCI DSS (Payment Card Industry Data Security Standard) version 4.0 is the latest major update to the global standard for protecting payment card data. Published by the PCI Security Standards Council, it applies to every organization that stores, processes, or transmits cardholder data — from e-commerce startups to global retailers and payment processors.
Version 4.0 adds a customized approach alongside the traditional defined approach: an organization may meet a requirement's stated security objective with controls of its own design, provided it documents a targeted risk analysis for each such control and the assessor validates it. Other key changes include multi-factor authentication for all access into the cardholder data environment (not only administrative and remote access), stronger requirements for cryptography and key management, and targeted risk analyses that set the frequency of several periodic controls. PCI DSS v3.2.1 was retired on March 31, 2024, and the future-dated v4.0 requirements became mandatory on March 31, 2025; the current published text is the v4.0.1 clarification release of June 2024.
What you'll need to satisfy.
The six control objectives and twelve requirements PCI DSS 4.0 assessors evaluate, and what we ship to cover each one.
Build and Maintain a Secure Network and Systems
- Requirement 1: Install and maintain network security controls
- Requirement 2: Apply secure configurations to all system components
Protect Account Data
- Requirement 3: Protect stored account data
- Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Protect all systems and networks from malicious software
- Requirement 6: Develop and maintain secure systems and software
Implement Strong Access Control Measures
- Requirement 7: Restrict access to system components and cardholder data by business need to know
- Requirement 8: Identify users and authenticate access to system components (MFA required for all access into the CDE)
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Log and monitor all access to system components and cardholder data
- Requirement 11: Test security of systems and networks regularly, including quarterly internal vulnerability scans and quarterly external scans by an Approved Scanning Vendor (ASV)
Maintain an Information Security Policy
- Requirement 12: Support information security with organizational policies and programs, including the targeted risk analyses that underpin the customized approach and third-party service provider oversight
The problem we solve.
Why teams pick Compliance Enablers for PCI DSS 4.0 compliance.
Common challenges
- The v4.0 transition and the March 2025 deadline for its future-dated requirements create urgency
- Multiple payment channels mean scattered compliance evidence
- Quarterly scans and annual assessments drain resources
What we provide
- All 12 requirements mapped with evidence automation
- Continuous control monitoring between the quarterly scans and the annual assessment the standard still requires, so drift is caught when it happens rather than at assessment time
- SAQ preparation with third-party service provider (TPSP) compliance monitoring, as Requirement 12.8 expects
- Cross-mapping to SOC 2 and ISO 27001 for multi-framework efficiency
- Incident response procedures specific to payment card breaches
From kickoff to audit-ready.
Step-by-step, exactly how we'll get you there.
Scoping
Define your Cardholder Data Environment (CDE) with our scoping wizard. Identify every system that stores, processes, or transmits cardholder data, plus the connected-to and security-impacting systems (directory services, logging, patching, jump hosts) that are in scope even though they never touch card data.
Gap Assessment
AI-powered assessment against all 12 PCI DSS 4.0 requirements. Identify gaps with clear remediation priorities and effort estimates.
SAQ Determination
Determine the correct Self-Assessment Questionnaire type (A, A-EP, B, B-IP, C, C-VT, P2PE, SPoC, or D) based on your payment channels; merchants and service providers whose acquirer or brand requires a Report on Compliance are assessed by a QSA instead. Pre-populated templates reduce assessment effort by 70%.
Control Implementation
Implement required controls using our template library. Automated evidence collection from payment processors, cloud providers, and security tools.
Continuous Compliance
Monitor controls continuously between the quarterly scans and annual assessment the standard requires, instead of discovering drift only at assessment time. Automated scan scheduling (including the quarterly ASV scans), vulnerability tracking, and real-time compliance scoring.
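The Scoping step above turns on one practical question: where does cardholder data actually live? The usual first pass is a data-discovery scan that looks for primary account numbers (PANs) in files, databases and logs, and the standard trick for separating real PANs from other long numbers is the Luhn check digit. The following is an added example, not Compliance Enablers' code or the scoping wizard itself: it finds Luhn-valid PANs in sample text and masks each hit to the first six and last four digits, the most Requirement 3.4.1 allows to be displayed (the six-digit BIN is an assumption; some issuers now use eight). The log lines are constructed for the example and the card numbers are public test numbers, not real accounts.

```python
"""PAN discovery and masking helper for CDE scoping (added example)."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# Deliberately loose; the Luhn check below does the real filtering.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample lines: one tokenised (out of scope), two carrying test PANs,
# one with a 13-digit reference number that fails Luhn.
SAMPLE_LINES = [
    "2025-01-14T10:02:11Z checkout order=ORD-2025-0098 amount=49.99 token=tok_8f3a9c",
    "2025-01-14T10:02:12Z legacy-export card=4111 1111 1111 1111 exp=12/27",
    "2025-01-14T10:02:13Z support note: customer phone 5551234567 ref 1234567890123",
    "2025-01-14T10:02:14Z refund pan=5555-5555-5555-4444 amt=10.00",
]


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[tuple[str, str]]:
    """Return (raw_match, digits_only) pairs for candidates that pass Luhn."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.group(0), digits))
    return hits


def mask_pan(pan: str) -> str:
    """Mask to first six (assumed BIN length) and last four, the Req. 3.4.1 display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: list[str]) -> tuple[int, list[str]]:
    """Count lines carrying a PAN (in scope) and return every line with PANs masked."""
    in_scope = 0
    masked = []
    for line in lines:
        hits = find_pans(line)
        if hits:
            in_scope += 1
        for raw, digits in hits:
            line = line.replace(raw, mask_pan(digits))
        masked.append(line)
    return in_scope, masked


if __name__ == "__main__":
    count, out = scan_lines(SAMPLE_LINES)
    print(f"{count} of {len(SAMPLE_LINES)} sample lines carry a PAN and pull their source into scope")
    for line in out:
        print(line)
```

Treat the result as triage, not proof of scope: some unrelated numbers pass Luhn by chance, and encrypted, encoded or tokenised data will not match at all, so a clean scan of a system does not by itself take it out of the CDE.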
PCI DSS compliance requires deep integration with payment infrastructure. While general GRC platforms offer basic control mapping, Compliance Enablers provides SAQ determination, CDE scoping, scan management, and continuous monitoring — plus cross-framework mapping so your PCI controls also satisfy SOC 2 and ISO 27001 requirements.
Get PCI DSS 4.0 audit-ready.
6-10 weeks to assessment-ready. 513 pre-generated policies. 50+ evidence collectors. Everything you need to pass PCI DSS 4.0, out of the box.