Elevate

PCI DSS v4.0.1: The Current Standard and What Your Organization Must Do

If your organization touches credit card data in any way, the Payment Card Industry Data Security Standard (PCI DSS) is central to how you operate. The standard underwent its first major overhaul in more than a decade with the release of v4.0, and the transition is now complete. The future-dated requirements that were once optional are mandatory, the older versions are retired, and v4.0.1 is the sole active standard. This guide explains where PCI DSS stands today, what changed, and what you need to have in place to remain compliant.

Where PCI DSS Stands Today

Here is the current state of the standard, which matters because organizations still operating under older assumptions are now out of compliance.

PCI DSS v4.0.1 is the current and sole active version of the standard. It became the only valid version on December 31, 2024, when PCI DSS v4.0 was retired. The previous major version, v3.2.1, retired earlier still. The PCI Security Standards Council officially retired PCI DSS v3.2.1 on March 31, 2024, leaving v4.0 and then v4.0.1 (collectively v4.x) as the active standard.

Most importantly, the phase-in period is over. As of March 31, 2025, all 51 future-dated requirements from PCI DSS v4.0 are mandatory and must be validated during PCI DSS assessments, with no grace period. If your organization is still operating as though v3.2.1 controls are sufficient, or if you validated under v4.0 in 2024 but treated the future-dated requirements as optional, your next assessment will not pass unless those controls are now implemented.

How PCI DSS Got Here: The Timeline

The path from the old standard to today’s requirements unfolded over three years, and the milestones explain why the requirements you face now are not negotiable.

PCI DSS v4.0 was published in March 2022, the result of a multi-year revision process. The PCI SSC had gathered over 3,000 feedback items from participating organizations through a formal request-for-comment process to shape the update. Version 4.0 introduced 64 new or updated requirements: 13 became effective immediately, and 51 were designated as future-dated best practices until March 31, 2025.

The Council deliberately built in a long runway. Organizations were given roughly two years to understand the impact of the changes and prepare for when the new requirements would become required. After v3.2.1 retired on March 31, 2024, all assessments had to be conducted against v4.0 or v4.0.1. Then, in June 2024, the Council issued v4.0.1.

What v4.0.1 Changed (and Did Not)

A common point of confusion is whether v4.0.1 added new obligations. It did not. Version 4.0.1 was a limited revision that corrected typographical and formatting errors, clarified the intent and applicability of certain requirements, and improved guidance. It introduced no new requirements and deleted none.

This distinction matters for planning. All substantive changes to merchant and service-provider obligations come from the v4.0 requirements themselves, including the future-dated requirements that became mandatory on March 31, 2025. The v4.0.1 limited revision did not change the March 31, 2025 effective date for those new requirements. In other words, if you are working from a v4.0 understanding of the controls, v4.0.1 did not move the goalposts; it only sharpened the language.

The Biggest Shift: Compliance Is Now Continuous

Beyond any single requirement, v4.x changed the philosophy of PCI compliance. The most significant shift is that compliance is now treated as an ongoing practice rather than an annual event. Controls need to be in place and documented year-round, not assembled in the run-up to an assessment.

This reframes what readiness means. An organization that scrambles to document controls before its annual assessment is no longer aligned with how the standard expects security to operate. The future-dated requirements reinforce this, emphasizing continuous monitoring, defined roles and responsibilities, and documented processes that run throughout the year.

Examples of Now-Mandatory Requirements

The future-dated requirements that became enforceable in March 2025 reflect modern threats, particularly around web-based payment pages and authentication. A few illustrate the scope of what is now required.

For payment page security, Requirement 6.4.3 calls for keeping an inventory of client-side scripts on payment pages, authorizing them, and documenting their purpose, while Requirement 11.6.1 requires deploying tamper and change-detection mechanisms on payment pages that alert on unauthorized modifications. These address e-skimming and Magecart-style attacks that target the browser.

Authentication also tightened significantly. Most changes specific to Requirement 8 took effect on March 31, 2025, and because of the complexity of the new multi-factor authentication requirements, organizations were warned not to wait until the last minute to bring their identity systems and policies up to standard.

Many of these controls are simply modern cybersecurity good practice, so implementing them addresses real risk in addition to satisfying the assessment.

What Your Organization Should Do Now

The transition window has closed, so the priorities are straightforward. Confirm that you are assessing against v4.0.1, not any earlier version, since it is the only active standard. Treat all 51 formerly future-dated requirements as mandatory, because they are, and verify each is implemented and documented rather than planned. Shift your posture from annual scramble to year-round operation, with controls live and evidence maintained continuously. And give particular attention to the newer, more complex requirements, especially payment-page script integrity (6.4.3 and 11.6.1) and the expanded MFA obligations under Requirement 8, which tend to take the most time to implement correctly.

If you validated under v4.0 in 2024 and deferred the future-dated items, treat closing those gaps as the immediate priority, because your next assessment depends on them.

How Elevate Can Help

Using payment card technology safely is essential to your organization’s reputation, and the current PCI DSS standard demands continuous, documented security rather than a once-a-year exercise. Elevate Consult is well-versed in PCI DSS controls and the v4.x requirements, and we help organizations confirm their environment meets the current standard, close gaps left by deferred future-dated requirements, and build the year-round compliance posture v4.0.1 expects. Schedule a PCI DSS consultation to assess where your environment stands against the current standard.

Frequently Asked Questions

What is the current version of PCI DSS? PCI DSS v4.0.1 is the current and sole active version. It became the only valid version on December 31, 2024, when v4.0 was retired. The earlier v3.2.1 retired on March 31, 2024.

Did PCI DSS v4.0.1 add new requirements? No. Version 4.0.1 was a limited revision that corrected errors and clarified guidance. It introduced no new requirements and removed none. All substantive obligations come from v4.0, including the future-dated requirements.

Are the future-dated requirements mandatory now? Yes. As of March 31, 2025, all 51 future-dated requirements from PCI DSS v4.0 are mandatory and must be validated during assessments. There is no grace period.

What happens if my organization still meets only v3.2.1? You are non-compliant. All assessments since March 31, 2024 must be conducted against v4.x, and since March 31, 2025 they must include the formerly future-dated requirements. Operating on v3.2.1 controls leaves you out of compliance with the current standard.