What PCI DSS 4.0 Actually Requires Now — A Small Merchant’s Guide to the Changes That Took Effect in 2025 and the Assessments You’ll Face in 2026
PCI DSS 4.0’s “future-dated” requirements stopped being future on March 31, 2025. Small merchants who treated PCI DSS 4.0 as a 2025 problem are now facing 2026 assessments under PCI DSS v4.0.1 — and many will discover their processor’s PCI questionnaire just got significantly harder. This is what actually changed, what it means for a business processing under a million card transactions per year, and where the gaps tend to surface.

Where PCI DSS Actually Stands in 2026
The current standard is PCI DSS v4.0.1, released in June 2024 as a clarification of v4.0 (which was published in March 2022). PCI DSS v3.2.1 — the version most small merchants were assessed against for years — was retired on March 31, 2024. As of December 31, 2024, v4.0.1 became the only valid version of the standard. Any merchant completing a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) in 2026 is being assessed under v4.0.1.
The terminology is worth getting right. PCI DSS v4.0 introduced 64 new requirements — 13 effective immediately when v4.0 became active, and 51 designated as “future-dated best practices” until March 31, 2025. All 64 are now mandatory. v4.0.1 did not add or remove requirements; it corrected formatting, fixed typographical errors, and clarified ambiguous wording. The substantive obligations come from PCI DSS 4.0.
For a small merchant, what matters in practice is that the PCI DSS 4.0 SAQ form your processor sent you in 2026 is materially different from the one you completed in 2023. The questions are more specific, the documentation requirements are deeper, and several controls that were optional under v3.2.1 are now required. The standard itself is published by the PCI Security Standards Council, the body that maintains it on behalf of the major card networks.
Five Requirements That Are Genuinely New for Most Small Merchants
Most coverage of PCI DSS 4.0 focuses on enterprise-scale obligations — penetration testing, formal risk analyses, customized approaches. For a small merchant processing under $1 million in card-present volume or under 20,000 e-commerce transactions per year, these five PCI DSS 4.0 changes are the ones that actually show up on your questionnaire.
1. Twelve-Character Passwords (Requirement 8.3.6)
Passwords used to access systems handling cardholder data must now be at least 12 characters long. Under v3.2.1, the minimum was 7 characters. The 12-character requirement applies to all user accounts on systems in the Cardholder Data Environment (CDE) — not just administrators. If your point-of-sale system, payment gateway login, or back-office software touches card data, the accounts using those systems need 12-character passwords.
The exception: if a system genuinely cannot support 12-character passwords (older POS terminals, legacy software), the minimum reverts to 8 characters AND multi-factor authentication becomes mandatory on that system.
2. MFA for All Access to the Cardholder Data Environment (Requirement 8.4.2)
Multi-factor authentication is no longer required only for remote access. Under v4.0.1, MFA is required for all access into the CDE — including local access from inside your store, your office, or your network. A staff member logging into your POS system at the front counter needs MFA. A back-office user logging into your payment gateway from the office computer needs MFA.
For most small merchants, this means turning on MFA in the POS or gateway admin panel, configuring it for every user account, and training staff on the new login flow. The PCI SSC clarified in May 2025 that synced FIDO2 passkeys can satisfy this requirement as a single factor — useful for businesses that find traditional MFA tokens disruptive at the point of sale.
3. Quarterly ASV Scans for SAQ A E-Commerce Merchants (Requirement 11.6.1)
This is the change most likely to surprise small e-commerce merchants. SAQ A — the simplified questionnaire used by merchants who fully outsource their payment page to a third party — used to waive most vulnerability scanning requirements. Under v4.0.1, SAQ A merchants must now demonstrate that their payment page is being scanned at least quarterly by an Approved Scanning Vendor (ASV).
If you use Stripe Checkout, Square Online, or a similar fully-hosted payment page where the customer is redirected entirely off your site, the scanning is typically performed by the payment service provider on your behalf. You need a written attestation from your provider confirming this. If you use an embedded iframe (the payment form appears on your site but is technically loaded from the provider), FAQ 1588 from the PCI SSC clarified in March 2025 that you must either perform the scanning yourself or obtain a documented attestation from your provider.
4. Payment Page Script Integrity Monitoring (Requirement 6.4.3)
For e-commerce merchants, the payment page must be monitored for unauthorized script changes. This requirement targets a specific attack pattern — Magecart-style attacks where malicious JavaScript is injected into a checkout page to skim card numbers. Under v4.0.1, merchants must inventory all scripts loaded on their payment pages, detect unauthorized changes, and document how the integrity check is performed.
For SAQ A merchants using a fully-redirected payment page, this requirement is typically handled by the payment service provider. For merchants using embedded iframes or hosting their own payment forms, the responsibility falls on the merchant. The PCI SSC’s eligibility criteria for SAQ A were updated to reflect this — some merchants who qualified for SAQ A in 2023 may need to complete SAQ A-EP or SAQ D-Merchant in 2026.
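The inventory-and-detect step described above, as an added example that is not from the original article: a Python check that records the scripts on a reviewed copy of the checkout page (external src URLs plus a SHA-256 of each inline body) as the documented baseline, then flags anything on a later copy that is not in it, and also reports baseline scripts that have disappeared. It assumes the page HTML is fetched by a scheduled job elsewhere; the gateway URL, public key and the injected .invalid domain are constructed placeholders, not a real provider or indicator.

```python
import hashlib
from html.parser import HTMLParser

class ScriptInventory(HTMLParser):
    """Collect every <script> on a page: external src URLs plus a SHA-256 of each inline body."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = set(), set(), None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.add(src)  # first- or third-party script file
            else:
                self._buf = []          # start capturing an inline body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.inline.add("sha256-" + hashlib.sha256(body).hexdigest())
            self._buf = None

def inventory(html):
    """Return (external_srcs, inline_hashes): the documented script inventory the requirement asks for."""
    p = ScriptInventory()
    p.feed(html)
    p.close()
    return p.external, p.inline

def check_payment_page(html, baseline):
    """Diff a fetched copy of the payment page against the approved baseline; any non-empty list is an alert."""
    external, inline = inventory(html)
    return {
        "unauthorized_external": sorted(external - baseline[0]),
        "unauthorized_inline": sorted(inline - baseline[1]),
        "missing": sorted((baseline[0] - external) | (baseline[1] - inline)),
    }

# Constructed sample: the reviewed checkout page. Gateway URL and key are placeholders, not a real provider.
APPROVED_PAGE = """<html><body>
<script src="https://gateway.example.com/v1/checkout.js"></script>
<script>Gateway.mount('#card', {publicKey: 'pk_placeholder'});</script>
</body></html>"""
# Constructed later copy with two scripts nobody reviewed (the domain uses the reserved .invalid TLD).
TAMPERED_PAGE = APPROVED_PAGE.replace("</body>", """<script src="https://stats.example.invalid/t.js"></script>
<script>window.__t = Date.now();</script>
</body>""")
BASELINE = inventory(APPROVED_PAGE)  # record once after review, then re-check on a schedule
```

Calling `check_payment_page(TAMPERED_PAGE, BASELINE)` returns one unauthorized external URL and one unauthorized inline hash; the same call on the approved page returns three empty lists, which is the evidence the questionnaire asks you to document.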
5. Automated Audit Log Review (Requirement 10.4.1.1)
System logs covering activity in the CDE must now be reviewed using automated mechanisms — not manual spot-checks. The standard requires retention of audit logs for 12 months minimum, with the most recent 3 months immediately accessible without restoring from backup. For a small merchant, this typically means enabling automated log retention in your POS or gateway admin panel and confirming the retention period meets the 12-month/3-month requirement.
The PCI DSS 4.0 “automated review” language doesn’t require sophisticated SIEM software for most small merchants. Many POS and gateway providers now include automated log review features that satisfy the requirement. The questionnaire asks how the review is performed — pointing to the provider’s automated review tooling and confirming you receive alerts is usually sufficient.
Why “Simplified” PCI Compliance Got More Complicated for E-Commerce Merchants
Before PCI DSS 4.0, SAQ A was the path of least resistance for any small e-commerce merchant who fully outsourced their payment page. The questionnaire was short, the requirements were minimal, and the assessment took an afternoon.
Under v4.0.1, SAQ A is still the simplified path — but “simplified” no longer means “minimal.” The eligibility criteria changed (some merchants who qualified for SAQ A in 2023 don’t qualify in 2026). The questionnaire now includes payment page security questions that didn’t exist in the v3.2.1 version. Quarterly ASV scans are required where they previously weren’t. Script integrity monitoring is now in scope where it previously wasn’t.
For most small e-commerce merchants, this is manageable — but it requires actual confirmation from your payment provider rather than an assumption that “Stripe handles all of that.” The PCI SSC’s FAQ 1588 from March 2025 made this explicit: an iframe-based payment integration does not automatically shift compliance responsibility to the payment provider. The merchant must either perform the security controls themselves or obtain documented attestation that the provider is performing them.
The practical implication: ask your payment processor or gateway provider for their PCI DSS v4.0.1 Attestation of Compliance (AOC), and verify in writing which specific requirements they handle on your behalf. Two providers may both claim to “handle PCI compliance” while drawing the line in very different places.
What Happens If You Don’t Comply — And What Your Processor Doesn’t Tell You
PCI DSS is not a government regulation. There is no PCI police agency that audits small merchants. PCI DSS 4.0 compliance is enforced through contractual obligations between the major card networks (Visa, Mastercard, Discover, American Express), the acquiring banks, and the payment processors. For a small merchant, enforcement happens through the processor.
The penalties for non-compliance fall into two categories:
Monthly non-compliance fees. If your annual SAQ is not on file with your processor, most processors charge a PCI non-compliance fee — typically $20 to $50 per month, but some processors charge significantly more. This fee is industry-standard and continues until the SAQ is completed and submitted. The fee is profit for the processor; it is not paid to PCI SSC or the card networks. For more on how this fee works and how to eliminate it, see “Why You’re Probably Paying a PCI Non-Compliance Fine Right Now.”
Breach-related penalties. If a card data breach occurs and your business is found to have been non-compliant at the time, the card networks can levy fines through your acquiring bank. These fines historically range from $5,000 to $100,000 per month of non-compliance, plus per-record costs ($50–$90 per compromised card record). These penalties are rare for small merchants because they require an actual breach to trigger — but they are also financially catastrophic when they apply. The Verizon Payment Security Report has historically shown that fewer than half of organizations maintain full compliance after their initial validation, which is the real risk surface.
For most small merchants, the practical concern is the monthly non-compliance fee rather than breach penalties. Completing your SAQ correctly and on time eliminates the recurring fee and demonstrates the documentation needed if a breach ever occurs.
The Five-Item Checklist for Small Merchants
If you have not formally re-validated PCI compliance under v4.0.1, the following five items are worth confirming with your processor before your next assessment cycle:
1. Confirm which SAQ form applies. SAQ A, SAQ A-EP, SAQ B, SAQ C, SAQ C-VT, SAQ D-Merchant, or SAQ P2PE. The form depends on how you accept payments. If your processor still has you on the same SAQ form you used in 2023, ask them to confirm it remains correct under v4.0.1.
2. Get each provider’s v4.0.1 Attestation of Compliance. Your payment processor, gateway, and any third-party service provider that touches cardholder data must provide a current AOC under v4.0.1. Request these in writing and verify the version on each document.
3. Verify ASV scanning. If you have an e-commerce site, quarterly ASV scans are required. Either you or your provider must perform them. Ask which one and request the most recent scan report.
4. Audit access controls. 12-character passwords, MFA on all CDE access, and documented account inventories are now baseline. Most POS and gateway admin panels have these controls available — they may need to be enabled.
5. Document everything. Network diagrams of your CDE, employee training logs, screenshots of password and MFA settings, encryption key management procedures, and copies of provider AOCs. Documentation is half of v4.0.1 compliance — assessors expect to see proof, not attestation.
Frequently Asked Questions
PCI DSS v4.0.1, released June 2024. v3.2.1 was retired March 31, 2024, and v4.0.1 became the only valid version on December 31, 2024 — any merchant completing an SAQ or Report on Compliance in 2026 is assessed under it. The substantive obligations come from PCI DSS 4.0; v4.0.1 corrected formatting and clarified wording but added or removed no requirements. The 4.0 SAQ your processor sent in 2026 is materially different from the 2023 form: more specific questions, deeper documentation, and several controls that were optional under v3.2.1 are now required.
Five PCI DSS 4.0 changes show up on small-merchant questionnaires. Twelve-character minimum passwords on systems handling cardholder data (up from seven), with eight-character + MFA fallback where twelve isn’t supported. MFA required for all access to the Cardholder Data Environment, not just administrators. Quarterly ASV scans now required for SAQ A e-commerce merchants. Script integrity monitoring on payment pages, addressing client-side skimming. Documented account and access inventories, maintained as part of the assessment record. Most coverage focuses on enterprise obligations like penetration testing; these five are what actually appears on a small merchant’s 4.0 SAQ.
No, and PCI DSS 4.0 made this explicit. PCI SSC FAQ 1588 (March 2025) confirmed an iframe-based payment integration does not automatically shift compliance responsibility to the payment provider. The merchant must either perform the controls or obtain documented attestation that the provider does. The practical step: ask your provider for their current PCI DSS 4.0 Attestation of Compliance, in writing, with the version on the document. If they can’t provide an AOC under v4.0.1, you’re on the hook for those controls yourself.
PCI DSS isn’t a government regulation — there’s no PCI police auditing small merchants. Enforcement runs through contracts between the card networks, acquiring banks, and processors, and penalties fall into two categories. Monthly non-compliance fees: most processors charge $20 to $50 per month (some more) when an annual SAQ isn’t on file — profit for the processor, continuing until the SAQ is completed. Breach-related penalties: if a breach occurs and the business is non-compliant at the time, the networks can levy fines through the acquiring bank, historically $5,000 to $100,000 per month of non-compliance plus per-card forensic costs. The first is the immediate pain; the second is the catastrophic risk.
Confirm which SAQ form applies — A, A-EP, B, C, C-VT, D-Merchant, or P2PE depending on how you accept payments; if your processor still has you on the 2023 form, ask them to confirm it’s still correct under v4.0.1. Get each provider’s v4.0.1 Attestation of Compliance in writing — processor, gateway, and any third party touching cardholder data. Verify ASV scanning if you have an e-commerce site (quarterly scans required). Audit access controls — 12-character passwords, MFA on all CDE access, and documented account inventories are now baseline. Document everything in writing with version numbers and dates, not on a single laptop or held verbally.
Not Sure Where Your Business Stands Under PCI DSS v4.0.1? We Will Tell You.
Send us your most recent processing statement. We will identify which SAQ form applies to your business, flag any PCI-related fees on your statement that look out of range, and confirm whether your processor’s documentation reflects current v4.0.1 attestation. The review takes 1-2 business days and produces a clear summary you can use to direct conversations with your processor.