The 31 March 2025 deadline for the future-dated v4.0 requirements has passed (v4.0.1, the revision now in force, clarified wording but did not change the requirements), yet many merchants still have not addressed the requirements that changed the most. Here is where the gaps usually are.
What Changed Most Significantly
PCI DSS v4.0 introduced a 'customised approach' alongside the traditional prescriptive 'defined approach': an organisation can meet the stated objective of a requirement with controls of its own design, but it must document the control, perform a targeted risk analysis for it, test it, and show the assessor that it meets the objective. This is distinct from compensating controls, which still exist for the case where a defined requirement cannot be met for a documented technical or business reason. It sounds like more flexibility; in practice it requires considerably more documentation and internal assessment rigour. The other major shift is the expanded scope of multi-factor authentication (MFA): Requirement 8.4.2 in v4.0 requires MFA for all access into the cardholder data environment, not just administrative access.
The Web Application and API Requirements
Requirements 6.4.2, 6.4.3 and 11.6.1 in v4.0 expanded web application security requirements significantly, and all three were future-dated to 31 March 2025. They are cumulative, not alternatives. 6.4.2 removes the old either/or of v3.2.1: every public-facing web application must have an automated technical solution (in practice a WAF) that continually detects and prevents web-based attacks; periodic application vulnerability testing no longer substitutes for it. 6.4.3 requires that every script loaded and executed in the consumer's browser on a payment page is authorised, carried in an inventory with a written business justification, and has its integrity assured. 11.6.1 requires a change- and tamper-detection mechanism that alerts on unauthorised modification to the HTTP headers and script contents of payment pages as received by the consumer browser, run at least once every seven days or at a frequency set by targeted risk analysis. The script inventory and integrity requirements catch most organisations unprepared, because the scripts in question are usually supplied by third parties (payment gateways, tag managers, fraud and analytics tooling) that the merchant does not control. Content Security Policy headers and Subresource Integrity attributes are the usual technical starting point, with a caveat a practitioner should know: CSP limits which origins may supply scripts but does not verify their content, and SRI only works for scripts whose bytes are static, so a third-party script that its vendor updates in place will fail its SRI check (and stop loading) the next time it changes. Those scripts still have to be in the inventory and covered by a monitoring mechanism that fetches the page and its scripts as a browser would and alerts on change.
The Targeted Risk Analysis Requirement
v4.0 introduced a targeted risk analysis requirement (12.3.1) for several controls where the frequency of an activity was previously prescriptive or left to the organisation's own judgement: periodic log review of systems outside the critical set, periodic malware scans, how quickly lower-ranked vulnerabilities are addressed, and the payment page tamper-detection frequency under 11.6.1, among others. Organisations must now document a risk analysis that identifies the assets and threats involved, the factors that affect likelihood and impact, and the frequency that follows from them, and must review that analysis at least once every 12 months. This is more flexible than 'weekly scans required', but it requires a written, defensible rationale that a QSA can validate. Organisations that have not updated their risk analysis documentation since v3.2.1 will have gaps here.
What Assessors Are Actually Focusing On
Based on 2025 assessments, QSAs are most frequently finding gaps in three areas: MFA completeness (especially for system and database administrators who previously used privileged access without MFA, and for non-administrative users who now fall under 8.4.2), script inventory and monitoring for e-commerce payment pages, and documentation quality, in particular system configuration standards and network segmentation evidence. The documentation expectations in v4.0 are materially higher than in v3.2.1; organisations that operated well informally will need to formalise the evidence.
- MFA is now required for all CDE access, not just administrative — verify coverage for system and database administrators
- Payment page script inventory and integrity monitoring (Requirements 6.4.3 and 11.6.1; CSP headers and SRI attributes are the starting point, not the whole control) is a new requirement most e-commerce merchants have not implemented
- Targeted risk analysis documentation is now required for several controls — frequency justifications must be written and defensible
- QSAs in 2025 focused most on MFA completeness, script monitoring, and documentation quality