PCI DSS v4.0.1 Is Live. Has Your Program Actually Held Up?

When the PCI Security Standards Council set 31 March 2025 as the date its “future-dated” requirements became mandatory, most compliance teams treated it as a finish line. Hit the date, validate against v4.0.1, move on. More than a year later, that framing looks like a mistake. The deadline wasn’t a finish line — it was the point at which a much harder set of controls became permanent, assessable, and unforgiving.

For anyone responsible for payment-card compliance, the relevant question is no longer “will we make the deadline?” It’s “now that these requirements are being assessed in earnest, is our program standing up to them — or did we paper over the gaps to get through one cycle?”

A quick reset on what changed

PCI DSS v4.0 was the first major revision of the standard in over a decade. Of the requirements it introduced, 51 were future-dated, meaning organisations had a transition window before they became mandatory. That window closed on 31 March 2025. v4.0.1, released in mid-2024, was a limited revision — clarifications and corrections, not new obligations. It did not move the deadline, and it remains the version every assessment is now conducted against.

The practical effect is that a long list of controls that used to be “best practice” is now simply required, with no grace period left to lean on.

The requirements that are quietly causing the most pain

In our assessment work, four areas come up repeatedly as the ones organisations underestimated.

Payment-page script controls (Requirements 6.4.3 and 11.6.1). These target e-commerce skimming — the class of attack where malicious JavaScript is injected into a checkout page to harvest card data. The standard now expects you to inventory and authorise every script that runs on your payment page, and to monitor for unauthorised changes to the page and its HTTP headers. This sounds modest until you try to do it across a real estate of third-party tags, analytics, and marketing scripts that nobody has fully mapped. The PCI SSC itself acknowledged these were among the hardest requirements for stakeholders to implement and issued dedicated guidance for them. If your answer to “what scripts run on your checkout page?” is a shrug, this is your first project.
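To make the two halves of that requirement concrete, here is an added example of the kind of check a payment-page tamper-detection job performs. It is not Locked Stack code and not part of any PCI SSC guidance; the script inventory, the SRI hash, the checkout page and the HTTP headers are all constructed placeholders. The first half (Requirement 6.4.3) is the inventory: every authorised script with its approver, its justification and how its integrity is pinned (an SRI hash for external files, a SHA-256 of the text for inline scripts). The second half (Requirement 11.6.1) is the detection: parse the page as actually served, flag any script that is not on the inventory or whose integrity value has drifted, and compare the response headers (notably Content-Security-Policy) against a baseline. In production the page and headers would come from a fetch of the live checkout URL, run at the frequency your TRA justifies; here they are embedded so the example runs offline.

```python
"""Payment-page script inventory and tamper check (constructed example, not production code)."""
import hashlib
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional


@dataclass
class ScriptRef:
    src: Optional[str]          # external URL, or None for an inline script
    integrity: Optional[str]    # value of the SRI integrity attribute, if present
    body_sha256: Optional[str]  # SHA-256 of the inline script text, if inline


class _ScriptCollector(HTMLParser):
    """Collect every <script> element on the page, external or inline."""

    def __init__(self):
        super().__init__()
        self.scripts: list[ScriptRef] = []
        self._current: Optional[dict] = None
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = dict(attrs)
            self._buf = []

    def handle_data(self, data):
        if self._current is not None:   # text inside a <script> element
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            body = "".join(self._buf).strip()
            src = self._current.get("src")
            self.scripts.append(ScriptRef(
                src=src,
                integrity=self._current.get("integrity"),
                body_sha256=hashlib.sha256(body.encode()).hexdigest() if src is None else None,
            ))
            self._current = None
            self._buf = []


def extract_scripts(html: str) -> list[ScriptRef]:
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.scripts


# Constructed inventory (Req. 6.4.3): who approved each script, why it is there, and its pinned integrity.
# Inline scripts are keyed by the SHA-256 of their authorised text.
INVENTORY = {
    "https://cdn.psp.example/checkout/v3.js": {
        "approver": "payments-eng", "justification": "PSP hosted card fields",
        "integrity": "sha384-PLACEHOLDER-sri-hash",   # placeholder, not a real digest
    },
    "inline:" + hashlib.sha256(b'window.checkoutConfig = {"currency": "GBP"};').hexdigest(): {
        "approver": "payments-eng", "justification": "checkout config bootstrap",
    },
}

# Constructed header baseline (Req. 11.6.1): the headers the payment page is expected to be served with.
HEADER_BASELINE = {
    "content-security-policy": "script-src 'self' https://cdn.psp.example",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
}


def audit_scripts(scripts: list[ScriptRef], inventory: dict) -> list[str]:
    """Flag scripts that are not on the inventory or whose pinned integrity no longer matches."""
    findings = []
    for s in scripts:
        if s.src is not None:
            entry = inventory.get(s.src)
            if entry is None:
                findings.append(f"UNAUTHORISED external script: {s.src}")
            elif s.integrity != entry.get("integrity"):
                findings.append(f"SRI mismatch for {s.src}: page has {s.integrity!r}, "
                                f"inventory expects {entry.get('integrity')!r}")
        elif "inline:" + s.body_sha256 not in inventory:
            findings.append(f"UNAUTHORISED inline script (sha256 {s.body_sha256[:16]}...)")
    return findings


def audit_headers(observed: dict, baseline: dict) -> list[str]:
    """Flag baseline headers that are missing from, or changed in, the observed response."""
    findings = []
    observed = {k.lower(): v for k, v in observed.items()}
    for name, expected in baseline.items():
        actual = observed.get(name)
        if actual is None:
            findings.append(f"MISSING header {name}")
        elif actual != expected:
            findings.append(f"CHANGED header {name}: {actual!r} != baseline {expected!r}")
    return findings


# Constructed checkout page and response headers: an unmapped analytics tag has appeared, and the CSP
# has been widened to let it load. A real job would fetch these from the live payment page.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.psp.example/checkout/v3.js" integrity="sha384-PLACEHOLDER-sri-hash" crossorigin="anonymous"></script>
<script>window.checkoutConfig = {"currency": "GBP"};</script>
<script src="https://tags.analytics.example/tag.js"></script>
</head><body><form id="card"></form></body></html>"""

SAMPLE_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://cdn.psp.example https://tags.analytics.example",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}


def run_check(html: str = SAMPLE_PAGE, headers: dict = SAMPLE_HEADERS) -> list[str]:
    """Return all script and header findings for one observation of the payment page."""
    return audit_scripts(extract_scripts(html), INVENTORY) + audit_headers(headers, HEADER_BASELINE)


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

Against the constructed page the job reports two findings: the analytics tag that nobody added to the inventory, and the Content-Security-Policy that was loosened to accommodate it. Both are exactly the signals an assessor expects a Requirement 11.6.1 mechanism to raise, and the inventory dictionary is the artefact they will ask to see for 6.4.3. Note that the inline-script hash deliberately treats any edit to the bootstrap config as unauthorised: an inline script is where injected skimmer code most often lands, so "changed" and "not approved" are the same finding.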

Multi-factor authentication, expanded. MFA is no longer limited to administrative access. It now applies to all access into the cardholder data environment. For organisations that had MFA on the perimeter but soft authentication internally, this is a meaningful re-architecture, not a checkbox.

Targeted Risk Analysis (TRA). Several controls no longer come with a fixed frequency baked into the standard. Instead, you’re expected to perform a documented risk analysis to justify how often you do them. This is a genuine philosophical shift: the standard is asking you to think, document your reasoning, and defend it — rather than follow a number someone else chose. Assessors will ask to see the analysis, not just the activity.

Stronger authentication and password standards. Length and complexity expectations rose, and the rules around how authentication factors are handled tightened. Individually small; collectively, enough to trip up an environment that hadn’t been touched in a few years.

Why “we passed last year” isn’t the reassurance it sounds like

The risk we see most often is the organisation that treated 2025 validation as a one-time scramble. They stood up controls quickly, gathered enough evidence to satisfy a single assessment, and then let the operational discipline slip.

PCI DSS v4.0.1 is built to expose exactly that. The TRA requirement, the emphasis on continuous monitoring of payment pages, and the broadened scope of authentication all assume these are living processes, not annual events. An assessor looking at a TRA from fourteen months ago that has never been revisited is entitled to ask whether your risk posture has actually changed since — and whether anyone is paying attention.

Compliance, in other words, has shifted from a periodic state you achieve to a posture you maintain. The standard now rewards organisations that operationalise these controls and quietly penalises those who treat each assessment as a fresh fire drill.

What a Head of Compliance should be checking now

If you want a short diagnostic to run against your own program, start here:

  • Script inventory. Can you produce, today, a current list of every script authorised to run on your payment pages, with a record of who approved each one and how you’d detect an unauthorised change?
  • MFA coverage. Is multi-factor authentication enforced on all access into the CDE, including internal and non-administrative paths — or only at the edge?
  • Live TRAs. Do you have documented, current Targeted Risk Analyses for the controls that require them, and have they been reviewed since the last assessment?
  • Evidence as a habit. Is your compliance evidence being generated continuously as a by-product of operations, or assembled in a panic before each assessment?
  • Ownership. Is there a named owner for each future-dated requirement, or did responsibility evaporate once the 2025 deadline passed?

If any of those questions produces hesitation, that hesitation is the finding. Better you surface it now, on your own terms, than have an assessor surface it for you.

The honest takeaway

PCI DSS v4.0.1 didn’t make compliance harder for the sake of it. The future-dated requirements map closely to the threats that are actually causing breaches — e-commerce skimming, weak authentication, and controls run on autopilot at the wrong frequency. The organisations that will fare best aren’t the ones that hit the March 2025 date. They’re the ones that used it as the start of a sustainable program rather than the end of a project.

If you’re not certain which of those describes your organisation, that uncertainty is worth resolving before your next assessment cycle does it for you.


Locked Stack is a certified PCI DSS QSA company providing payment-security and compliance advisory across the UK, Europe, and North America. If you’d like a candid review of where your v4.0.1 program stands, we’re happy to talk it through.