PCI DSS 4.0.1 migration deadline 2026 — what changes
- PCI DSS 4.0.1 is the current version; v3.2.1 is fully retired. Future-dated requirements activated March 31, 2025.
- Most e-commerce operators fall under SAQ A or SAQ A-EP with new requirements around script integrity (Req 6.4.3) and HTTP headers.
- If you are still operating to 3.2.1 practices, you are non-compliant and exposed — assessors are flagging this now.
PCI DSS 4.0 was released in March 2022 with a transition window through March 31, 2024 for the core standard and March 31, 2025 for future-dated requirements. PCI DSS 4.0.1 (a minor update) was released in mid-2024. As of 2026, 4.0.1 is the standard in force and every merchant handling cardholder data should be compliant with it. Many are not.
Here is what changed, what the 2026 enforcement landscape looks like, and what to do if you are behind.
1. What changed in 4.0 and 4.0.1
(a) Customized approach — requirements can be met via alternative controls if the defined approach does not fit.
(b) Expanded focus on e-commerce skimming (Magecart-style attacks).
(c) Requirement 6.4.3 — authorize and verify each script loaded on checkout pages.
(d) Requirement 11.6.1 — change detection and alerting on HTTP headers and script content on checkout.
(e) Multi-factor authentication required for all access into the cardholder data environment.
(f) Password requirements updated to 12+ characters.
(g) Additional requirements around risk analysis, targeted risk analysis, and documented policies.
2. The dates that actually matter
March 31, 2024: PCI DSS v3.2.1 retired. 4.0 became the required standard for all assessments.
March 31, 2025: Future-dated requirements (6.4.3, 11.6.1, and others) become mandatory.
2026 onward: Full compliance expected. QSAs and self-assessments must attest to 4.0.1 compliance.
3. SAQ A changes for e-commerce
SAQ A is the short form for merchants that fully outsource card data handling. Previously ~20 questions; now expanded with new requirements around iframe security and script integrity. If you use Stripe Checkout, Shopify Payments, or similar hosted redirect, you are still SAQ A but with more controls.
4. SAQ A-EP changes
SAQ A-EP applies when merchants have checkout pages that include third-party payment scripts (e.g., Stripe Elements on your own domain). New Req 6.4.3 and 11.6.1 most directly apply here. Implementation means: inventory every script on your checkout page, authorize each one, monitor for changes, alert on unauthorized changes.
5. Req 6.4.3 — script authorization
Maintain a list of all scripts loaded on payment pages. For each: what it does, why it is required, who authorized it. This is a document, updated quarterly. Implementations range from spreadsheet to tools like Feroot PaymentGuard or Source Defense.
6. Req 11.6.1 — integrity monitoring
Detect changes to scripts and HTTP security headers on checkout pages. Can be done with SRI (Subresource Integrity) attributes + monitoring, or dedicated tools. Manual review every 7 days at minimum.
7. MFA requirements
All access to the cardholder data environment requires MFA. Admin access to processor dashboards, hosting accounts, database servers — all MFA. Password-only is non-compliant.
8. The customized approach
4.0 allows alternative controls if a documented risk analysis justifies them. For example, if you cannot implement a specific technical control, you can document a compensating control and the residual risk. Requires QSA review if you are Level 1-2.
9. Level determination
Still based on annual transaction volume: Level 1, more than 6M transactions; Level 2, 1-6M; Level 3, 20k-1M e-commerce transactions; Level 4, fewer than 20k e-commerce transactions. Level 1 requires a QSA audit; Levels 2-4 typically self-assess via SAQ.
10. The 2026 enforcement reality
Acquirers audit annual compliance attestations. Non-compliance results in PCI non-compliance fees ($20-50/month), increased liability for breach, and eventually termination. Large acquirers are now auditing 4.0.1 specifically — operators on stale 3.2.1 SAQs are getting flagged.
11. What to do if behind
- Determine current level and SAQ type.
- Pull current attestation; see if 4.0.1 was addressed.
- Inventory scripts on payment pages (Req 6.4.3).
- Implement change monitoring (Req 11.6.1) via SRI + alerting or tool.
- Audit MFA on all admin access.
- Update password policies.
- Re-attest via SAQ or QSA.
12. Multi-brand scoping
Each brand is typically its own SAQ scope. Shared CDE infrastructure can sometimes be collectively scoped — saves work but increases blast radius of a breach. Multi-brand operators benefit from clear scope diagrams. See PCI scope reduction.
Implementation cost
For an SAQ A e-commerce operator: $0-$500/year if you self-assess with basic tools. For SAQ A-EP with full monitoring: $2-15k/year for tool + attestation. For a Level 1 QSA audit: $30-100k depending on scope.
What happens if breached and non-compliant
PCI fines of $50-500 per exposed account + forensic audit costs + acquirer penalties + potential chargeback volume. Being non-compliant at the time of a breach eliminates safe harbor. The math works against stale compliance.
Where to start
If you have not looked at PCI since 2023, start with a script inventory on your checkout page this week. That is the foundation of Req 6.4.3. Everything else layers from there. See PCI multi-merchant, PCI compliance for merchants, pricing, or apply for a PCI scope audit.
13. Script inventory practical execution
Open your checkout page source. List every script tag, every inline script, every third-party integration (Stripe Elements, Google Tag Manager, analytics, live chat, A/B testing). For each: document purpose, owner, business justification, and authorization date. Review quarterly. This document is Req 6.4.3 attestation material.
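As an added example (not code from this page or from any vendor tool), the following Python script enumerates the script tags in a saved copy of the checkout page and diffs them against the authorized inventory described in sections 5 and 13. The inventory entries, hostnames and page HTML are constructed; inline scripts are pinned by sha384 hash so an edited inline block shows up as unauthorized.

```python
import base64
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # bodies of inline <script> blocks
        self._buf = None     # non-None while inside an inline script

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def sri_hash(body: str) -> str:
    """Pin an inline script by its sha384 digest, in the notation SRI and CSP use."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body.encode()).digest()).decode()

def audit_scripts(html: str, inventory: dict) -> dict:
    """Scripts on the page with no inventory entry, and entries no longer on the page."""
    parser = ScriptCollector()
    parser.feed(html)
    found = set(parser.external) | {sri_hash(body) for body in parser.inline}
    return {"unauthorized": sorted(found - set(inventory)),
            "stale": sorted(set(inventory) - found)}
# Constructed sample: a hypothetical inventory, and a checkout page where an unapproved chat widget appeared while a retired analytics script is still listed.
INVENTORY = {
    "https://js.stripe.com/v3/": {"purpose": "card entry", "owner": "payments", "authorized": "2025-04-01"},
    sri_hash("window.dataLayer=[];"): {"purpose": "GTM bootstrap", "owner": "marketing", "authorized": "2025-04-01"},
    "https://old-analytics.invalid/a.js": {"purpose": "analytics", "owner": "marketing", "authorized": "2024-01-15"},
}
CHECKOUT_HTML = """<script src="https://js.stripe.com/v3/"></script>
<script>window.dataLayer=[];</script>
<script src="https://cdn.chat-widget.invalid/widget.js"></script>"""
```

Both lists are review findings: an unauthorized entry needs an owner and a justification (or removal) before the next attestation, and a stale entry is an authorization that should be retired from the document.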
14. Subresource Integrity (SRI) implementation
SRI attributes on third-party scripts mean the browser verifies the script content against a known hash. Tampered scripts do not load. Good partial solution to Req 11.6.1 for static third-party resources. Limitation: dynamically updated scripts (Google Tag Manager, Optimizely) cannot use SRI easily. Supplement with monitoring tools for those.
15. HTTP security headers checklist
Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy. CSP is the most complex and most important for Req 11.6.1. Monitor headers for unauthorized change; alert on drift.
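As an added example (not code from this page or from any monitoring product), the following Python check implements the Req 11.6.1 review loop from sections 6, 14 and 15: it compares the observed checkout response headers and fetched script bytes against an approved baseline and reports drift. The baseline values, hostnames and script bodies are constructed, and fetching the live page is left to the caller.

```python
import base64
import hashlib
def sri_of(content: bytes) -> str:
    """sha384 digest in SRI notation, i.e. the value a script's integrity attribute carries."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

def header_drift(baseline: dict, observed: dict) -> list:
    """Flag baseline security headers that are missing or changed in the observed response."""
    obs = {k.lower(): v for k, v in observed.items()}   # header names are case-insensitive
    events = []
    for name, expected in baseline.items():
        if name not in obs:
            events.append(f"MISSING {name}")
        elif obs[name] != expected:
            events.append(f"CHANGED {name}: {obs[name]!r}")
    return events

def script_drift(baseline: dict, observed: dict) -> list:
    """baseline maps script URL -> pinned hash; observed maps URL -> fetched bytes."""
    events = []
    for url, content in observed.items():
        pinned = baseline.get(url)
        if pinned is None:
            events.append(f"NEW SCRIPT {url}")
        elif sri_of(content) != pinned:
            events.append(f"MODIFIED {url}")
    events += [f"REMOVED {url}" for url in baseline if url not in observed]
    return events

def check_checkout(baseline: dict, headers: dict, scripts: dict) -> list:
    """One review run (weekly at minimum); an empty list means no drift from the approved baseline."""
    return header_drift(baseline["headers"], headers) + script_drift(baseline["scripts"], scripts)

# Constructed baseline recorded at the last approved review (hypothetical values).
STRIPE_STUB = b"/* constructed stand-in for the approved third-party script body */"
BASELINE = {
    "headers": {
        "content-security-policy": "default-src 'self'; script-src 'self' https://js.stripe.com",
        "strict-transport-security": "max-age=31536000; includeSubDomains",
        "x-frame-options": "DENY",
    },
    "scripts": {"https://js.stripe.com/v3/": sri_of(STRIPE_STUB)},
}
# Constructed observation: CSP widened to an unknown host, X-Frame-Options gone, a new script.
OBSERVED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.stripe.com https://cdn.unknown.invalid",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
OBSERVED_SCRIPTS = {"https://js.stripe.com/v3/": STRIPE_STUB, "https://cdn.unknown.invalid/s.js": b"/* constructed unapproved script */"}
```

Route a non-empty result to alerting; for scripts that change by design (tag managers), re-approve the pin through the inventory process rather than updating the baseline automatically.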
16. QSA selection for Level 1
PCI QSAs range from boutique (Coalfire, NetSPI, TrustedSec) to larger consultancies. For mid-market Level 1, boutique often delivers better assessor-merchant fit. Budget $30-80k for a Level 1 PCI assessment including remediation support.