PCI DSS 4.0: Compliance Without Slowing Core Modernization

On March 31, 2025, PCI DSS stopped being a list you review once a year. It's now a way of operating every day.

For any institution that processes, stores, or transmits cardholder data—bank, fintech, credit union—that date marked the moment version 4.0.1 of the standard became fully mandatory. And the counterintuitive good news is this: complying with it and modernizing your core aren't competing goals. Done right, they're the same project.

What changed, in order

The timeline is worth getting straight, because there's version confusion:

• March 2022: PCI DSS v4.0 is published, the first major revision in over a decade, according to the PCI Security Standards Council.

• June 2024: v4.0.1 appears, a limited revision—it corrects wording and clarifies intent, without adding or removing requirements, as the PCI SSC itself confirmed.

• March 31, 2024: v3.2.1 is retired, per the PCI SSC.

• December 31, 2024: v4.0.1 becomes the sole active version, according to the PCI SSC announcement.

• March 31, 2025: the "future-dated" requirements, best practices until then, become mandatory; of the 64 new requirements, 51 took effect on that date.

If your last assessment was against 3.2.1, you're not compliant today.

The deeper shift: from checklist to continuous

Beyond the specific controls, 4.0 brought a change in philosophy. Security stops being an annual audit effort and becomes "business as usual": evidence throughout the year that controls work, not a snapshot on assessment day. Add to that the "customized approach," the standard's most important novelty: alongside the usual prescriptive method, you can now meet each requirement's security objective with your own technical controls—if you document how you achieve it—a move from once-a-year audits toward continuous monitoring and risk analysis.

The controls with the most impact for a financial institution:

• Stronger authentication. Phishing-resistant MFA for administrative and cardholder-data-environment access, passwords of at least 12 characters, and MFA for all CDE access—not just administrators'.

• Skimming-proof payment pages. Every script running on a payment page must be inventoried, authorized, and integrity-monitored to alert on unauthorized changes, reviewed at least every seven days (requirements 6.4.3 and 11.6.1). It's the direct answer to Magecart-style attacks.

• Authenticated internal scanning and automated log review. Manual review is over: automation and targeted risk analyses that define frequencies are required.

Why your core decides how much it hurts

Here's the intersection with modernization, and where many institutions miss the connection. The cost and pain of PCI DSS compliance depend less on the standard and more on the architecture you run on.

A legacy, monolithic core, where cardholder data is scattered across the whole system, turns each requirement into a nightmare: the scope (the "CDE," the cardholder data environment) covers half the bank, segmentation is fragile, and every audit is a race against the clock.

A modern core does the opposite. With real network segmentation, scope shrinks to a bounded, verifiable slice. With API-first architecture and tokenization, sensitive data stops touching systems that don't need it—and the most effective PCI strategy is still exactly that: reduce the amount of card data in your environment, not armor every corner. With MFA, monitoring, and logging automated out of the box, continuous compliance stops being a project and becomes a property of the system.

Put simply: modernizing the core well is, to a large extent, complying with PCI by design.

How we approach it at WAU

At WAU we treat compliance as an architectural requirement, not an afterthought. We design cores with segmentation, tokenization, and automated controls that reduce PCI scope and turn the annual assessment into continuous evidence. Modernization doesn't move you away from compliance—it moves you toward it.

If you need to close the 4.0.1 gap and prefer to do it by modernizing rather than patching, let's talk. We'll help you align security and architecture in a single plan. 👉 Book a conversation with our team.

Sources

• PCI Security Standards Council — Now is the Time to Adopt the Future-Dated Requirements of PCI DSS v4.x (v4.0 Mar 2022; v3.2.1 retired Mar 31 2024; 51 of 64 requirements mandatory from Mar 31 2025)

• PCI Security Standards Council — Just Published: PCI DSS v4.0.1 (Jun 2024; limited revision, no new/deleted requirements; sole active version after Dec 31 2024)

• ClearlyPayments — PCI DSS 4.0: Facts and Compliance Insights (v4.0 Mar 2022; customized approach; from annual audits to continuous monitoring, 2025)

• HYPR — PCI DSS 4.0 Authentication Requirements: phishing-resistant MFA and 12-character passwords (2024)

• Foregenix — Introduction of new requirements 6.4.3 and 11.6.1 for PCI DSS v4.0 (payment-page scripts, ≥every 7 days, anti-Magecart)