If your business processes payment card data, you’ve likely been working on transitioning from PCI DSS v3.2.1 to PCI DSS v4.x—but the work isn’t over yet. While the initial readiness deadline for PCI DSS v4.0 was March 31, 2024, many of the most critical security changes were future-dated—giving businesses an extra year to prepare.
That grace period is coming to an end. On April 1, 2025, all the future-dated requirements—or FDRs—will become mandatory. Organizations that fail to implement these new requirements risk failing compliance assessments, facing increased scrutiny, and leaving themselves open to evolving threats.
The good news?
You still have time to ensure you’re prepared. But you need to act now.
What are PCI DSS v4.x FDRs?
The FDRs were introduced as part of PCI DSS v4.0 to give organizations additional time to implement the most significant changes. These requirements were not enforced when PCI DSS v4.0 was published in March 2022; instead they were designated as "best practices" until March 31, 2025, after which they become mandatory.
Why the delay? Many of these requirements involve significant operational and technical changes, and organizations needed time to assess their compliance gaps, invest in new security measures, and work with their Qualified Security Assessors (QSAs) to ensure implementation aligned with requirements for successful compliance.
Now, the deadline is quickly approaching, and the FDRs are about to shift from optional best practices to mandatory requirements.
Here’s what’s at stake:
Stronger technical security controls: New requirements include enhancing multi-factor authentication (MFA), e-commerce security, and authenticated internal vulnerability scanning.
Tailored risk management: Businesses must perform targeted risk analyses (TRAs) to determine, and justify, how often certain periodic security activities are performed.
Inventory, management, and review requirements: FDRs require businesses to have a more detailed record and a greater understanding of the status of their environment.
The Consequences of Not Implementing Requirements by the Deadline
Organizations that don’t take PCI DSS v4.x compliance seriously face significant risks.
Increased Vulnerability and Data Breaches: Many of the new requirements address real-world threats, including Magecart attacks, phishing, and unauthorized access. Failure to comply increases the likelihood of a security breach.
Non-Compliance with the PCI DSS: Businesses that do not have the applicable FDRs in place by the deadline will be non-compliant and may not pass their next compliance assessment. This can lead to reputational damage and increased scrutiny from acquirers, payment brands and, where applicable, regulators.
Breaking Down the Most Critical New Requirements
While PCI DSS v4.x introduces many updates, these are some of the most critical FDRs that become mandatory from April 1, 2025:
- Expanded Multi-Factor Authentication (MFA) (Requirement 8.4.2)
Under PCI DSS v3.2.1, MFA was required only for non-console administrative access into the Cardholder Data Environment (CDE) and for remote network access originating from outside the entity's network. Under PCI DSS v4.x, MFA must be used for all non-console access into the CDE by personnel, whether to applications, systems, or network devices, not just for administrators.
- E-commerce Security Enhancements (Requirements 6.4.3 & 11.6.1)
New e-commerce requirements are designed to protect against digital skimming attacks (e.g., Magecart and formjacking). They require businesses to:
  - Maintain an inventory of every script loaded and executed on payment pages, with a written business or technical justification for each, and implement a method to confirm that each script is authorized and a method to assure its integrity (6.4.3).
  - Deploy a change- and tamper-detection mechanism that alerts personnel to unauthorized modifications (additions, changes, deletions and indicators of compromise) to the HTTP headers and content of payment pages as received by the consumer browser, evaluated at least once every seven days or at a frequency set by a TRA (11.6.1).
- Authenticated Internal Vulnerability Scanning (Requirement 11.3.1.2)
Organizations must now run their internal vulnerability scans with credentials (authenticated scanning) so the scanner can see installed software, patch levels and host configuration, closing the blind spots that unauthenticated scans miss. Systems that cannot accept scanner credentials must be documented, and any scanning account that can be used for interactive login must be managed in accordance with Requirement 8.
- Targeted Risk Analysis (TRA) (Requirement 12.3.1)
Where a requirement says only that an activity must be performed "periodically", organizations can no longer rely on an arbitrary fixed schedule: they must perform a targeted risk analysis to define and justify how often specific security measures, such as log reviews for lower-risk systems, inspections of card-reading devices, and malware scans, are performed, and review that analysis at least once every 12 months.
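To make the 6.4.3 and 11.6.1 items above concrete, here is an added example (not code from the original article or from the PCI SSC) of the two checks a practitioner would build: a script inventory with expected integrity hashes and justifications, and a change detector that compares a captured payment page and its security headers against that baseline. It assumes you can capture the page and response headers exactly as a consumer browser receives them; the HTML, headers, hostnames and file contents below are constructed sample data.

```python
"""Payment-page script inventory and tamper check (PCI DSS v4.x 6.4.3 / 11.6.1).

Added example, not code from the original article or from the PCI SSC. The
HTML, headers and inventory below are constructed sample data and every
hostname is hypothetical.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(data: bytes) -> str:
    """SHA-256 in the Subresource Integrity / CSP form 'sha256-<base64>'."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()


class ScriptCollector(HTMLParser):
    """Record every <script>: external ones by src plus any integrity attribute,
    inline ones by the SRI hash of their body (HTMLParser passes script bodies
    to handle_data unparsed)."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # list of (script id, integrity value or None)
        self._attrs = None     # attributes of the <script> currently open
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs, self._body = dict(attrs), []

    def handle_data(self, data):
        if self._attrs is not None:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._attrs is not None:
            if "src" in self._attrs:
                self.scripts.append((self._attrs["src"], self._attrs.get("integrity")))
            else:
                h = sri_hash("".join(self._body).encode())
                self.scripts.append(("inline:" + h, h))
            self._attrs = None


def check_payment_page(html, headers, inventory, baseline_headers):
    """Return a list of findings. `inventory` maps script id -> (expected SRI
    hash, written justification) as 6.4.3 requires; `baseline_headers` holds the
    security-impacting response headers 11.6.1 asks you to watch."""
    collector = ScriptCollector()
    collector.feed(html)
    findings, seen = [], set()
    for script_id, integrity in collector.scripts:
        seen.add(script_id)
        if script_id not in inventory:
            findings.append(f"UNAUTHORIZED script not in inventory: {script_id}")
        elif integrity is None:
            findings.append(f"NO INTEGRITY attribute on external script: {script_id}")
        elif integrity != inventory[script_id][0]:
            findings.append(f"INTEGRITY MISMATCH on {script_id}")
    for script_id in inventory:
        if script_id not in seen:
            findings.append(f"MISSING authorized script (deleted?): {script_id}")
    for name, expected in baseline_headers.items():
        if headers.get(name) != expected:
            findings.append(f"HEADER CHANGED {name}: expected {expected!r}, "
                            f"got {headers.get(name)!r}")
    return findings


# --- constructed sample data (hypothetical hosts and file contents) ----------
CHECKOUT_JS_HASH = sri_hash(b"/* checkout.js v1, known-good build */")
INLINE_BODY = "window.dataLayer = [];"
INVENTORY = {
    "https://pay.example.test/checkout.js": (CHECKOUT_JS_HASH, "Card form and tokenization"),
    "inline:" + sri_hash(INLINE_BODY.encode()): (sri_hash(INLINE_BODY.encode()),
                                                  "Analytics bootstrap"),
}
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://pay.example.test"}

CLEAN_HTML = f"""<html><body>
<script src="https://pay.example.test/checkout.js" integrity="{CHECKOUT_JS_HASH}"></script>
<script>{INLINE_BODY}</script>
</body></html>"""

# The same page after a Magecart-style injection: an extra script with no SRI
# attribute, and a CSP that was widened so the browser will load it.
TAMPERED_HTML = CLEAN_HTML.replace(
    "</body>", '<script src="https://cdn.example-analytics.test/stats.js"></script>\n</body>')
TAMPERED_HEADERS = {"Content-Security-Policy":
                    "script-src 'self' https://pay.example.test https://cdn.example-analytics.test"}


def run_demo():
    """Evaluate both captures; returns (clean_findings, tampered_findings)."""
    return (check_payment_page(CLEAN_HTML, BASELINE_HEADERS, INVENTORY, BASELINE_HEADERS),
            check_payment_page(TAMPERED_HTML, TAMPERED_HEADERS, INVENTORY, BASELINE_HEADERS))


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean page:", clean or "no findings")
    print("tampered page:", *tampered, sep="\n  - ")
```

Two caveats when turning this into a real control. The integrity check above only confirms that the `integrity` attribute declared on the page matches what the inventory authorized; it is the browser's SRI enforcement that verifies the fetched file against that hash, so the inventory must be kept in step with every legitimate script release. And 11.6.1 is about what the consumer browser receives, so the capture must be taken from outside your network (or from a synthetic browser session), on the schedule the requirement or your TRA sets, not from a copy of the template in your repository.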
What You Should Have Already Done
If you’ve been following the best practices, here’s what you should have already completed—and what’s still left to do before time runs out.
Phase 1: Conducted a Compliance Gap Analysis (Mid-2024 or earlier)
- Identified which FDRs apply to your business.
- Assessed existing security controls and determined where changes were needed.
- Developed a roadmap for implementation, prioritizing any TRAs needed (since their results determine how often some periodic activities must be performed) and the applicable high-impact requirements such as MFA, authenticated internal vulnerability scanning, and e-commerce security measures.
Phase 2: Taken Action on Your Implementation Roadmap (Late 2024 – Early 2025)
- Ensured relevant personnel understand the new requirements and their own role in implementing and maintaining them.
- Documented or updated roles and responsibilities, policies and processes to satisfy new and updated requirements, such as for periodic account review processes.
- Engaged with QSAs and third-party service providers (TPSPs) to confirm alignment with compliance requirements.
What’s Left to Do (Final Phase – March 2025)
Perform Pre-Assessments and Validate Compliance
- Conduct final informal assessments to verify all FDRs have been fully implemented.
- Verify that any TPSPs you rely on are also fully compliant.
- Ensure documentation is assessment-ready—policies, risk analyses, and proof of implementation should be complete and accurate.
- Work with your QSA to address any last-minute gaps before your formal PCI DSS assessment.
Are You Prepared?
PCI DSS v4.x FDRs represent some of the most significant security enhancements in recent years—but time is running out. Organizations that fail to act now will find themselves risking non-compliance and serious business consequences.
If you are looking for more detail as you prepare your organization, including:
- A detailed breakdown of each FDR and how they impact each SAQ Type.
- Insights from experts during your transition.
- A step-by-step compliance roadmap.
Download our free eBook to help you ensure your organization is compliant.