June 24, 2026
PCI DSS 4.0: What’s New and How Indian Businesses Can Prepare
The Clock Is Ticking
By Innovations Arm
7 min read
March 31, 2025 came and went. If you're still operating under PCI DSS 3.2.1, you're already behind.
The new standard, PCI DSS v4.0, officially replaced v3.2.1 on March 31, 2024. A year later, all future-dated requirements became mandatory. What used to be "best practices" are now hard requirements.
This isn't a minor update. It's the first major overhaul of the standard in over a decade. We're talking about more than 50 changes here. 64 new or revised requirements. And a completely different way of thinking about payment security.
Let's break it down.
The Big Picture: What's Different
From Point-in-Time to Continuous Security
Under the old standard, plenty of companies treated compliance like an annual chore. Cram before the audit. Pass. Then pretend it never happened for the rest of the year.
That doesn't work anymore. Compliance now means staying on top of things every single day, not just when the auditor shows up. Ongoing monitoring. Frequent reviews. Proactive detection and response. The old model is dead.
The Customised Approach: More Flexibility, More Paperwork
Here's something new. PCI DSS 4.0 lets you choose how you meet each requirement.
You can follow the Defined Approach — implementing controls exactly as the standard prescribes.
Or you can go the Customised Approach route — building your ow
This flexibility is great for complex or cloud-based environments. But it comes with a catch. You need to document everything. Rigorous risk assessments. Testing. Evidence that your custom control is equally effective.
You can mix and match approaches for different requirements. But if you go custom, involve your QSA early.
The Must-Know Changes
1. MFA Is No Longer Optional
This is a big one. Multi-factor authentication is now required for all access into the Cardholder Data Environment — not just remote access, not just administrators.
That means every user, every vendor, every system account accessing the CDE needs MFA. SMS one-time codes? They don't cut it anymore. Your MFA implementation needs to resist common bypass techniques.
2. Password Rules Just Got Stricter
Minimum password length is now 12 characters. No more "eight characters and a number."
Application and system accounts need even stronger protection. If a password is used for interactive login, it must meet NIST standards — 15 characters minimum with complexity requirements. Hard-coded passwords in scripts or code? Not allowed anymore.
3. Client-Side Script Monitoring (6.4.3 & 11.6.1)
This one's new. And it's blindsiding quite a few teams.
Requirement 6.4.3: You need to maintain an inventory of every script running on your payment pages. Document who authorized each script. Verify their integrity.
Requirement 11.6.1: You need a change detection mechanism that alerts you to unauthorized modifications on payment pages.
Why? Magecart-style attacks. Attackers slip malicious JavaScript into payment pages and steal card data straight from the browser. Server-side security never detects it. The updated standard aims to put an end to those attacks.
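As an added illustration, not code from the original post or from the author's products, here is a minimal script-inventory check in Python along the lines of 6.4.3 and 11.6.1: it lists every script tag on a payment page, flags any script that is not in the authorized inventory, and flags an approved external script whose served content no longer matches its recorded hash. The page HTML, the inventory and the served script contents are constructed sample data, and the regex tag scan is a simplification of a real HTML parser.

```python
import hashlib
import re

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def collect_scripts(html):
    """Return ("external", src) or ("inline", body) for every script tag on the page.
    A regex is enough for this sample page; use a real HTML parser in production."""
    scripts = []
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        scripts.append(("external", src.group(1)) if src else ("inline", body.strip()))
    return scripts

def audit_payment_page(html, inventory, fetch):
    """inventory maps an external src or "inline:<sha256>" to its approved hash and
    authorizer; fetch(src) returns the script as currently served. Returns
    (problem, identifier) findings: 6.4.3 (not in inventory) and 11.6.1 (changed)."""
    findings = []
    for kind, value in collect_scripts(html):
        if kind == "inline":
            digest = sha256_hex(value)
            if f"inline:{digest}" not in inventory:
                findings.append(("unauthorized", f"inline:{digest[:12]}"))
        elif value not in inventory:
            findings.append(("unauthorized", value))
        elif sha256_hex(fetch(value)) != inventory[value]["hash"]:
            findings.append(("modified", value))
    return findings

# Constructed sample: approved external and inline scripts plus one external script
# nobody authorized. run_sample(tampered_js) simulates the approved script changing.
APPROVED_JS = "function pay(){ return submitForm('#card'); }"
INLINE_JS = "window.dataLayer = [];"
INVENTORY = {"https://pay.example.test/checkout.js": {"hash": sha256_hex(APPROVED_JS), "owner": "payments"},
             f"inline:{sha256_hex(INLINE_JS)}": {"hash": sha256_hex(INLINE_JS), "owner": "web"}}
SAMPLE_PAGE = (f'<html><body><script>{INLINE_JS}</script><script src="https://pay.example.test/checkout.js">'
               '</script><script src="https://cdn.example.test/unknown.js"></script></body></html>')

def run_sample(served_checkout_js=APPROVED_JS):
    served = {"https://pay.example.test/checkout.js": served_checkout_js,  # stands in for an HTTP fetch
              "https://cdn.example.test/unknown.js": "/* not in inventory */"}
    return audit_payment_page(SAMPLE_PAGE, INVENTORY, served.__getitem__)
```

Each finding is what a change-detection alert would carry; the inventory's owner field is the authorization record 6.4.3 asks you to keep.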
4. Targeted Risk Analysis (TRA)
Several requirements now let you define compliance frequencies based on your own risk analysis. Malware scans. Access reviews. Password changes. Log reviews. POI inspections.
This means you can't just follow a fixed schedule anymore. You need to justify your decisions with documented risk analysis.
5. Stronger Encryption Requirements
TLS 1.1 is out. TLS 1.2 is the minimum now. Anything older won't pass muster. And if you're hashing PANs, you need keyed cryptographic hashing now — think HMAC-SHA256 or something equivalent.
On top of that, you need to review your cipher suites at least once a year. Document everything.
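An added example, not from the original post, of the PAN handling this requirement points at: masking for display, and a keyed HMAC-SHA256 hash of the full PAN in place of an unkeyed SHA-256. The test PAN and the all-zero demo key are constructed placeholders; a real key is managed under your key-management procedures, not embedded in code.

```python
import hashlib
import hmac
import os
import re

def luhn_valid(pan):
    """Input validation only: 13-19 digits that pass the Luhn check digit."""
    if not re.fullmatch(r"\d{13,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Display form: no more than the first 6 and last 4 digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def keyed_pan_hash(pan, key):
    """Keyed hash of the full PAN: HMAC-SHA256 under a secret key that is managed
    like any other cryptographic key. Without the key, a digest cannot be matched
    against the limited space of valid PANs, which is the weakness of a plain hash."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def pan_matches(pan, stored_digest, key):
    """Constant-time check, e.g. to recognise a returning card without storing the PAN."""
    return hmac.compare_digest(keyed_pan_hash(pan, key), stored_digest)

def unkeyed_hash(pan):
    """The form 4.0 no longer accepts for PANs: same PAN, same digest, for everyone."""
    return hashlib.sha256(pan.encode()).hexdigest()

# Constructed demo values. The key is a placeholder: in production it comes from
# an HSM or KMS under your key-management procedures, never from source or scripts.
TEST_PAN = "4111111111111111"
DEMO_KEY = b"\x00" * 32

def demo():
    digest = keyed_pan_hash(TEST_PAN, DEMO_KEY)
    return {"masked": mask_pan(TEST_PAN),
            "matches": pan_matches(TEST_PAN, digest, DEMO_KEY),
            "differs_by_key": digest != keyed_pan_hash(TEST_PAN, os.urandom(32)),
            "differs_from_unkeyed": digest != unkeyed_hash(TEST_PAN)}
```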
6. Vulnerability Management Gets Tougher
Critical patches now have a strict deadline. You've got 30 days from release to apply them.
Internal vulnerability scans now require credentialed scanning where applicable. This will uncover more vulnerabilities — and create more work for your IT team.
You can't just brush aside the low-priority findings anymore either. You need to track and manage every vulnerability that your scans uncover.
7. Expanded Logging and Monitoring
PCI DSS 4.0 requires more extensive logging of activity, access, and alerts across your environment. Log reviews should be automated for better detection of anomalies. You must also respond promptly to failures of critical security control systems. Logs must be retained for 12 months.
8. Scope Documentation
Merchants must document and review PCI DSS scope annually. Service providers need to do this every six months. Detailed artifacts — not just verbal explanations — are now required.
How Indian Businesses Should Prepare
Step 1: Run a PCI DSS Gap Assessment
Begin by figuring out exactly where you stand right now. Compare your current setup against PCI DSS 4.0 requirements, including everything that became mandatory in March 2025. Don't skip the future-dated ones. They're not optional anymore.
Identify where:
- Compensating controls no longer qualify
- Access policies need restructuring
- Vendor environments must be reassessed
- Security hygiene processes need updating
A PCI DSS gap assessment is your first step toward understanding what needs to change. Without it, you're flying blind.
Step 2: Upgrade Authentication
MFA for every user accessing the CDE. No exceptions. Update your password policies. Minimum 12 characters now. No exceptions. And if you're still relying on SMS for authentication, it's time to switch to something more secure.
Step 3: Secure Your Payment Pages
Inventory every script on your payment pages. Document justifications. Implement integrity monitoring and change detection.
For payment gateways and e-commerce merchants, this is critical. You're responsible for scripts across potentially thousands of pages.
Step 4: Review Encryption and Key Management
Every bit of data moving across networks needs TLS 1.2 or above. No exceptions. Annual cipher suite reviews. Documented key management procedures.
Step 5: Strengthen Vulnerability Management
Apply critical patches within 30 days. Run credentialed internal scans. Track and address non-critical findings.
Step 6: Enhance Logging and Monitoring
Automate your log reviews. Keep logs for 12 months minimum. And put procedures in place so you can act fast when security controls fail.
Step 7: Document Everything
PCI DSS 4.0 is documentation-heavy. Network diagrams. Data flow diagrams. Scope reviews. Risk analyses. Script inventories. Encryption documentation. If it's not documented, it doesn't exist.
Step 8: Engage Your PCI DSS QSA Audit Partner Early
Don't wait until audit time. Bring in your Qualified Security Assessor early to discuss your compliance roadmap — especially if you're considering the Customised Approach. They can help you avoid costly mistakes.
Step 9: Build a Continuous Compliance Culture
PCI DSS 4.0 isn't a once-a-year event. It's continuous. Integrate compliance activities into your daily operations. Ongoing monitoring. Regular reviews. Proactive security.
What About India-Specific Requirements?
Indian businesses have additional layers to navigate:
- RBI Payment Aggregator Guidelines (2025): Under RBI's 2025 Payment Aggregator guidelines, PAs need to maintain net worth between ₹15–25 crore. They also have to appoint nodal officers and get annual security audits done by CERT-In empanelled firms. Payment Gateways are encouraged to adopt baseline security standards voluntarily.
- NPCI Requirements: If you're part of UPI, NACH, IMPS, RuPay, or FASTag, you need to follow PCI DSS. Quarterly vulnerability scans and annual penetration tests are mandatory.
- DPDP Act 2023: The Digital Personal Data Protection Act creates additional obligations around data security. While PCI DSS compliance largely satisfies DPDP Act requirements, you need to address Data Protection Officer appointment and breach notification requirements.
- Data Localization: All transaction data must be stored in India. Any foreign copies must be purged within 24 hours.
How ARM Innovations Can Help
Here's the reality. PCI DSS 4.0 is technically demanding. More than any previous version. And with RBI guidelines, NPCI requirements, and DPDP Act obligations, Indian businesses have more to navigate than ever.
What ARM Innovations Offers
PCI DSS Gap Assessment
Comprehensive review of your current controls against v4.0 requirements. Identify gaps before the audit. Fix them on your timeline. This is where every successful compliance journey starts.
PCI DSS Implementation Services
Actionable reports with PoC evidence and fix guidance. Not generic CVE numbers. Specific, developer-friendly instructions.
PCI DSS QSA Audit Support
Full support through every phase of the audit. Pre-audit preparation. Onsite assessment. Post-audit verification. Having the right PCI DSS audit partner makes all the difference.
PCI DSS VAPT Services
Vulnerability Assessment and Penetration Testing — required annually for Level 1 merchants. CERT-In empanelled pentesters actively try to bypass your security controls before the official assessment.
PCI DSS ASV Scan
Approved Scanning Vendor scans — required quarterly. Ensure your external vulnerability scans are done by an authorized ASV.
PCI DSS Readiness Assessment
We'll sit down with you, map out your compliance path, and figure out what needs fixing right away. No guesswork. Just a clear plan.
Client-Side Script Monitoring
ARM Innovations helps payment gateways track scripts across thousands of merchant payment pages. Real-time monitoring. Automated compliance reports. Integration with existing security tools.
Why ARM Innovations?
- CERT-In empanelled — government-recognized cybersecurity experts
- QSA-led team with deep technical expertise
- Manual + automated testing — zero false positives
- PoC evidence with actionable remediation
- Expertise in both global standards and Indian regulatory requirements
- PCI DSS certification services across 7 countries including India
Whether you need help with PCI DSS compliance services, PCI DSS security assessment, or PCI DSS audit India support, ARM Innovations provides end-to-end guidance.
Final Thought
PCI DSS 4.0 is here. It's stricter. It's more technical. It requires more ongoing effort than any previous version.
But it's doable.
Get your preparation right. Keep your documentation in order. Find the right people to work with. That's the formula for getting compliant and staying that way.
The grace period is behind us. The only question now is whether you're prepared for what lies ahead.
Frequently Asked Questions
What is PCI DSS 4.0?
It's the newest version of the Payment Card Industry Data Security Standard. It took over from v3.2.1 on March 31, 2024, and all the future-dated requirements became mandatory on March 31, 2025.
What are the biggest changes in PCI DSS 4.0?
The major ones are MFA for everyone accessing the CDE, client-side script monitoring (6.4.3 and 11.6.1), stricter encryption rules, mandatory Targeted Risk Analysis, credentialed vulnerability scanning, and a 12-character minimum password length.
What is the Customised Approach?
It's a new way to validate compliance. You get to design your own controls as long as they meet the same security objectives. But you need solid documentation, risk assessments, and testing to back it up.
Is MFA now mandatory for everyone?
Yes. Multi-factor authentication is required for all access into the Cardholder Data Environment — not just remote access or administrative users.
What is client-side script monitoring?
You must maintain an inventory of every script on payment pages and implement change detection to alert on unauthorized modifications. Designed to prevent web skimming attacks.
Do I need to comply if I outsource payment processing?
Yes. Even if you outsource, you're still responsible. Under SAQ A, you must certify your site isn't susceptible to script attacks.
How can ARM Innovations help?
PCI DSS gap assessment, implementation services, QSA audit support, VAPT services, ASV scans, client-side script monitoring, and managed compliance calendars. CERT-In empanelled with expertise in both global standards and Indian regulatory requirements.
What is a PCI DSS QSA Audit?
It's a formal assessment for Level 1 merchants carried out by a Qualified Security Assessor. The end result is a Report on Compliance that proves your organisation meets PCI DSS standards.
What is PCI DSS VAPT?
Vulnerability Assessment and Penetration Testing. It's mandatory every year for Level 1 merchants to find and patch up security gaps.
What is PCI DSS Compliance Cost in India?
That depends. It varies based on your company's size, how complex your setup is, and where you currently stand with compliance. A gap assessment will give you a clearer picture.
About the Author
ARM Innovations is a CERT-In empanelled cybersecurity company providing PCI DSS audit services, penetration testing, vulnerability assessment, secure code review, and compliance services across 7 countries, including India. Their QSA-led team brings together human expertise and automated testing. Scanners alone miss things. Their people catch what machines overlook. And they understand both global PCI DSS standards and India's regulatory landscape. That combination helps businesses get compliant and stay that way.