July 11, 2025

What is PCI DSS 4.0?

Ivan Tsarynny

Summary

PCI DSS 4.0 is the latest version of the Payment Card Industry Data Security Standard, designed to improve how organizations protect cardholder data. It introduces stronger authentication rules, better client-side controls, and continuous risk-based compliance—critical for security teams, developers, and compliance leads managing payment systems.

What Is PCI DSS 4.0?

PCI DSS 4.0 is the newest release of the Payment Card Industry Data Security Standard, published by the PCI Security Standards Council (PCI SSC) in March 2022. It replaces version 3.2.1 and sets updated requirements for securing cardholder data across all organizations that store, process, or transmit payment card information.

The goal of version 4.0 is to strengthen security practices while offering more flexibility in how businesses meet compliance obligations.

How It Works

PCI DSS 4.0 maintains the 12 core requirements but modernizes them through three major updates:

  • Risk-Based Flexibility: Organizations can now adopt “customized approaches” to meet objectives, with documentation and risk justification.
  • Client-Side Security Focus: New requirements like 6.4.3 and 11.6.1 aim to protect against JavaScript-based threats on payment pages.
  • Continuous Compliance: Emphasis shifts from annual audits to real-time security monitoring and targeted risk analysis.

These updates reflect the evolving threat landscape, including supply chain attacks, third-party script abuse, and client-side vulnerabilities.

Who Does This Requirement Concern?

PCI DSS 4.0 applies to any entity involved in payment card processing, including:

  • eCommerce businesses
  • SaaS platforms that collect payment information
  • Payment processors and gateways
  • Developers managing checkout experiences
  • IT and compliance teams responsible for cardholder data environments

Non-compliance can result in penalties, breach-related costs, and suspension of payment processing privileges.

How to Stay Compliant

Organizations can align with PCI DSS 4.0 by focusing on:

  • Client-side controls: Implement monitoring for all scripts on payment pages (Requirement 6.4.3)
  • Tamper detection: Set up real-time alerts for unauthorized changes to page scripts (Requirement 11.6.1)
  • MFA and authentication upgrades: Ensure all access to cardholder data meets the stronger authentication policies
  • Automated compliance tools: Use platforms that offer continuous visibility into your PCI environment

How Feroot Helps

Feroot’s PaymentGuard AI directly addresses PCI DSS 4.0’s new client-side requirements:

  • Detects and blocks unauthorized JavaScript on payment pages
  • Helps you meet 6.4.3 (script inventory and authorization) and 11.6.1 (tamper detection)
  • Provides visual behavior mapping for script activity and data access

Feroot makes continuous compliance easier with automation tailored to evolving PCI rules.

FAQ

When did PCI DSS 4.0 go into effect?

Organizations had to fully transition by March 31, 2025.

What are PCI DSS Requirements 6.4.3 and 11.6.1?

These focus on client-side protections.
6.4.3 requires authorization and inventory of JavaScript on payment pages.
11.6.1 mandates detection of script changes and unauthorized modifications.

Do developers need to worry about PCI DSS 4.0?

Yes. Developers who manage front-end payment code or integrate third-party scripts must follow new controls to secure the client-side environment.
