What PCI DSS v4.0 Actually Changed for Small Merchants
If you process credit cards and have been putting off a closer look at PCI DSS v4.0, the deadline has passed. Version 3.2.1 was retired on March 31, 2024, and the v4.0 line is the current standard (v4.0.1, a limited revision published in June 2024 that clarifies wording without adding requirements, replaced v4.0 at the end of 2024; the requirement numbers used below are the same in both). The transition period for the requirements that were future-dated in v4.0 ended March 31, 2025. Anything that was marked as a best practice until that date is now an active compliance obligation and will be assessed as such.
For large enterprises with dedicated compliance teams, the transition was managed. For small and mid-size merchants who rely on a QSA once a year and a self-assessment questionnaire to stay current, the changes in v4.0 introduced requirements that caught a lot of organizations off guard.
Here is what actually changed and what it means for your business.
SAQ A Merchants Now Need ASV Scans
This is the change that surprised the most small merchants. SAQ A is the simplest self-assessment questionnaire, designed for e-commerce merchants who have fully outsourced their payment processing to a PCI-compliant third party. The assumption was always that if you redirect customers to a hosted payment page and never touch cardholder data yourself, your compliance footprint was minimal.
PCI DSS v4.0 changed that. Requirement 11.3.2 (quarterly external vulnerability scans performed by an Approved Scanning Vendor) now applies to SAQ A merchants whose own website delivers the page that redirects customers to the third-party payment processor. If your site serves any part of the payment flow, even just the redirect, you are in this category. In practice that means: a scan every three months, rescans after remediation until a passing result is obtained (a scan with any vulnerability rated CVSS 4.0 or higher fails under the ASV Program Guide), and, under 11.3.2.1, an additional external scan after any significant change to the site. Keep the passing scan reports; the assessor will want four consecutive quarters.
This was not required under v3.2.1 for SAQ A merchants. It is required now. If you have not added ASV scanning to your compliance program and you fall into this category, you have a gap, and a failing or missing scan is a compliance finding rather than an advisory note.
Multi-Factor Authentication Is Now Mandatory Everywhere
Under v3.2.1, multi-factor authentication was required in two cases: all non-console administrative access into the cardholder data environment, and all remote network access originating from outside the entity's network. Ordinary, non-administrative users working on the internal network could reach CDE systems with a password alone. Under v4.0, Requirement 8.4.2 closes that gap: MFA is required for all access into the CDE, regardless of role or where the user is connecting from. Requirement 8.4.3 carries forward the remote-access mandate, and 8.5.1 sets the bar for the MFA system itself (at least two different factor types, replay-resistant, no bypass for any user, and success only after all factors are satisfied).
For organizations that have been using MFA selectively, on VPN, remote desktop and admin logins but not for staff who use payment applications or internal tools that reach the CDE, this is a meaningful change. Every user account that can access systems in scope for PCI now needs MFA, and access from inside the building is no longer an exception. The only carve-outs in 8.4.2 are narrow: application or system accounts performing automated functions, and user accounts on point-of-sale terminals that handle one card number at a time for a single transaction.
Targeted Risk Analysis Is Now a Documented Requirement
Targeted risk analysis appears in v4.0 in two places. Requirement 12.3.1 covers every requirement that lets the organization choose how often a control is performed (for example, how frequently to review certain logs or check POS devices for tampering): the chosen frequency must be justified by a documented targeted risk analysis. Requirement 12.3.2 covers the customized approach, where an organization meets a requirement's objective with a control other than the one the standard specifies; each such control needs its own targeted risk analysis and a documented description of how it meets the objective. Both analyses have to be reviewed at least once every twelve months.
For organizations used to checking boxes on an SAQ, this is a shift in approach. The standard now asks you to demonstrate that you have thought about the risk, not just that you have implemented a control. That documentation needs to exist, needs to be current, and needs to be defensible when a QSA reviews it. Note that the customized approach is not available on a self-assessment: it requires a QSA to validate the control, so for most small merchants the analysis that matters is the frequency-based one under 12.3.1.
Phishing and Social Engineering Training Is Now Explicit
Requirement 12.6.3.1 now explicitly requires that security awareness training cover threats that could affect the security of the cardholder data environment, including phishing and related attacks and social engineering. Earlier versions required awareness training in general terms; the topic is now named. Alongside it, Requirement 12.6.2 requires the awareness program itself to be reviewed at least once every twelve months and updated to reflect new threats and changes to the environment, and Requirement 12.6.3 requires that personnel complete the training on hire and at least once every twelve months after that.
For organizations running annual compliance training videos that have not been updated since 2021, this is a flag. The training has to be current, has to cover phishing specifically, and the organization has to be able to document that it was delivered and reviewed on schedule.
What Small Merchants Should Do Right Now
Start with your SAQ type. If you are not certain which SAQ applies to your environment, confirm it with your acquiring bank or a QSA. The requirements that apply to you depend entirely on how your payment environment is structured, and getting that wrong means either over-scoping your compliance program or missing requirements that apply to you.
If you are an SAQ A merchant with a website that touches the payment redirect, get ASV scanning in place. Quarterly scans are required and the clock is already running.
Review your MFA implementation against the new scope. Enumerate every pathway into your cardholder data environment, internal as well as remote, administrative as well as ordinary user, and if any of them still accepts a single factor, close it. Check the implementation against 8.5.1 as well: a second factor that can be skipped, or a setup that tells the user which factor failed, does not meet the requirement.
Document your risk analyses. If you have chosen your own frequency for any control that v4.0 leaves to your discretion, or if you are relying on a customized approach for any requirement, make sure the targeted risk analysis exists, was reviewed within the last twelve months, and actually supports the decision you made.
And update your security awareness training. Annual checkbox training is not sufficient if it does not specifically address phishing and social engineering, and it needs to be reviewed and updated every year.
PCI DSS v4.0 is not more complicated than its predecessor in most areas. But the areas where it did add requirements are exactly the areas where small merchants have historically had gaps. Now those gaps are compliance findings rather than best practice recommendations.
