Industry Updates

PCI DSS v4.0.1: What Changed and the 2025 Deadline

PCI DSS v4.0.1 became the only active standard on 31 March 2025, with dozens of previously 'best practice' controls now mandatory. Here is what changed and what UK merchants must do.

Fraud Defence First
27 June 2026
7 min read

PCI DSS v4.0.1 is now the only active version of the standard. It replaced v3.2.1 entirely on 31 March 2024, and a large set of 'future-dated' controls became mandatory on 31 March 2025. If your last assessment was against the old version, this is the update you need to understand.

The key dates

  • 31 March 2024 — v4.0 (since clarified as v4.0.1) became the only active standard; v3.2.1 retired.
  • 31 March 2025 — dozens of previously 'best practice' requirements became mandatory for all assessments.

v4.0.1 itself, published in 2024, was a clarification release: it corrected errors and clarified intent in v4.0 without adding new controls. So 'v4.0' and 'v4.0.1' refer to essentially the same requirements.

What actually changed

The headline shift is philosophical: PCI DSS moved from a rigid, prescriptive checklist towards outcome-based security, with more emphasis on continuous risk management. In practical terms, the newly mandatory controls tightened areas such as:

  • Stronger authentication, including multi-factor authentication for more types of access.
  • More rigorous password length and management requirements.
  • Targeted risk analyses to justify how often certain security activities happen.
  • New protections for e-commerce pages against scripts and skimming (for relevant merchants).
  • Clearer roles and responsibilities for each requirement.

What it means for small UK merchants

If you are a smaller merchant validating with a simpler SAQ, many of the heaviest v4.0.1 changes will not apply to your scope — but some, such as authentication and password rules, may. The exact impact depends on which questionnaire you complete, which is why getting your SAQ type right matters more than ever. New to all this? Start with what PCI DSS compliance is.

Behind on the deadline? How to catch up

Missing the 31 March 2025 date does not mean you are stuck — it means you should validate against v4.0.1 as soon as possible to limit risk and stop any non-compliance charges. A managed compliance service will assess you against the current standard, close any gaps and file your validation, typically within a day. Read the full PCI DSS guide for everything in one place.

Get assessed against PCI DSS v4.0.1

Need Expert PCI Compliance Help?

Our PCI compliance specialists are here to guide your business through the certification process. Get personalised advice and ensure your business stays compliant.

Get Free ConsultationBook Assessment Call
Back to All Resources