PCI DSS v4.0.1 in 2026: The Merchant Compliance Checklist

Master PCI DSS v4 compliance in 2026. Download our merchant checklist covering requirements, timelines, and implementation steps for card data security.

Sahil Dubey
June 13, 2026
6 min read

PCI DSS v4.0.1 represents the latest evolution in payment card industry security standards, and by 2026, all merchants and service providers must be fully compliant. The transition from earlier versions brings significant changes in authentication, encryption, and risk management practices. This comprehensive checklist guides you through each critical requirement, helping your organization achieve and maintain compliance.

Understanding PCI DSS v4.0.1 Requirements

PCI DSS v4.0.1 expands on previous versions with enhanced security controls designed to address modern threats. The standard organizes requirements into four groups: foundational, customizable, and management responsibilities. For merchants processing card data, understanding these 12 core requirement areas is essential to building a robust security posture.

Unlike earlier versions, v4.0.1 introduces customizable requirements that allow organizations to implement controls based on risk analysis. This flexibility means your compliance approach should be tailored to your specific business environment, payment processing volumes, and threat landscape.

Core PCI DSS v4 Checklist for Merchants

Requirement 1: Firewall Configuration and Access Control

  • Document and implement a formal firewall policy
  • Configure firewalls to restrict traffic between untrusted and cardholder data networks
  • Define and document network architecture diagrams showing data flow
  • Establish rules that deny all traffic by default, except explicitly permitted
  • Review and approve firewall rule sets at least every six months

Requirement 2: Default Security Parameters

  • Eliminate hardcoded passwords from applications and systems
  • Change all default passwords on network devices and systems
  • Disable unnecessary services, ports, and protocols
  • Remove or disable unnecessary accounts
  • Document all changes made to default configurations

Requirement 3: Cardholder Data Protection

  • Retain cardholder data only as long as operationally necessary
  • Securely delete data according to documented retention policies
  • Render card security codes unreadable anywhere they are stored
  • Mask Primary Account Numbers (PAN) in displays and logs
  • Limit data in transit using encryption or tokenization
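
PAN leakage into application logs is one of the most common ways the masking item above fails in practice, so here is an added example (written for this page, not code from Praxis-Q or the PCI SSC) of a log sanitizer that finds candidate card numbers, Luhn-validates them to avoid masking ordinary identifiers, and renders them as first-six/last-four. The regular expression, the first-six/last-four display format and the sample log lines are assumptions constructed for the example; the card numbers are the well-known public test numbers, not real PANs.

```python
import re

# Candidate PANs in free text: either a contiguous run of 13-19 digits or the
# common 4-4-4-4 grouping with spaces or dashes. The lookarounds stop the pattern
# from starting or ending inside a longer digit run. The pattern is an assumption
# for this example; extend it for the formats your own logs actually contain.
PAN_CANDIDATE = re.compile(
    r"(?<!\d)(?:\d{4}[ -]\d{4}[ -]\d{4}[ -]\d{4}|\d{13,19})(?!\d)"
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over a digit string; used to drop false positives such as
    request ids or timestamps that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the traditional PCI display
    format, assumed here) and replace everything between them with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_line(line: str) -> str:
    """Return the line with every Luhn-valid candidate PAN masked.
    Separators inside a matched candidate are dropped in the masked output;
    candidates that fail the Luhn check are left untouched."""
    def _mask(match: re.Match) -> str:
        raw = match.group(0)
        digits = raw.replace(" ", "").replace("-", "")
        return mask_pan(digits) if luhn_valid(digits) else raw
    return PAN_CANDIDATE.sub(_mask, line)


def sanitize_log(text: str) -> str:
    """Apply sanitize_line to every line of a log file's contents."""
    return "\n".join(sanitize_line(line) for line in text.splitlines())


if __name__ == "__main__":
    # Constructed sample lines using public test card numbers, not real PANs.
    sample = (
        "2026-06-13T09:00:01Z INFO card=4111 1111 1111 1111 amount=42.00\n"
        "2026-06-13T09:00:02Z INFO req=1234567812345678 user=alice\n"
        "2026-06-13T09:00:03Z WARN retry pan 5500000000000004 declined\n"
    )
    print(sanitize_log(sample))
```

Run the sanitizer as a filter in the logging pipeline (for example as a handler formatter or before shipping to the central log store) rather than after the fact, because an unmasked PAN that has already been written brings the log store into scope. The Luhn check is only a filter for false positives; a log line that contains a real PAN written in a format the pattern does not cover will still pass through, so treat the pattern as something to tune against your own log formats and verify with test entries.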

Requirement 4: Encryption and Secure Transmission

  • Implement TLS 1.2 or higher for all data in transit
  • Use strong cryptography for all cardholder data protection
  • Disable insecure protocols (SSL, early TLS versions, Telnet, FTP)
  • Maintain current encryption keys and certificate management practices
  • Document all encryption methods and key management procedures

Requirement 5: Malware Protection

  • Deploy antivirus or anti-malware software on all systems
  • Maintain current malware definitions and protection engines
  • Enable automatic scanning and real-time protection
  • Monitor protection logs and alert on suspicious activity
  • Ensure protection cannot be disabled by users

Requirement 6: Secure Development and Vulnerability Management

  • Establish a secure development life cycle (SDLC) process
  • Conduct code reviews and security testing before production release
  • Implement patch management procedures and apply patches within 30 days
  • Perform regular vulnerability scans and penetration testing
  • Maintain a risk-based vulnerability management program

Requirement 7: Access Control and Least Privilege

  • Limit access to cardholder data to those with business need
  • Grant access based on the principle of least privilege
  • Implement role-based access control (RBAC)
  • Document all access requirements and approvals
  • Review access rights quarterly and update as needed

Requirement 8: User Authentication and Identity Management

  • Assign unique user IDs to every person with system access
  • Implement multi-factor authentication (MFA) for all administrative access
  • Enforce strong password policies (minimum 12 characters with complexity)
  • Implement account lockout after six invalid attempts
  • Change default passwords and deactivate unused accounts within 90 days

Requirement 9: Physical and Environmental Security

  • Restrict physical access to cardholder data environment facilities
  • Implement visitor identification and escort procedures
  • Maintain surveillance cameras in sensitive areas
  • Use secure storage for physical records and media
  • Safely dispose of media containing cardholder data

Requirement 10: Logging and Monitoring

  • Implement centralized logging for all systems processing cardholder data
  • Log all access to cardholder data with user identification
  • Maintain audit trails for at least one year (three months readily available)
  • Implement real-time alerting for suspicious activity
  • Review logs regularly for unauthorized access or modifications
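
To make the "log access with user identification" and "review for unauthorized modifications" items concrete, the following added example (written for this page, not code from Praxis-Q or the PCI SSC) runs three review checks over a constructed JSON-lines audit log: cardholder-data access events that carry no user id, modifications by a user who is not on the documented approval list, and repeated authentication failures reaching the six-attempt count that Requirement 8 uses as its lockout threshold. The log field names, the allow-list, the ten-minute window and the sample events are all assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines audit log; field names and values are assumptions for
# this example, not a format the checklist or any product prescribes.
SAMPLE_LOG = """\
{"ts": "2026-06-13T09:00:01Z", "event": "chd_access", "user": "alice", "resource": "card_vault", "action": "read"}
{"ts": "2026-06-13T09:00:05Z", "event": "chd_access", "user": "", "resource": "card_vault", "action": "read"}
{"ts": "2026-06-13T09:01:00Z", "event": "auth_failure", "user": "bob", "source": "10.0.0.7"}
{"ts": "2026-06-13T09:01:10Z", "event": "auth_failure", "user": "bob", "source": "10.0.0.7"}
{"ts": "2026-06-13T09:01:20Z", "event": "auth_failure", "user": "bob", "source": "10.0.0.7"}
{"ts": "2026-06-13T09:01:30Z", "event": "auth_failure", "user": "bob", "source": "10.0.0.7"}
{"ts": "2026-06-13T09:01:40Z", "event": "auth_failure", "user": "bob", "source": "10.0.0.7"}
{"ts": "2026-06-13T09:01:50Z", "event": "auth_failure", "user": "bob", "source": "10.0.0.7"}
{"ts": "2026-06-13T09:05:00Z", "event": "chd_access", "user": "carol", "resource": "card_vault", "action": "update"}
"""

AUTHORIZED_TO_MODIFY = {"alice"}             # constructed allow-list from documented access approvals
FAILED_LOGIN_THRESHOLD = 6                   # same count as the Requirement 8 lockout item
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # assumed review window for counting failures


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def review_log(text: str) -> list[str]:
    """Walk the log once and return human-readable findings for three checks:
    cardholder-data access without a user id, modification by an unapproved
    user, and repeated authentication failures reaching the lockout threshold."""
    findings: list[str] = []
    recent_failures = defaultdict(list)   # user -> timestamps of failures inside the window

    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        event = json.loads(line)
        ts = parse_ts(event["ts"])
        user = event.get("user") or None   # an empty string counts as missing

        if event.get("event") == "chd_access":
            if user is None:
                findings.append(f"line {lineno}: cardholder data access without user identification")
            elif event.get("action") in {"update", "delete"} and user not in AUTHORIZED_TO_MODIFY:
                findings.append(
                    f"line {lineno}: {user} modified {event.get('resource')} without documented approval"
                )

        elif event.get("event") == "auth_failure" and user is not None:
            # Keep only failures still inside the window, then add this one.
            window = [t for t in recent_failures[user] if ts - t <= FAILED_LOGIN_WINDOW]
            window.append(ts)
            recent_failures[user] = window
            if len(window) == FAILED_LOGIN_THRESHOLD:
                findings.append(
                    f"line {lineno}: {user} reached {FAILED_LOGIN_THRESHOLD} failed logins "
                    f"within {FAILED_LOGIN_WINDOW}"
                )

    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

The same three checks translate directly into SIEM rules for the real-time alerting item; the point of the script form is that the allow-list comes from the access approvals documented under Requirement 7, so an "unauthorized modification" finding is defined by your own records rather than by a guess about what looks suspicious. For the one-year retention item, keep the raw events this script reads immutable and separate from the findings it produces.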

Requirement 11: Security Testing and Assessment

  • Conduct quarterly internal vulnerability scans
  • Perform annual external vulnerability assessments by qualified assessor
  • Conduct penetration testing annually
  • Remediate vulnerabilities based on risk prioritization
  • Maintain documentation of all testing activities and results

Requirement 12: Security Policies and Governance

  • Maintain documented information security policies
  • Establish an incident response plan with procedures
  • Implement third-party management and monitoring procedures
  • Provide annual security awareness training to all personnel
  • Maintain a risk assessment process reviewed annually

Timeline and Deadlines for 2026

Organizations should understand critical compliance deadlines. PCI DSS v3.2.1 enforcement has ended, and v4.0.1 is now the active standard. By mid-2026, all merchants must demonstrate full compliance with v4.0.1 requirements. This timeline applies whether you're pursuing a formal assessment (ROC) or self-assessment (SAQ).

Begin your transition now by conducting a gap analysis against v4.0.1 requirements. Prioritize high-risk areas and allocate resources to remediation activities. Organizations failing to achieve compliance face increased penalties, card brand restrictions, and reputational damage.

Implementation Best Practices

Start with a Gap Assessment: Document your current state against each v4.0.1 requirement. Identify gaps, risks, and resource needs before beginning remediation.

Prioritize Foundational Requirements: Focus first on Requirements 1-4, which form the technical foundation. These control network security, data protection, and encryption—critical controls for preventing data breaches.

Invest in Multi-Factor Authentication: MFA is essential under Requirement 8. Implement this across administrative accounts and sensitive systems immediately, as it significantly reduces compromise risk.

Strengthen Your Security Program: v4.0.1 emphasizes governance and risk management. Establish a formal information security program with policies, training, and incident response procedures.

Engage Qualified Assessors Early: Whether you need a formal QSA assessment (ROC) or self-assessment (SAQ), working with qualified professionals helps ensure comprehensive compliance and reduces assessment delays.

Frequently Asked Questions

What is the difference between PCI DSS v4.0.1 and earlier versions?

PCI DSS v4.0.1 introduces customizable requirements that allow risk-based control selection, strengthens authentication requirements with mandatory MFA, extends encryption requirements, and emphasizes security program governance. Key additions include stronger password standards, expanded logging requirements, and enhanced third-party risk management. Organizations must transition from previous versions to achieve full compliance with the current standard.

Who needs to comply with PCI DSS v4.0.1?

Any organization that processes, stores, or transmits payment card data must comply, including merchants of all sizes, payment processors, financial institutions, and service providers. The standard applies regardless of business size or processing volume. Even small merchants processing a few transactions monthly must implement appropriate controls based on their risk profile and business model.

How do I know if I need a formal assessment (ROC) or self-assessment (SAQ)?

Your assessment type depends on merchant level, which is determined by payment processing volume, breach history, and card brand requirements. Most small merchants qualify for SAQ, while larger merchants typically require formal QSA assessments. Your acquiring bank or payment processor can determine your merchant level and assessment requirements.

Get Your Compliance Strategy in Place Today

PCI DSS v4.0.1 compliance is not optional—it's essential for protecting cardholder data, maintaining customer trust, and avoiding penalties. Praxis-Q helps merchants, service providers, and financial institutions achieve compliance through readiness assessments, implementation guidance, and security testing. Our team works with your organization to understand your environment, prioritize remediation activities, and build a sustainable compliance program.

Don't wait until 2026 deadlines approach. Start your compliance journey now with expert guidance. Learn how Praxis-Q can support your PCI DSS compliance efforts and ensure your organization meets v4.0.1 requirements on schedule.

Sahil Dubey

Compliance & Security Expert

CISA, ISO 27001 LA, AWS Certified. 11+ years in information security, cloud services, and compliance. Founder of Praxis-Q.