PCI DSS v4.0.1: What UK Businesses Must Do Now
- July 7, 2026
- Posted by: Gradeon
- Category: Compliance

PCI DSS v4.0.1 is now fully enforced. All 64 new requirements, including the 51 that were previously future-dated, became mandatory on 31 March 2025. UK businesses still operating under legacy v3.2.1 controls are non-compliant, and those that completed an SAQ or ROC before addressing the v4.0.1 changes may have gaps they are unaware of.
This guide explains what changed, which requirements UK businesses are most commonly failing, and what to prioritise if you have not yet completed your v4.0.1 gap analysis.
What Is PCI DSS v4.0.1 and Why Does It Matter?
PCI DSS v4.0.1 is the current version of the Payment Card Industry Data Security Standard, the global framework governing how businesses store, process, and transmit cardholder data. Version 4.0 was released in March 2022, version 4.0.1 followed in June 2024 with clarifications and minor corrections, and both share the same 31 March 2025 full enforcement date.
The update introduced 64 new requirements on top of the existing 12 core requirements. These 64 additions reflect how the threat landscape has changed since v3.2.1 was written, particularly around web-based attacks, phishing, and the exploitation of authentication weaknesses.
What Are the Most Significant Changes in PCI DSS v4.0.1?
Stronger authentication requirements
Requirement 8 now mandates multi-factor authentication for all access to the cardholder data environment, not just remote access. Previously, MFA was required only for remote connections. In v4.0.1, it applies to all non-console administrative access and all user access to systems in scope.
For UK businesses with on-premises infrastructure, this change alone requires a significant reconfiguration of access controls across every system in the CDE.
Targeted risk analysis
Several requirements in v4.0.1 allow organisations to customise their approach through a Targeted Risk Analysis. Rather than following a prescriptive frequency, businesses can define their own review and testing schedules provided they can demonstrate the analysis behind those decisions.
This sounds like flexibility but it adds a documentation burden. Auditors will scrutinise the quality of your TRA rather than simply confirming you completed a task on schedule. Undocumented or superficial risk analyses will fail.
E-commerce and phishing protections
Requirement 6.4.3 mandates that all payment page scripts loaded and executed in the consumer’s browser are authorised, integrity-protected, and inventoried. This is a direct response to Magecart-style web skimming attacks that have affected thousands of UK eCommerce merchants.
Requirement 12.6.3.1 requires phishing awareness training to be reviewed at least every 12 months and updated when new phishing techniques emerge. Generic annual training no longer satisfies the requirement.
Continuous monitoring
Requirement 10 now emphasises automated log review. Manual log review processes that were acceptable under v3.2.1 are increasingly difficult to justify under v4.0.1 without documented automation or a formal explanation of compensating controls.
Penetration testing methodology
Requirement 11.4.1 now specifies that penetration testing must follow an industry-accepted methodology. This means your pen test provider must document the methodology used — PTES, OWASP, NIST — and your report must confirm this. Informal or undocumented testing no longer satisfies the requirement.
Which PCI DSS v4.0.1 Requirements Are UK Businesses Most Commonly Failing?
Based on industry assessments conducted across UK merchants and service providers since the March 2025 enforcement date, these are the requirements generating the most findings:
| Requirement | Common Failure |
| 6.4.3 | No script inventory or integrity controls on payment pages |
| 8.4.2 | MFA not implemented for all CDE access, only remote access |
| 11.6.1 | No change detection mechanism on payment page HTTP headers |
| 12.3.2 | Targeted Risk Analysis not completed or poorly documented |
| 12.6.3 | Phishing training not updated to reflect current techniques |
| 10.7.1 | Automated log review not in place, manual review only |
Does PCI DSS v4.0.1 Affect Small UK Merchants?
Yes, though the specific requirements depend on your merchant level and SAQ type.
Level 4 merchants completing SAQ A, which covers businesses using fully outsourced hosted payment pages, face fewer v4.0.1 additions than those on SAQ D. However, even SAQ A has been updated to include requirements around ensuring the security of the redirected payment page and confirming your payment provider is PCI DSS compliant.
Why PCI DSS 4.0.1 is raising the bar for UK retailers and many are still not ready is directly relevant to businesses that completed SAQ A in 2024 and assumed nothing had changed. The SAQ A revision introduced new questions specifically about third-party payment page security that were not present in earlier versions.
What Should UK Businesses Prioritise Right Now?
If you have not yet conducted a v4.0.1 gap analysis, this is the starting point. The gap analysis tells you exactly which of the 64 new requirements you already meet and which need remediation before your next assessment.
Immediate priorities for most UK merchants:
- Confirm MFA is enabled for all CDE access, not just remote users
- Audit all scripts on your payment pages and build an authorised script inventory
- Review your penetration testing report to confirm it documents a named methodology
- Check your phishing training was updated within the last 12 months to reflect current techniques
- Confirm your log review process includes automation or has a documented compensating control
Understanding what PCI DSS v4.0.1 compliance costs UK businesses when starting from scratch gives you the budget context for this work before engaging a QSA or consultant. Remediation costs vary significantly depending on how far your current environment sits from the new requirements.
Do You Need a QSA for PCI DSS v4.0.1 Compliance?
Not necessarily, but the answer depends on your merchant level.
Level 1 merchants require a QSA-led Report on Compliance annually regardless of which version they are complying with. For Level 3 and Level 4 merchants, the SAQ route remains available, but the complexity of v4.0.1 requirements, particularly around TRAs and script management, means many businesses benefit from professional guidance even when a QSA is not mandatory.
Understanding whether you need a QSA to validate your PCI DSS v4.0.1 compliance programme before your next assessment is the decision that determines whether you approach v4.0.1 as a self-managed project or an externally guided one.
Frequently Asked Questions
Is PCI DSS v4.0.1 mandatory for UK businesses in 2026?
Yes. All 64 new requirements became mandatory on 31 March 2025. UK businesses still operating under v3.2.1 controls are non-compliant as of that date.
What is the difference between PCI DSS v4.0 and v4.0.1?
Version 4.0.1 introduced minor clarifications and corrections to v4.0 but shares the same requirements and enforcement date. Both versions are treated identically for compliance purposes.
Does PCI DSS v4.0.1 require MFA for all users?
Yes for all access to the cardholder data environment, including non-console administrative access. MFA is no longer limited to remote access only.
What is a Targeted Risk Analysis under PCI DSS v4.0.1?
A documented business risk assessment justifying a customised approach to specific requirements. It must be formally documented and reviewed annually to satisfy auditors.
How long does a PCI DSS v4.0.1 gap analysis take?
For most UK SMEs, a gap analysis takes one to three weeks depending on the complexity of the cardholder data environment and the number of systems in scope.
What happens if a UK business fails a PCI DSS v4.0.1 assessment?
Non-compliance findings must be remediated and retested before an Attestation of Compliance can be issued. Prolonged non-compliance can result in acquiring bank fines and potential suspension of card acceptance.
Source: PCI Security Standards Council, PCI DSS v4.0.1, June 2024. Verizon Payment Security Report 2025.