
PCI DSS v4.0 vs v3.2.1 cost delta: the math

PCI DSS v4.0 added 51 future-dated requirements that became mandatory in March 2025. 2026 is the first full year in which every PCI assessment applies the full v4.0 control set. The year-one cost uplift for merchants who were compliant under v3.2.1 runs $5,000 to $30,000 depending on tier, with the bulk concentrated in script management tooling, expanded MFA, and authenticated internal scanning.

Updated April 2026

Year-1 uplift: $5k - $30k (per merchant tier, holding scope constant)

Future-dated reqs: 51 (mandatory effective March 2025)

Biggest cost driver: Req 6.4.3 script management

The v4.0 calendar and what it means for 2026

PCI DSS v4.0 was published in March 2022. The PCI SSC gave a two-year transition during which both v3.2.1 and v4.0 were accepted for assessments. PCI DSS v3.2.1 retired in March 2024. 51 of the v4.0 requirements were marked as future-dated during the transition, becoming mandatory in March 2025. As of mid-2026, every PCI assessment must apply the full v4.0 control set including all future-dated requirements. There is no remaining transition relief.

For merchants whose last ROC or SAQ was completed under v3.2.1 (typically merchants on annual cycles where their last assessment was Q1 2024 or earlier), the 2025 or 2026 renewal is the first encounter with full v4.0 requirements. This page covers the cost decomposition of that uplift, organised around the four highest-cost v4.0 changes.

The 51 future-dated requirements vary widely in cost impact. Some are clarifications of existing v3.2.1 requirements that most merchants already meet (cost impact near zero). Others introduce genuinely new compliance obligations requiring new tooling and consultant time (cost impact $2,000 to $15,000+ per requirement). The four most-expensive new requirements account for roughly 70 to 80 percent of the total v4.0 uplift.

The four most-expensive new v4.0 requirements

Requirement | What changed | Annual cost impact
Req 6.4.3 (payment-page scripts) | Manage, inventory, authorise, and integrity-check all scripts on payment pages | $2,000 - $5,000
Req 8.3 (expanded MFA) | MFA required for ALL access to the CDE, not just remote access; minimum password length 12 characters | $0 - $10,000
Req 11.3.2 (authenticated scanning) | Internal vulnerability scans must be authenticated (run with credentials) | $1,000 - $5,000
Req 12 (customised approach + targeted risk analysis) | Risk-based control alternatives require a formal, documented targeted risk analysis | $2,000 - $10,000

The table is anchored to the official PCI DSS v4.0 document library and the PCI SSC v4.0 Summary of Changes document. The cost ranges assume merchants who did not meet the requirements under v3.2.1; merchants who already met the spirit of a requirement see lower or zero incremental cost.

Req 6.4.3 payment-page script management in detail

Req 6.4.3 is the single most-discussed v4.0 change because it created a new tooling category and a new line item in nearly every e-commerce merchant's compliance budget. The requirement: any merchant whose payment page can load third-party scripts (including via tags managed in Google Tag Manager, marketing scripts, analytics, chat widgets, A/B testing tools) must inventory every script loaded on the payment page, authorise each script via documented business need, and verify the integrity of each script (typically via subresource integrity hashes or via continuous integrity monitoring).

The requirement targets Magecart-style payment-page skimming attacks, where attackers compromise a third-party script (a marketing tag, a chat widget, a tracking pixel) and inject code that exfiltrates cardholder data as customers type it into the payment form. The 2018 British Airways breach (108,000 cards exfiltrated, GBP 20 million GDPR fine) was a textbook Magecart attack. Req 6.4.3 makes detection of such attacks structurally mandatory.

Compliance options. Option one: pure manual evidence with subresource integrity hashes on every script tag, periodic manual review of the script inventory, manual change-approval workflow. Labour-intensive but no tool cost. Option two: a payment-page script monitoring tool. Pure-play products include c/side ($2,400 to $6,000 per year), Jscrambler ($3,000 to $10,000), Source Defense ($5,000 to $15,000 per year for enterprise). CDN-integrated alternatives include Cloudflare Page Shield (included with Cloudflare Pro/Business/Enterprise plans, marginal cost roughly $0 to $2,000 depending on existing Cloudflare tier), Akamai Script Manager (included with Akamai Bot Manager subscription). For most merchants the tool path is operationally cleaner than manual evidence.

Per-merchant-tier v4.0 cost uplift

Merchant tier | v3.2.1 baseline | v4.0 cost (2026) | Uplift
Level 4 SAQ A (hosted checkout) | $300 - $1,000 | $300 - $1,000 | ~$0
SAQ A-EP (custom checkout) | $6k - $12k | $11k - $20k | +$5k - $10k
SAQ B-IP / SAQ C retail | $1k - $5k | $1.5k - $6.5k | +$500 - $1.5k
SAQ D-Merchant | $10k - $30k | $15k - $45k | +$5k - $15k
Level 1 ROC commercial | $60k - $130k | $75k - $160k | +$15k - $30k
SAQ D-SP service provider | $20k - $50k | $30k - $75k | +$10k - $25k

The uplift assumes a merchant who was compliant under v3.2.1 with minimal additional security investment beyond the baseline. Merchants with mature security programs that already met the spirit of the v4.0 requirements see lower uplift. The cost impact does not include the general professional services inflation (separately roughly +5 to +8 percent YoY) that affects both v3.2.1 and v4.0 baselines.

v4.0 cost mitigation strategies

Three approaches consistently reduce the v4.0 cost uplift. First, scope reduction through hosted checkout migration. Moving from SAQ A-EP to SAQ A through Stripe Checkout, PayPal hosted, or Adyen Drop-in eliminates the Req 6.4.3 obligation entirely (because the payment page is hosted outside the merchant's environment) and minimises the other v4.0 cost impacts. The migration cost runs $5,000 to $25,000 one-off; the year-over-year SAQ cost saving plus elimination of v4.0 tooling typically pays back within the first year.

Second, GRC platform adoption for multi-framework engagements. The compliance automation platforms (Vanta, Drata, Secureframe, Sprinto, Thoropass) have invested heavily in v4.0 evidence templates and the platforms now meaningfully reduce the consultant or QSA hours required for v4.0 evidence collection. For Level 2 and Level 1 merchants with combined PCI plus SOC 2 plus ISO 27001 obligations, the GRC platform amortises the v4.0 cost across frameworks.

Third, leveraging existing security investments for v4.0 requirements. Many of the v4.0 future-dated requirements can be met by extending existing security tools and processes rather than buying new ones. Examples: extending an existing Okta or Microsoft Entra deployment to cover all CDE access (Req 8.3), using an existing Cloudflare or Akamai CDN for script monitoring (Req 6.4.3), using an existing Tenable or Qualys deployment for authenticated internal scanning (Req 11.3.2). The question to settle with the QSA is whether these existing tools produce the evidence v4.0 requires, and in most cases they do after modest configuration changes.

Get the official v4.0 Summary of Changes

The PCI SSC publishes the PCI DSS v4.0 Summary of Changes document detailing every change versus v3.2.1, including future-dated requirements and effective dates.

PCI SSC document library

Frequently asked

Year-one uplift runs $5,000 to $30,000 depending on merchant tier and pre-v4.0 security maturity, holding scope constant. For Level 4 SAQ A merchants on hosted checkout, the uplift is near zero. For SAQ A-EP e-commerce merchants the uplift is $5,000 to $10,000 (mostly Req 6.4.3 script monitoring tooling). For SAQ D-Merchant and Level 1 ROC merchants the uplift is $10,000 to $30,000 covering expanded MFA, authenticated internal scanning, customised approach risk analysis, and incremental control implementation. Subsequent years see ongoing-cost increase of $3,000 to $15,000 per year.
