RiskWatch

Free Download · PCI DSS 4.0

The complete PCI DSS 4.0 compliance checklist.

Walk into your next PCI assessment with the same checklist your QSA reads from. All 12 PCI DSS 4.0.1 requirements, every one of the 32 future-dated controls now in force since March 2025, the new Targeted Risk Analysis methodology, the Customized Approach option, and a CDE scoping + segmentation worksheet. Built by RiskWatch's compliance team for Level 1 merchants, service providers, and SaaS platforms storing or transmitting cardholder data.

Free PDF + Excel evidence tracker · No credit card · No sales call

Trusted by Level 1 merchants, service providers, and SaaS platforms managing PCI DSS 4.0, CDE scoping, TRA, and ROC + SAQ validation across every payment channel.

Puma North America · Bose · The Coca-Cola Company · Aon · Johnson & Johnson · Pfizer

What's Inside the Checklist

12 requirements, 6 control objectives, 32 future-dated items.

PCI DSS 4.0 organizes the 12 numbered requirements under six control objectives. The checklist follows that structure exactly, so every line maps 1:1 to what your QSA assesses. The sub-items below are a representative slice; the download contains the full set with evidence prompts.

Build & Maintain a Secure Network

Reqs 1–2

Network security controls and secure configuration baselines for every system component touching the cardholder data environment.

  • §1.2.1 Network security control rulesets reviewed every 6 months with formal approval
  • §1.2.4 CDE inventory + network segmentation diagram current and accurate
  • §2.2.1 Configuration standards defined for every system component type
  • §2.3.1 Wireless vendor defaults changed before installation in any CDE-adjacent network

Protect Cardholder Data

Reqs 3–4

PAN protection at rest and in transit. Cryptographic key management, retention limits, and the new disk-level vs application-level encryption distinctions.

  • §3.3.1 PAN masked when displayed; full PAN access limited to legitimate business need
  • §3.5.1 PAN rendered unreadable using approved methods (truncation, hashing, or strong cryptography)
  • §3.6.1 Cryptographic key custodians documented with formal acknowledgement
  • §4.2.1 PAN in transit over open public networks protected with strong cryptography and current cipher suites
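The §3.3.1 and §3.5.1 items above name the techniques (display masking, truncation, hashing) without showing them. The following Python is an added example written for this page, not part of the RiskWatch checklist, showing each one side by side. It assumes a first-6/last-4 masking policy (the page does not fix the digit counts), uses a keyed hash (HMAC-SHA256) for the hashing option, and goes slightly beyond the bullets by scrubbing Luhn-valid PANs out of free text such as log lines. The PANs and key are constructed sample values.

```python
import hashlib
import hmac
import re

# Constructed sample values (not real cards): a 16-digit and a 19-digit Luhn-valid PAN.
SAMPLE_PAN_16 = "4111111111111111"
SAMPLE_PAN_19 = "6011000000000000001"

# Constructed key for the keyed hash. In production it lives in a key-management
# system with documented custodians (§3.6.1), never in source.
DEMO_HASH_KEY = b"constructed-demo-key-do-not-use"


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; reject anything outside the 13-19 digit PAN range."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits


def luhn_valid(digits: str) -> bool:
    """Luhn check, used to tell a card number from an ordinary long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_for_display(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Display masking in the §3.3.1 sense: keep at most the leading BIN digits and the last four.
    The 6/4 split is this example's assumed policy; the checklist page does not fix the counts."""
    digits = normalize_pan(pan)
    if lead + trail >= len(digits):
        raise ValueError("masking policy would expose the full PAN")
    return digits[:lead] + "*" * (len(digits) - lead - trail) + digits[-trail:]


def truncate_for_storage(pan: str, lead: int = 6, trail: int = 4) -> str:
    """§3.5.1 truncation: the middle digits are discarded, so the stored value cannot be reversed."""
    digits = normalize_pan(pan)
    return digits[:lead] + digits[-trail:]


def keyed_hash_for_storage(pan: str, key: bytes = DEMO_HASH_KEY) -> str:
    """§3.5.1 hashing, done here as HMAC-SHA256: without the key, a stolen table of hashes
    cannot be matched against candidate PANs, which an unkeyed hash of a 16-digit number
    would allow."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def redact_pans(text: str) -> str:
    """Scrub PANs from free text (log lines, tickets), leaving only the last four digits.
    Luhn-invalid digit runs such as order or reference ids are left untouched."""
    def _replace(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_for_display(digits, lead=0, trail=4) if luhn_valid(digits) else m.group()
    return PAN_PATTERN.sub(_replace, text)


if __name__ == "__main__":
    print(mask_for_display(SAMPLE_PAN_16))
    print(truncate_for_storage(SAMPLE_PAN_19))
    print(keyed_hash_for_storage(SAMPLE_PAN_16))
    # Constructed log line: the PAN is scrubbed, the Luhn-invalid reference id is kept.
    print(redact_pans("checkout ok order=88213 pan=4111 1111 1111 1111 ref=1234567890123456"))
```

Keeping the masked display form and the truncated storage form to the same 6/4 split is deliberate: if different systems keep different slices of the same PAN, the pieces can be recombined, which is exactly the kind of finding a scoping review should catch.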

Maintain a Vulnerability Management Program

Reqs 5–6

Anti-malware, secure software development, payment-page script management, and the new HTTP request validation control for e-commerce environments.

  • §5.4.1 Anti-phishing technical controls deployed (future-dated → now in force)
  • §6.3.3 All system components patched within 30 days of vendor release for critical vulnerabilities
  • §6.4.3 Payment page scripts inventoried, integrity-assured, and authorized (future-dated → now in force)
  • §6.5.1 Bespoke and custom software reviewed for vulnerabilities before release

Implement Strong Access Control

Reqs 7–9

Role-based access, identity + authentication including MFA for all CDE access, and physical security controls for any environment housing CHD.

  • §7.2.5 Application + system accounts reviewed for need-to-know and least privilege
  • §8.3.6 MFA required for ALL access into the CDE, not just admin (future-dated → now in force)
  • §8.4.2 MFA explicitly required for non-console administrative access (future-dated → now in force)
  • §9.4.1 Media containing CHD physically secured and inventoried

Regularly Monitor & Test Networks

Reqs 10–11

Audit logging, automated review, segmentation pen-testing, ASV scans, and the new authenticated-internal-vulnerability-scan and IDS-tampering-detection requirements.

  • §10.4.1.1 Daily review of audit logs from security-function systems via automated tools (future-dated → now in force)
  • §11.3.1.1 Internal vulnerability scans performed via authenticated scanning (future-dated → now in force)
  • §11.4.5 Segmentation controls validated via pen-test annually (semi-annually for service providers)
  • §11.6.1 Change-and-tamper detection on payment-page HTTP headers + content (future-dated → now in force)

Maintain an Information Security Policy

Req 12

Information security policy, organizational risk analysis, third-party service-provider management, incident response, and the new Targeted Risk Analysis program.

  • §12.3.1 Targeted Risk Analysis performed for each control that allows a customer-defined frequency
  • §12.5.2 PCI DSS scope documented and confirmed at least every 12 months
  • §12.8.5 Service-provider PCI responsibilities documented in written agreements
  • §12.10.4.1 Incident response personnel trained and training tested annually (future-dated → now in force)

The 32 future-dated requirements (now in force since March 2025).

PCI DSS 4.0 phased in 32 forward-looking sub-requirements with a 'best practice until' date of March 31, 2025. As of that date, every assessment must validate them. The checklist marks each one inline with implementation guidance and evidence prompts. Highlights:

  • §3.4.2 PAN concealment for personnel with display-level masking enforced systemically
  • §5.4.1 Anti-phishing technical mechanisms required across in-scope environments
  • §6.4.3 Payment page script inventory + change management + integrity assurance
  • §8.3.6 + 8.4.2 MFA universal for CDE access and non-console administrative access
  • §10.4.1.1 Automated daily audit-log review for security-function systems
  • §11.3.1.1 Authenticated internal vulnerability scanning
  • §11.4.7 Multi-tenant service providers support customer external segmentation pen-testing
  • §11.6.1 Payment page HTTP request + header tamper detection
  • §12.10.4.1 Annual incident-response training tested for effectiveness
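Two of the future-dated items, the §6.4.3 script inventory with integrity assurance and the §11.6.1 header and content tamper detection, are the ones e-commerce teams most often have to build rather than buy. The Python below is an added example for this page (not checklist or RiskWatch code) showing the core of both checks: an authorized-script inventory keyed by Subresource-Integrity style digests, and a baseline-and-diff of the payment page's security-relevant response headers and body. The script URLs, script bodies, header values and page body are all constructed samples; the set of monitored headers is this example's choice.

```python
import base64
import hashlib

# ---------- §6.4.3: payment-page script inventory with integrity assurance ----------

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource-Integrity style digest, formatted as '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


# Constructed 'approved' script bodies, standing in for the files a change ticket authorized.
APPROVED_SCRIPTS = {
    "https://js.psp.example/v3/checkout.js": (b"window.PSP={mount:function(el){}};", "PSP card-entry form"),
    "https://cdn.merchant.example/analytics.js": (b"window.track=function(e){};", "Conversion analytics"),
}

# The inventory a QSA asks for: every script on the page, why it is there, and its expected digest.
SCRIPT_INVENTORY = {
    url: {"justification": why, "integrity": sri_hash(body)}
    for url, (body, why) in APPROVED_SCRIPTS.items()
}


def audit_scripts(inventory: dict, observed: dict) -> dict:
    """Compare the scripts actually served (url -> bytes) against the authorized inventory."""
    report = {"ok": [], "changed": [], "unauthorized": [], "missing": []}
    for url, body in observed.items():
        entry = inventory.get(url)
        if entry is None:
            report["unauthorized"].append(url)          # not in the inventory at all
        elif sri_hash(body) != entry["integrity"]:
            report["changed"].append(url)               # known script, unexpected content
        else:
            report["ok"].append(url)
    report["missing"] = [url for url in inventory if url not in observed]
    return report


# ---------- §11.6.1: change- and tamper-detection on payment-page headers and content ----------

# Response headers whose silent change on a payment page should raise an alert (example's choice).
MONITORED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
)


def page_baseline(headers: dict, body: bytes) -> dict:
    """Record the monitored headers and a content digest for the known-good page."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {
        "headers": {name: lowered.get(name) for name in MONITORED_HEADERS},
        "body_sha256": hashlib.sha256(body).hexdigest(),
    }


def detect_page_changes(baseline: dict, headers: dict, body: bytes) -> list:
    """Return (kind, detail) findings for every deviation from the baseline."""
    current = page_baseline(headers, body)
    findings = []
    for name in MONITORED_HEADERS:
        before, after = baseline["headers"][name], current["headers"][name]
        if before == after:
            continue
        if after is None:
            findings.append(("header-removed", name))
        elif before is None:
            findings.append(("header-added", name))
        else:
            findings.append(("header-changed", name))
    if current["body_sha256"] != baseline["body_sha256"]:
        findings.append(("content-changed", "payment page body digest differs from baseline"))
    return findings


# Constructed baseline capture of the payment page.
GOOD_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.psp.example",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
GOOD_BODY = b"<html><body><form id='card'></form><script src='/checkout.js'></script></body></html>"
PAGE_BASELINE = page_baseline(GOOD_HEADERS, GOOD_BODY)


if __name__ == "__main__":
    # Constructed observation: one approved script, one edited, one nobody authorized.
    observed = {
        "https://js.psp.example/v3/checkout.js": APPROVED_SCRIPTS["https://js.psp.example/v3/checkout.js"][0],
        "https://cdn.merchant.example/analytics.js": b"window.track=function(e){};/*edited*/",
        "https://static.unknown.example/helper.js": b"/* not in inventory */",
    }
    print(audit_scripts(SCRIPT_INVENTORY, observed))
    weakened = dict(GOOD_HEADERS)
    weakened["Content-Security-Policy"] = "default-src *"
    del weakened["X-Frame-Options"]
    print(detect_page_changes(PAGE_BASELINE, weakened, GOOD_BODY + b"<!-- new content -->"))
```

Both functions only report; what turns a report into evidence is running them on a schedule the Targeted Risk Analysis justifies, keeping the baseline and inventory under change control, and retaining the output so the QSA can see the cadence actually held.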

Why Use This Checklist

Built around the standard's actual structure, not a marketing summary.

PCI DSS 4.0.1 (June 2024) is the current version. The Council issued 4.0.1 as a minor revision (no new requirements, only clarifications and corrections), but it locks in every shift introduced in 4.0: 12 numbered requirements expanded to 64 sub-requirements, the 32 future-dated controls phased in by March 31, 2025, and the formal Targeted Risk Analysis (TRA) methodology. The checklist tracks the current 4.0.1 control set with each future-dated item flagged, so you can confirm coverage before your next assessment.

PCI DSS 4.0 added flexibility, and with it documentation overhead. The Targeted Risk Analysis lets you justify customer-defined frequencies for 18 controls (anti-malware, vulnerability scans, access reviews) instead of accepting a one-size-fits-all cadence. The Customized Approach lets you meet a control's objective by alternative means, backed by a formal TRA. Both are powerful for legacy infrastructure but require explicit, structured documentation. The checklist includes a TRA template and a Customized Approach worksheet so you aren't reverse-engineering the documentation requirements weeks before your QSA visit.

Cardholder Data Environment scoping is the highest-leverage move you can make. A smaller CDE means fewer §3 requirements on fewer systems, which means lower assessment cost and faster remediation. The checklist ships with a CDE scoping worksheet covering cardholder-data flow mapping, the §1.2.1 + §1.2.4 segmentation evidence checklist, the §11.4.5 segmentation pen-test cycle, and the connected-system inventory template. Most merchants apply PCI controls to far more of their network than necessary because they have no segmentation map. Start there.

Who It's For

Built for three audiences who own PCI evidence end-to-end.

PCI Compliance Managers

Level 1 merchants + service providers

Owning the QSA relationship, the ROC validation cycle, the SAQ submissions, and the acquirer reporting. The checklist gives you a structured pre-flight review so the QSA opens with three findings instead of fourteen.

  • All 12 reqs + 32 future-dated controls flagged
  • TRA + Customized Approach templates included
  • CDE scoping worksheet for §1.2.1 / §1.2.4 / §11.4.5

CISO / Director of Information Security

Owns CDE protection and DSS 4.0 technical controls

Mapping MFA universality (§8.3.6 + §8.4.2), payment-page script management (§6.4.3 + §11.6.1), automated audit-log review (§10.4.1.1), and authenticated internal scanning (§11.3.1.1) onto your existing security stack, without re-architecting around a single sub-requirement.

  • Every §6, §8, §10, §11 control inline
  • Cross-mapping to ISO 27001:2022 Annex A
  • Cross-mapping to SOC 2 CC6 + CC7

SaaS / Tech CTO

Storing or transmitting cardholder data

Tokenized payment flows, Stripe / Adyen / Braintree integrations, hosted payment pages, and SAQ A-EP / D-Service-Provider obligations. The checklist includes a script-inventory worksheet, an iframe / redirect / hosted-page architecture decision tree, and the SAQ-vs-ROC selector.

  • SAQ decision tree for A through D + P2PE
  • §6.4.3 payment-page script inventory template
  • §11.6.1 HTTP tamper-detection guidance

FAQ

Common questions, answered up front.

What's actually in the checklist, the 32 future-dated controls, CDE scoping coverage, SAQ vs ROC, and how it cross-maps to ISO 27001 and SOC 2.

Run PCI DSS + ISO 27001 + SOC 2 on one platform?

If you're past the checklist stage and ready to operationalize, RiskWatch runs continuous PCI DSS 4.0.1 + ISO 27001:2022 + SOC 2 Type 2 scoring against a single shared evidence vault. 30-minute walkthrough, no slideware, no consulting upsell.

Or call US: +1 941-500-4525

Request a Demo