PCI DSS 4.0.1 Compliance: What Every Business Must Do by 2025

The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized set of policies and procedures developed to ensure the secure handling of cardholder information. It applies to all entities that process, store, or transmit credit, debit, or other cardholder data. Although PCI DSS is not a law or government regulation, it is a contractual obligation that businesses must meet to retain the ability to process card payments.
Complying with PCI DSS helps organizations maintain secure systems and build customer trust.
PCI DSS v4.0.1 Update Summary
In 2024, PCI DSS version 4.0.1 was released as a refinement of version 4.0. This update includes minor corrections, clarified language, and improved instructions to support better implementation of controls. These adjustments help businesses prepare ahead of the March 31, 2025 enforcement deadline.
Compared to the previous standard (v3.2.1), PCI DSS 4.0 introduced major updates, including proactive security strategies, flexibility through customized approaches, and improved support for modern payment environments. Version 4.0.1 maintains these updates but focuses on improved clarity and usability rather than introducing new requirements.
Difference Between PCI DSS v4 and v4.0.1:
PCI DSS v4 introduced major changes, whereas PCI DSS v4.0.1 introduced only minor revisions. The following is a comparative analysis:
| Category | PCI DSS 4.0 | PCI DSS 4.0.1 |
|---|---|---|
| Release Date | March 2022 | October 2023 |
| Purpose | Major update replacing 3.2.1, modernized for new threats | Minor revision with corrections and clarifications |
| Structure | Introduced new format and control layout | Same structure as 4.0, no major layout changes |
| Customized Approach | Introduced for flexibility in control implementation | Clarified expectations for the customized approach |
| Multi-Factor Authentication | Strengthened MFA requirements across environments | Clarified text to avoid confusion in MFA control wording |
| Password Requirements | Changed complexity and expiration rules | No major changes; minor wording corrections |
| New Requirements | 60+ new requirements introduced (many future-dated) | No new requirements, just clearer descriptions |
| Implementation Deadlines | March 2025 for most new 4.0 requirements | Deadline unchanged |
| Error Corrections | N/A | Fixed typos, inconsistencies, and incorrect references |
| Clarifications | N/A | Improved language for better understanding |
| Impact | High – changes in scope, approach, and control details | Low – meant to support smoother adoption of 4.0 |
Key points about v4.0.1:
- No new requirements: The update focuses on clarifying existing standards.
- Effective date: Organizations must comply with future-dated requirements by March 31, 2025.
- Supporting documents: Updated templates for Reports on Compliance (ROC), Attestations of Compliance (AOC), and Self-Assessment Questionnaires (SAQs) are expected to be published in Q3 2024.
PCI DSS Compliance Levels
The number of transactions a company processes determines its level of compliance. Merchants have four levels, while service providers have two.
- Merchants: Organizations that accept credit cards for a product or service.
- Service Providers: Organizations that process, transmit, or store card information on behalf of merchants.
An organization can fall into both categories.
What Counts as a “Transaction”?
Under PCI DSS, a transaction involves any event where cardholder data is used for authorization, payment, refund, or dispute resolution. Common types include:
- Point-of-Sale (POS) Purchases & Refunds: In-person, card-present transactions.
- E-Commerce Payments: Online, card-not-present sales.
- Recurring Billing: Subscription or scheduled charges.
- Credits & Chargebacks: Refunds, reversals, and disputes.
- Data Storage/Transmission Events: Any time cardholder data is stored, processed, or transmitted internally or by third parties.
Level 1:
Businesses that process 6 million or more transactions annually for any of the major card brands that follow PCI DSS, such as JCB, MasterCard, Discover, American Express, and Visa, are typically classified as Level 1 merchants. However, a card brand may also place a merchant into Level 1 even if it does not reach the 6 million transaction threshold. This decision ultimately rests with the payment brand, which may identify specific risk factors and decide, on a case-by-case basis, that the company should be treated as a Level 1 merchant.
Main Requirement for Level 1
An organization classified as Level 1 under PCI DSS must undergo a formal assessment conducted by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). The result of this assessment is documented in a Report on Compliance (ROC), which serves as official validation that the organization meets all PCI DSS requirements.
Level 2:
Businesses that process between 1 and 6 million payment card transactions annually are typically classified as Level 2 merchants under PCI DSS. These are often mid-sized retailers. Instead of undergoing a full audit like Level 1 merchants, they are generally required to complete a Self-Assessment Questionnaire (SAQ).
The SAQ is a standardized self-evaluation tool used to assess whether a business is complying with the PCI DSS security requirements. It helps identify gaps in how the company handles cardholder data and guides them toward full compliance.
With the release of PCI DSS version 4.0, there are now 9 different types of SAQs, each tailored to specific ways a business might handle payment information. For example, some SAQs apply to businesses that do not store cardholder data, while others are for those that use e-commerce platforms or third-party payment processors.
Level 3:
Businesses that process between 20,000 and 1 million e-commerce transactions annually are typically classified as Level 3 merchants under PCI DSS. This level often includes small to mid-sized online retailers.
Similar to Level 2 merchants, they are required to complete a Self-Assessment Questionnaire (SAQ) each year to verify their compliance with PCI DSS requirements. The specific SAQ they must use depends on how they process, store, or transmit cardholder data.
Level 4:
Merchants that process fewer than 20,000 e-commerce transactions annually are generally classified as Level 4 under PCI DSS. According to Visa's criteria, even some merchants processing up to 1 million total Visa transactions per year may also fall into Level 4, depending on their risk profile and how they accept payments.
Level 4 merchants are required to complete a Self-Assessment Questionnaire (SAQ) to evaluate whether they meet PCI DSS compliance requirements. This self-evaluation helps ensure that even smaller businesses are taking the necessary steps to protect cardholder data.
Important Note:
While the PCI DSS merchant levels provide general guidelines based on transaction volume, the actual level assigned to a merchant can vary. Payment brands (like Visa or MasterCard), acquiring banks, and service providers may assign a higher level based on factors such as risk, past breaches, or how transactions are processed (e.g., in-store vs. e-commerce). Merchants should always check with their acquiring bank or payment processor to confirm their specific compliance requirements.
What is a PCI Qualified Security Assessor (QSA)?
A Qualified Security Assessor (QSA) is an individual certified by the Payment Card Industry Security Standards Council (PCI SSC) to perform PCI DSS compliance assessments and consulting services. While the term "QSA" can refer to both individuals and companies, the PCI SSC often distinguishes companies as QSACs (Qualified Security Assessor Companies) to avoid confusion.
Focusing on the individual role, according to the PCI SSC, a Qualified Security Assessor is someone who meets the following key requirements:
- Must have a background in information security.
- Must have completed the official QSA training program provided by the PCI Security Standards Council (PCI SSC) and passed the QSA exam.
- Must be employed by a PCI SSC-approved Qualified Security Assessor Company (QSAC).
- Must be authorized to conduct PCI DSS assessments focused on the protection of cardholder data.
What does a PCI Qualified Security Assessor do?
A PCI QSA evaluates organizations that handle credit card data to ensure they meet the security standards defined by the Payment Card Industry Data Security Standard (PCI DSS). This includes assessing how businesses store, process, and transmit cardholder data, and verifying whether their security controls align with PCI DSS requirements.
QSA companies, known as QSACs (Qualified Security Assessor Companies), are independent security firms certified by the PCI Security Standards Council (PCI SSC) to perform these assessments and validate an organization’s compliance.
What Are PCI Qualified Security Assessors Looking for During an Audit?
As mentioned earlier, only Level 1 merchants under PCI DSS are required to undergo a formal assessment conducted by a Qualified Security Assessor (QSA). Merchants classified as Level 2, 3, or 4 typically meet their compliance obligations by completing an annual Self-Assessment Questionnaire (SAQ) instead of a full audit.
For Level 1 merchants, the annual QSA-led assessment functions as an internal audit that evaluates the effectiveness of the company’s information security controls. This involves a thorough review and testing of all security measures surrounding the Cardholder Data Environment (CDE) to ensure full compliance with PCI DSS requirements.
As part of the PCI DSS assessment, a QSA typically evaluates the following key areas within the Cardholder Data Environment (CDE):
- Network segmentation – Ensuring that the CDE is properly isolated from other parts of the network to reduce scope and risk.
- Point-of-sale (POS) systems – Verifying the security of devices and software used to capture card payments.
- Data encryption – Confirming that cardholder data is encrypted during transmission and storage.
- Access controls – Reviewing who has access to the CDE and whether access is limited to only those who need it.
- Payment processing applications – Assessing the security of software that handles card transactions.
- Data storage practices – Identifying where and how cardholder data is stored and ensuring it complies with PCI DSS guidelines.
PCI DSS consists of 12 principal requirements broken down into 281 detailed directives, so an initial audit can take a long time to complete, possibly up to 2 years. Not every requirement applies to every company, however. If some of the 281 directives do not apply to your environment, the audit takes correspondingly less time to complete.
PCI DSS Audit Objectives and Process
A PCI DSS audit is led by a Qualified Security Assessor (QSA) and examines how your company handles customer payment information in accordance with the requirements defined in the PCI DSS.
There are three primary goals of a PCI DSS audit:
- Identify any security gaps and verify whether the company follows the latest PCI DSS requirements.
- Document issues and recommend corrective actions.
- Ensure all identified problems are properly addressed.
The QSA reviews your systems to determine if you meet the 12 core PCI DSS requirements, either directly or through approved alternatives (known as compensating controls). Once the audit is complete, the QSA prepares a Report on Compliance (ROC) to confirm your organization’s compliance status.
6 Steps of PCI Audit:
There are six steps involved in a PCI audit if your company is required to undergo a QSA-led assessment.
1. Define Your Scope
When identifying the scope of your PCI assessment, consider all processes, people, and technologies that interact with or affect the security of cardholder data.
It is crucial to clearly define what is included in your company’s PCI scope. This involves examining all locations, data flows, and systems that store, process, or transmit cardholder data, or could affect its security if compromised.
The PCI scope should be re-evaluated annually to ensure accuracy. Detailed documentation of how the scope was determined will help the assessor verify that scoping has been done correctly.
2. Look For a Qualified Security Assessor (QSA)
QSAs are the only assessors authorized to conduct PCI audits. (We’ll explain later how to choose a QSA for your audit.)
Many organizations outsource their PCI audits to an external QSA. If your company has internal auditors, ensure they are certified as Internal Security Assessors (ISAs) by the PCI Security Standards Council (PCI SSC). ISAs are trained and authorized to conduct PCI audits internally on an annual basis.
3. Manage a Gap Analysis
If you are pursuing PCI DSS compliance for the first time, it’s strongly recommended to conduct a gap analysis. This pre-audit assessment helps ease your compliance journey.
A gap analysis allows merchants and service providers to identify their current compliance posture before committing to a full PCI audit. Like an official audit, it is typically conducted by an ISA, QSA, or other qualified professional. The resulting report highlights findings and enables you to proactively address security gaps, potentially making the audit faster and more efficient.
4. Complete a QSA-led Assessment
After the gap analysis, the next step is for your QSA to conduct a thorough assessment. This assessment includes:
- Evaluating the documentation provided by the company
- Verifying that the required security controls are in place
- Interviewing the relevant team members
- Checking physical security controls
5. Address Security Issues
Once the assessment has been completed, the QSA will provide a documented list of findings and give you the opportunity to remediate any missing controls or vulnerabilities before the Report on Compliance (ROC) is issued.
Once your QSA has verified that all non-conformities have been resolved, they will send you a final ROC for review. Once it is approved, your ROC will signify to clients and stakeholders that you are PCI compliant.
6. Monitor PCI Security Standards Continuously
Receiving an approved ROC is not the end of your PCI compliance journey. Organizations that undergo QSA-led audits must repeat them annually.
Between audits, your business is responsible for continuously monitoring and maintaining PCI DSS compliance. If your operations change, for example, adopting a new technology or launching a new payment method, you’ll need to reassess and potentially adjust your PCI scope accordingly.
Because continuous compliance can be demanding, consider using the following tools and strategies:
- Perform regular ASV (Approved Scanning Vendor) scanning
- Use automated evidence collection tools
- Continuously monitor internal security controls and systems
- Complete and retain merchant risk assessments
How Do You Find a QSA for Your Audit?
Finding the right Qualified Security Assessor (QSA) is a key step in preparing for your PCI DSS audit. The PCI Security Standards Council (PCI SSC) website offers a searchable, up-to-date list of approved QSA companies (QSACs) and their certified assessors.
You can filter the list by region, market focus, supported languages, and industry experience. Since each company’s environment is different, it's important to choose a QSA with relevant experience in your specific industry.
Once you’ve narrowed down your options, review the profiles of individual assessors to ensure they have the right expertise. Don’t hesitate to contact the companies directly to ask about the QSA’s background, certifications, or relevant industry experience.
To help refine your search further:
- Ask for testimonials or client referrals.
- Look for companies with a high renewal rate (ideally 50% or higher).
- Choose a QSA partner that aligns with your business goals and can clearly explain the audit process.
What If You Fail a PCI Audit?
A PCI audit is not a simple pass-or-fail test. Instead, it should be viewed as an opportunity to evaluate the effectiveness of your organization’s existing security controls and strengthen them where necessary. If your QSA (Qualified Security Assessor) identifies vulnerabilities in how your organization handles cardholder data, you may be marked as non-compliant in those specific areas. However, this is not the end of the road: your QSA will provide guidance to help you make the necessary changes and ultimately achieve PCI compliance.
Identifying issues during the audit phase is a good thing. Addressing them early can help prevent more serious non-compliance issues down the line, which could lead to significant reputational damage and financial penalties.
Looking for a Trusted QSA Partner?
RedSecLabs is a trusted provider of PCI DSS consulting and audit services, helping businesses of all sizes achieve and maintain compliance. Their team of experts supports clients through every step of the process, from gap analysis to certification.