By Framework · PCI DSS
Every PCI DSS 4.0.1 requirement is now in scope
The grace period is over. As of March 31, 2025, the future-dated requirements of PCI DSS version 4 are mandatory, and every assessment in 2026 is judged against version 4.0.1 in full. Anyone who stores, processes, or transmits cardholder data now has to prove it, not promise it.
The landscape
Version 4 raised the bar, and the deadline has passed
PCI DSS version 4.0.1 is the standard every 2026 assessment is measured against, and its once-future-dated requirements are now live. Multi-factor authentication is required for all access into the cardholder data environment, not just for administrators. Targeted risk analyses, tighter scripting and anti-phishing controls, and continuous rather than annual thinking are now the expectation, backed by the card brands and acquiring banks.
PCI is enforced through contracts, not a government regulator, which makes it relentless in its own way. Fail an assessment or suffer a breach, and the consequences arrive as fines, higher processing fees, and the loss of the ability to take card payments at all.
Why it is hard
Scope is the whole game
PCI applies to every system that touches cardholder data and everything connected to it, so the cardholder data environment sprawls across applications, networks, service providers, and payment vendors unless it is deliberately contained. A single control, say access management or logging, has to hold across all of it, and often answers to SOC 2 and ISO 27001 at the same time.
Managed in spreadsheets, that becomes uncertain scope, duplicated evidence, and a self-assessment questionnaire or report on compliance assembled in a panic at deadline instead of maintained all year.
How SimpleRisk fits
One control library, every obligation
SimpleRisk treats PCI the way it should be treated: as one connected set of controls, mapped once and proven to a QSA, an acquiring bank, or your own security team.
- Map once, satisfy many. Through the Secure Controls Framework, one control maps across PCI DSS, SOC 2, ISO 27001, NIST, and 250-plus frameworks, so you implement once and satisfy many at the same time.
- Close the version 4 gaps. Map the now-mandatory requirements to the controls you already have, and see exactly what is left to remediate before the assessment.
- Keep the environment in view. Track the systems, service providers, and payment vendors in scope, so the cardholder data environment does not quietly expand.
- Prove it on demand. Define tests, run audits, and produce exactly the evidence a self-assessment questionnaire or a report on compliance requires.
Walk into your PCI assessment already able to prove it
Start a free trial or book a demo, and see how SimpleRisk maps your controls to every requirement version 4.0.1 puts in scope.
Start a free trial