
PCI DSS 4.0 (2025): The Changes That Matter—and What Insurers Want to See


Executive summary

As of March 31, 2025, most of PCI DSS v4.0’s “future-dated” items are now required. The big shifts: tighter payment-page script controls, broader MFA, stronger password standards, and the formal use of Targeted Risk Analyses (TRA) for setting certain control frequencies. If you package these updates into a concise, carrier-ready evidence pack, you’ll speed up underwriting, cut follow-ups, and reduce surprises at claim time.


1) Timeline & what “future-dated” actually meant

  • 2022: PCI DSS v4.0 released with a transition window and many items marked “future-dated.”
  • March 31, 2024: v3.2.1 retired.
  • June 2024: v4.0.1 issued—clarifications and clean-ups, not a shift in objectives.
  • March 31, 2025: The bulk of those future-dated requirements became mandatory.

Why insurers care: Underwriters increasingly ask for proof that these controls are live (or formally accepted as risk with a remediation path). Having that proof in hand accelerates quotes and binds.


2) The headline 2025 changes you can’t ignore

A) Payment-page, client-side script security

What changed:

  • Req 6.4.3: Keep an inventory of client-side scripts on payment pages, authorize them, and document purpose/justification.
  • Req 11.6.1: Deploy tamper/change detection on payment pages and alert on unauthorized modifications.

Why it exists: These two requirements target Magecart-style e-skimming, where an unauthorized or modified script runs in the shopper’s browser and captures card data as it is entered.

A nuance worth noting: Scripts used purely for 3-D Secure (3DS) typically fall under the trust boundary with your 3DS provider; other scripts still require inventory, authorization, and monitoring.

What an underwriter may ask: “Show the script register and an example alert when a payment-page resource changes.”


B) Authentication & passwords (Requirement 8)

  • MFA scope expanded: MFA should cover all access into the CDE—not just admin or remote entry points. Include vendors and privileged paths.
  • Passwords: Minimum 12 characters. If a legacy system can’t support 12, document the exception (with a remediation plan) and enforce 8 while you migrate.

Underwriting angle: Expect to provide screenshots or policy exports proving your MFA enforcement and password floor, including how you handle vendors and service accounts.


C) Targeted Risk Analysis (TRA)

PCI v4.x introduces TRA to justify how often certain activities occur (e.g., reviews, scans) based on documented risk—replacing fixed, one-size-fits-all schedules where allowed. The Council provides guidance and templates.

Underwriting angle: Be ready to share TRA write-ups showing the frequency, rationale, approver, and review cadence.


D) “Customized Approach”

When prescriptive steps don’t fit, v4.0 allows a Customized Approach—alternative controls that still meet the objective. It’s flexible, but you’ll need solid documentation and validation.

Underwriting angle: If you use this path, carriers will dig deeper into design, testing, and results.


3) Build a carrier-ready evidence pack (lightweight and fast)

Create a short packet that works for both PCI assessment and cyber underwriting—ideally 5–8 pages of screenshots/exports plus a 1-page index.

Include:

  1. Authentication & Passwords
    • MFA enforcement screenshots showing all paths into the CDE (users, admins, vendors).
    • Password policy export showing the 12-character minimum and any documented exceptions with timelines.
  2. E-commerce client-side controls
    • Script inventory/register for payment pages with owner, purpose, and last review.
    • Tamper/change-detection alert example (mapped to Req 11.6.1).
  3. Targeted Risk Analyses (TRA)
    • The TRA template(s) used, with frequency rationale, approver, next review date, and outcome.
  4. Scope & segmentation
    • A simple CDE diagram (zones, data flows, key security controls) and a brief narrative of your “network security controls” approach under v4.x terminology.
  5. Change summary (optional)
    • A quarterly one-pager calling out major security changes that affect PCI scope.

4) Closing the common 2025 gaps—step by step

  1. Harden the payment page
    • Inventory & authorize every script executing on payment pages (Req 6.4.3).
    • Implement tamper/change detection with alerts (Req 11.6.1).
  2. Extend MFA everywhere it counts
    • Confirm MFA for every entry path into the CDE (users/admins/vendors, jump boxes, SSO edges, APIs).
    • Capture enrollment and failure-mode screenshots.
  3. Lift passwords to 12+
    • Enforce 12 characters across the board; isolate true legacy exceptions at 8 with a remediation timeline.
  4. Adopt TRA where permitted
    • Use the Council’s template; document risk basis, chosen frequency, and sign-offs.
  5. Use Customized Approach when necessary
    • Record the control objective, alternative method, validation/testing, and residual risk.
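
A minimal script-register check for the payment-page controls in section 2A and step 1 above, added here as an illustration rather than SeedPod’s or the Council’s tooling: it parses the served checkout HTML, diffs every script against an authorized register (name, owner, purpose, plus src with an expected SRI value for external scripts or a SHA-256 of the body for inline ones), and returns findings a change-detection monitor could alert on. All names, URLs and the SRI value are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser

class _Scripts(HTMLParser):
    """Collect every <script> on the page: its src/integrity attributes or its inline body."""
    def __init__(self):
        super().__init__()
        self.found, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.found.append(self._cur)
            self._cur = None

def audit_payment_page(html, register):
    """Diff page scripts against the 6.4.3 register: src (+ expected SRI) or sha256 of inline body."""
    p = _Scripts()
    p.feed(html)
    by_src = {e["src"]: e for e in register if e.get("src")}
    by_hash = {e["sha256"]: e for e in register if e.get("sha256")}
    findings, seen = [], set()
    for s in p.found:
        digest = hashlib.sha256(s["body"].strip().encode()).hexdigest()
        entry = by_src.get(s["src"]) if s["src"] else by_hash.get(digest)
        if entry is None:  # not in the register: injected, swapped or modified script
            findings.append(("unauthorized_external" if s["src"] else "unauthorized_inline", s["src"] or digest))
            continue
        seen.add(entry["name"])
        if entry.get("integrity") and s["integrity"] != entry["integrity"]:
            findings.append(("integrity_mismatch", s["src"]))  # SRI stripped or changed
    for e in register:  # an authorized script disappearing is also a change worth an alert
        if e["name"] not in seen:
            findings.append(("missing_authorized", e["name"]))
    return sorted(findings)  # empty list means the served page matches the register

# Constructed register and page: hypothetical names, URLs and SRI value, not real data.
INLINE_OK = "window.checkoutConfig = {currency: 'USD'};"
REGISTER = [{"name": "psp-fields", "owner": "Payments", "purpose": "hosted card fields",
             "src": "https://js.psp.example/v1/fields.js", "integrity": "sha384-EXPECTED"},
            {"name": "config", "owner": "Web", "purpose": "checkout config",
             "sha256": hashlib.sha256(INLINE_OK.encode()).hexdigest()}]
PAGE = ('<script src="https://js.psp.example/v1/fields.js" integrity="sha384-EXPECTED"></script>\n'
        f'<script>{INLINE_OK}</script>\n'
        '<script src="https://cdn.unknown-vendor.example/analytics.js"></script>\n')
```

Run against a scheduled fetch of the live checkout page, the non-empty result (here the unregistered analytics script) is the kind of alert an underwriter asks to see as 11.6.1 evidence; the register itself doubles as the 6.4.3 inventory.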

5) FAQ

What flipped on March 31, 2025?
The transition ended for most future-dated items in v4.0, making them mandatory—notably the e-commerce script controls and expanded authentication requirements.

Do we really need 12-character passwords?
Yes—12 is the new standard. If a system can’t handle it, document the exception and remediation plan; enforce 8 until you migrate.

Is MFA now required for everyone or just admins?
v4.0 expands MFA to all access into the CDE. Make sure vendor and privileged paths are covered.

What is a TRA in practice?
A formal, Council-guided method to set risk-based frequencies for certain activities, with rationale and approvals.

Do 3DS scripts fall under the script-inventory requirement?
Scripts used solely for 3DS are generally treated within the trust boundary of your 3DS provider; other client-side scripts still need inventory/authorization and monitoring.


6) Quick checklist: “Are we carrier-ready?”

  • MFA enforced for all CDE access (users, admins, vendors), with evidence
  • 12-character password minimum (exceptions documented with timelines)
  • Payment-page script inventory & approvals (Req 6.4.3)
  • Tamper/change-detection alerts on payment pages (Req 11.6.1)
  • TRA templates completed where applicable, with sign-offs
  • CDE diagram + short segmentation narrative
  • Optional: quarterly security change log

7) Contact SeedPod Cyber

Have questions or want a quick readiness review? Contact SeedPod Cyber.
In one short session, we’ll (1) spot gaps against PCI 4.0, (2) share carrier-ready evidence templates, and (3) outline a fast path to quotes and bind.

Web: https://seedpodcyber.com


Sources & further reading

Guidance for PCI DSS Scoping and Network Segmentation (PDF):
https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf

PCI DSS v4.0.1 Standard (PDF):
https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf

Summary of Changes from PCI DSS v3.2.1 to v4.0 (PDF):
https://listings.pcisecuritystandards.org/documents/PCI-DSS-v3-2-1-to-v4-0-Summary-of-Changes-r1.pdf

Countdown to PCI DSS v4.0 (transition dates and deadlines):
https://blog.pcisecuritystandards.org/countdown-to-pci-dss-v4.0

“Now is the Time to Adopt the Future-Dated Requirements” (51 of 64 effective March 31, 2025):
https://blog.pcisecuritystandards.org/now-is-the-time-for-organizations-to-adopt-the-future-dated-requirements-of-pci-dss-v4-x

FAQ on how Requirement 6.4.3 applies to 3DS scripts:
https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/how-does-pci-dss-requirement-6-4-3-apply-to-3ds-scripts-called-from-a-merchant-check-out-page-as-part-of-3ds-processing/

Information Supplement on payment page security and preventing e-skimming (guidance for 6.4.3 and 11.6.1), announcement:
https://blog.pcisecuritystandards.org/new-information-supplement-payment-page-security-and-preventing-e-skimming

Podcast on the e-commerce requirements effective after March 31, 2025 (6.4.3 and 11.6.1):
https://blog.pcisecuritystandards.org/coffee-with-the-council-podcast-guidance-for-pci-dss-e-commerce-requirements-effective-after-31-march-2025

Targeted Risk Analysis (TRA) guidance, announcement:
https://blog.pcisecuritystandards.org/just-published-pci-dss-v4-x-targeted-risk-analysis-guidance

Risk Assessment Guidelines (PDF):
https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf

Scoping and Segmentation guidance for modern network architectures (information supplement), announcement:
https://blog.pcisecuritystandards.org/new-information-supplement-pci-dss-scoping-and-segmentation-guidance-for-modern-network-architectures
