By Ryan Windt | Head of Growth Marketing | Updated April 2026
Executive Summary
PCI DSS v4.0 has been fully in effect since March 2025. Organizations that have not yet addressed the payment-page script controls, expanded MFA requirements, and Targeted Risk Analysis framework are now operating out of compliance, and that gap shows up directly in cyber insurance underwriting.
This guide covers what changed, what is required now, and how to build the carrier-ready evidence pack that speeds up quotes, reduces claim-time surprises, and demonstrates to underwriters that your controls are real.
If you are also working through what underwriters expect beyond PCI, the cyber insurance requirements and minimum controls checklist covers the full picture.
What Is PCI DSS 4.0 and Why Does It Matter for Cyber Insurance?
PCI DSS (Payment Card Industry Data Security Standard) is the security framework that governs how organizations handle cardholder data. Version 4.0 introduced significant updates to authentication requirements, payment-page security, and risk analysis methodology.
For cyber insurance purposes, PCI DSS compliance matters in two ways. First, underwriters treat PCI controls as evidence of a mature security posture, which affects both eligibility and pricing. Second, if you experience a payment card breach and your PCI controls were inadequate, that gap becomes part of the claims review.
The organizations most directly affected are retailers and e-commerce businesses, payment processors, financial services firms, and any MSP or technology company that touches cardholder data environments on behalf of clients.
For a broader look at how compliance requirements intersect with coverage, see our post on cyber insurance for financial services firms.
How PCI DSS 4.0 Rolled Out
PCI DSS v4.0 was released in 2022 with a phased transition. Many of the most significant requirements were initially marked “future-dated” to give organizations time to implement them. That window has closed.
Here is where things stand today:
- 2022: PCI DSS v4.0 released, replacing v3.2.1 as the current standard.
- March 2024: PCI DSS v3.2.1 officially retired. All assessments moved to v4.0.
- June 2024: v4.0.1 issued with clarifications and minor corrections. No change to compliance objectives.
- March 2025: All future-dated requirements became mandatory. Organizations that had not implemented them were immediately out of compliance.
As of April 2026, PCI DSS v4.0 is simply the standard. There is no grace period remaining and no legacy version to fall back on.
Why underwriters care: Carriers increasingly ask for documented proof that PCI controls are live, not just attested. Organizations that can produce that evidence move through underwriting faster and with fewer follow-up requests.
The Four Changes That Still Trip Organizations Up
1. Payment-Page and Client-Side Script Security
This is the area where most organizations are still playing catch-up, and it is one of the first things underwriters ask about for any e-commerce business.
Requirement 6.4.3 requires a maintained inventory of every client-side script running on payment pages, with each script authorized and documented with a stated purpose and justification.
Requirement 11.6.1 requires active tamper and change detection on payment pages, with alerts generated when unauthorized modifications occur.
These two requirements exist because of Magecart-style attacks, where malicious scripts injected into a checkout page silently skim payment card data as customers enter it. The controls are designed to catch both the injection and any unauthorized change to the page environment.
One clarification worth noting: scripts used solely for 3-D Secure (3DS) processing generally fall within the trust boundary of your 3DS provider. All other client-side scripts require inventory, authorization, and monitoring.
What an underwriter will ask: Provide the script register for your payment pages and an example of an alert generated when a payment-page resource changed.
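To make the two requirements concrete, here is an added illustration (not code from the original post or from any assessor or vendor tool) of what a 6.4.3 script register and an 11.6.1 change check look like side by side: every script on a checkout page is identified (external ones by URL, inline ones by a hash of their body), compared with the authorized register, and any unknown, missing or altered script becomes the content of an alert. The register, the page snippets and the SRI value are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect every <script>: external ones keyed by src, inline ones by a hash of their body."""
    def __init__(self):
        super().__init__()
        self.scripts = {}    # identity -> integrity attribute (None when absent)
        self._inline = None  # text buffer while inside an inline <script>
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts[a["src"]] = a.get("integrity")
            else:
                self._inline = []
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.scripts["inline:" + hashlib.sha256(body).hexdigest()] = None
            self._inline = None

def check_payment_page(html, register):
    """Compare the page's scripts with the authorized register (6.4.3) and return the
    findings an 11.6.1 change-detection alert should carry."""
    c = ScriptCollector()
    c.feed(html)
    unauthorized = sorted(i for i in c.scripts if i not in register)
    missing = sorted(i for i in register if i not in c.scripts)
    tampered = sorted(i for i, seen in c.scripts.items()
                      if i in register and register[i]["integrity"] not in (None, seen))
    return {"unauthorized": unauthorized, "missing": missing, "tampered": tampered,
            "clean": not (unauthorized or missing or tampered)}

# Constructed register: every authorized script has a stated purpose; external ones also
# carry the approved SRI value (placeholder string here, not a real digest).
BOOT = b"initCheckout({currency: 'USD'});"
REGISTER = {
    "https://js.psp.example/checkout.js": {"purpose": "PSP hosted card fields",
                                           "integrity": "sha384-APPROVEDPLACEHOLDER"},
    "inline:" + hashlib.sha256(BOOT).hexdigest(): {"purpose": "checkout bootstrap", "integrity": None},
}
PSP = '<script src="https://js.psp.example/checkout.js" integrity="sha384-APPROVEDPLACEHOLDER"></script>'
BASELINE = PSP + "<script>initCheckout({currency: 'USD'});</script>"
# Same page after an unreviewed third-party tag appeared and the inline bootstrap was edited.
CHANGED = PSP + '<script src="https://tags.unknown.example/t.js"></script>' \
              + "<script>initCheckout({currency: 'USD', debug: true});</script>"
```

Run against a live page, the output of `check_payment_page` for BASELINE is the "clean" state worth filing with the register, and the output for CHANGED is the kind of alert an underwriter asks to see.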
2. Expanded MFA Requirements (Requirement 8)
MFA has been a cyber insurance requirement for years, but PCI DSS v4.0 broadened its scope in ways that still catch organizations off guard.
MFA is now required for all access into the cardholder data environment, not just administrator accounts or remote access paths. This includes vendors, contractors, and any privileged access path into the CDE.
The minimum password length has also moved to 12 characters. If a legacy system cannot support 12 characters, the exception must be formally documented with a remediation timeline, and 8 characters enforced in the interim.
MFA is also one of the most scrutinized controls in cyber underwriting overall. Our MFA implementation guide for SMBs and MSPs covers what to deploy, how to document it, and exactly what carriers want to see on an application.
What an underwriter will ask: Screenshots or policy exports confirming MFA enforcement across all CDE access paths, including vendors and service accounts, plus password policy documentation showing the 12-character minimum.
3. Targeted Risk Analysis (TRA)
PCI v4.x replaced fixed, one-size-fits-all activity schedules with a formal risk-based methodology called TRA. Rather than requiring every organization to perform certain reviews or scans on the same frequency, TRA allows organizations to document the risk basis for the frequency they have chosen.
This is more work upfront but gives organizations defensible, tailored compliance documentation rather than checkbox schedules.
What an underwriter will ask: TRA write-ups showing the activity, chosen frequency, risk rationale, approver, and next review date.
4. Customized Approach
For organizations where the prescriptive requirements do not fit their environment, v4.0 formally introduced the Customized Approach: an alternative control set that must demonstrably achieve the same security objective.
It is flexible but documentation-heavy. You need to record the control objective, describe the alternative method, document testing and validation, and quantify residual risk.
What an underwriter will ask: Full design and testing documentation. Carriers scrutinize Customized Approach implementations more closely than standard compliance paths.
Build a Carrier-Ready Evidence Pack
The goal is a short, organized packet that works for both your PCI assessor and your cyber insurer. Aim for 5 to 8 pages of screenshots, policy exports, and diagrams, plus a one-page index.
If you are approaching a renewal, the cyber insurance renewal checklist walks through the broader evidence package carriers expect at that stage.
Authentication and passwords
- MFA enforcement screenshots covering all CDE access paths: users, admins, vendors, and any privileged or third-party paths.
- Password policy export confirming the 12-character minimum and documenting any exceptions with remediation timelines.
Payment-page controls
- Script inventory for all payment pages with owner, purpose, and last review date per Requirement 6.4.3.
- Tamper and change detection alert example mapped to Requirement 11.6.1.
Targeted Risk Analyses
- Completed TRA templates with frequency rationale, approver, next review date, and outcome for each applicable control.
Scope and segmentation
- A simple CDE diagram showing zones, data flows, and key security controls at each boundary.
- A short narrative of your network security controls approach using v4.x terminology.
Change summary (optional but recommended)
- A quarterly one-pager documenting major security changes that affect PCI scope. Carriers increasingly value this as evidence of ongoing control management, not just point-in-time compliance.
The Direct Connection to Cyber Insurance Claims
PCI compliance is not just about avoiding fines. It directly affects how a claim is evaluated after a breach involving payment card data.
When a claim is filed, carriers review the security controls that were in place at the time of the incident. If your MFA had gaps, your payment-page scripts were unmonitored, or your password policy did not meet the v4.0 standard, those facts enter the claims review. Depending on your policy language, they can affect whether a claim is paid, how much is paid, and whether the policy is renewed.
For a full walkthrough of what the claims process looks like, read our guide on how to file a cyber insurance claim. For a clear picture of the scenarios where coverage may not respond even when you have a policy in place, our post on cyber insurance exclusions is worth reading before your next renewal.
PCI DSS 4.0 and MSPs: What Your Clients Need From You
If you are an MSP that manages environments for clients who process payment card data, your clients’ PCI compliance posture is partly your responsibility. Carriers know this, and it shows up in MSP underwriting.
MSPs that can demonstrate they enforce PCI-aligned controls across client environments, document MFA for all privileged access, and maintain change detection on client payment infrastructure are materially easier to underwrite than those that cannot.
For more on how MSP-specific risk and client-environment exposure interact with cyber insurance, see cyber insurance for MSPs and our post on embedding cyber insurance into MSP services.
Frequently Asked Questions
Is PCI DSS 4.0 fully mandatory in 2026? Yes. All requirements, including those that were originally future-dated, have been mandatory since March 2025. There is no legacy version available and no remaining transition period.
What are the most common gaps organizations still have? Payment-page script inventory and tamper detection under Requirements 6.4.3 and 11.6.1 remain the most common gaps, followed by incomplete MFA coverage for vendor and third-party access paths.
Do we need 12-character passwords everywhere? Yes, across all systems in scope for PCI DSS. If a legacy system cannot support 12 characters, document the exception formally with an 8-character interim standard and a remediation timeline.
What is a TRA and how do we complete one? A Targeted Risk Analysis is a formal, documented method for choosing and justifying the frequency of certain security activities based on your specific risk environment. The PCI Security Standards Council provides templates and guidance.
Does PCI compliance automatically qualify us for cyber insurance? No, but it is a strong positive signal. Underwriters look at PCI compliance as part of a broader security posture assessment that also includes backups, incident response planning, endpoint protection, and access controls. See the cyber insurance requirements checklist for the full picture.
Do 3DS scripts need to be in the script inventory? Scripts used solely for 3DS processing are generally treated within the trust boundary of your 3DS provider. All other client-side scripts on payment pages require inventory, authorization, and ongoing monitoring.
What happens to our cyber insurance if we have a breach and we were not PCI compliant? It depends on your policy language, but non-compliance with PCI DSS is a factor that can affect how a claim is evaluated. Review your policy exclusions carefully and speak with your underwriter before an incident occurs. Our post on cyber insurance exclusions explains the common scenarios where coverage does not respond.
Compliance Checklist: Are You Carrier-Ready?
- MFA enforced for all CDE access (users, admins, vendors, third parties) with supporting documentation
- 12-character password minimum in place, with any legacy exceptions formally documented and tied to remediation timelines
- Payment-page script inventory and authorizations completed per Requirement 6.4.3
- Tamper and change detection alerts active on payment pages per Requirement 11.6.1
- TRA templates completed where applicable, with sign-offs and next review dates on file
- CDE diagram and segmentation narrative prepared and current
- Customized Approach implementations fully documented with testing and validation records
- Quarterly security change log maintained
Work With SeedPod Cyber
SeedPod Cyber writes cyber liability and Technology E&O policies for businesses, MSPs, and financial services firms that need coverage aligned with their actual risk and compliance posture. If you are working through PCI DSS 4.0 requirements and want to understand how they interact with your cyber coverage, we can help.
Visit seedpodcyber.com/contact-us to start the conversation.