PCI DSS 4.0
What PCI DSS 4.0 is
PCI DSS (Payment Card Industry Data Security Standard) is the security standard that any business accepting card payments must comply with. Version 4.0 replaced PCI DSS 3.2.1, which was retired on 31 March 2024; the new requirements that v4.0 marked as "best practice" until then became mandatory on 31 March 2025. (A corrective revision, PCI DSS 4.0.1, superseded 4.0 at the end of 2024 without adding or removing requirements.) The standard is enforced by the card brands (Visa, Mastercard, American Express, Discover and JCB) through your acquiring bank: non-compliance can result in fines and the loss of your ability to accept card payments.
What changed in version 4.0
The operative changes that affect most small business operators (Level 4 merchants, which under Visa's tiers means up to 1 million Visa transactions a year with fewer than 20,000 of them e-commerce):
- Multi-factor authentication (MFA). Requirement 8.4.1 requires MFA for all non-console administrative access to the cardholder data environment, and 8.4.2 (mandatory since 31 March 2025) extends it to all access into that environment. This covers your POS admin panel: if it still allows password-only login, it is non-compliant.
- Passwords must be at least 12 characters (8 only where the system cannot support 12) and contain both letters and numbers (Requirement 8.3.6); a new password may not repeat any of the last four used (8.3.7); and where a password is the only authentication factor it must be changed at least every 90 days (8.3.9). Note that PCI DSS 4.0 does not itself mandate phishing-resistant authenticators.
- Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV scans, Requirement 11.3.2). Whether this applies to you depends on which SAQ you qualify for, so check the requirement list in your SAQ rather than assuming it does not.
- Targeted risk analysis (Requirement 12.3.1). For each requirement that lets you choose how often a control is performed, you must now document the analysis that justifies the frequency you chose.
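The password rules above are the easiest of these changes to test for yourself. The following is an added example, not code from the original page or from any POS vendor: a policy check for a hypothetical POS admin panel that mirrors Requirements 8.3.6 (length and composition, including the 8-character fallback for systems that cannot take 12), 8.3.7 (no reuse of the last four passwords) and 8.3.9 (90-day rotation only when the password is the sole factor). The password history, the account data and the date values are constructed for the example; the history is kept as salted PBKDF2 digests so the check never stores or compares plaintext.

```python
"""Password-policy check for a POS admin panel, mirroring PCI DSS 4.0
Requirements 8.3.6 (length and composition), 8.3.7 (no reuse of the last four)
and 8.3.9 (90-day rotation when a password is the only factor).
Added example: not code from the original page or from any POS vendor.
Assumption: the panel keeps a per-user password history; here it is kept as
salted PBKDF2 digests so the check never stores or compares plaintext."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date

MIN_LENGTH = 12             # 8.3.6: 12 characters where the system supports it
FALLBACK_MIN_LENGTH = 8     # 8.3.6: 8 characters only if the system cannot do 12
HISTORY_DEPTH = 4           # 8.3.7: a new password may not match any of the last four
MAX_PASSWORD_AGE_DAYS = 90  # 8.3.9: rotation period for password-only accounts


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (assumed storage format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class PasswordHistory:
    """Salted digests of previously used passwords, oldest first."""
    entries: list[tuple[bytes, bytes]] = field(default_factory=list)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt)))

    def reused(self, password: str) -> bool:
        # Only the most recent HISTORY_DEPTH entries count under 8.3.7.
        return any(
            hmac.compare_digest(_digest(password, salt), digest)
            for salt, digest in self.entries[-HISTORY_DEPTH:]
        )


def check_new_password(password: str, history: PasswordHistory,
                       supports_12_chars: bool = True) -> list[str]:
    """Return the list of violations; an empty list means the password is acceptable."""
    problems: list[str] = []
    min_len = MIN_LENGTH if supports_12_chars else FALLBACK_MIN_LENGTH
    if len(password) < min_len:
        problems.append(f"8.3.6: shorter than {min_len} characters")
    if not any(c.isalpha() for c in password):
        problems.append("8.3.6: contains no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("8.3.6: contains no numeric character")
    if history.reused(password):
        problems.append("8.3.7: matches one of the last four passwords")
    return problems


def rotation_overdue(last_changed: date, today: date, mfa_enforced: bool) -> bool:
    """8.3.9 applies only when the password is the sole factor; with MFA
    enforced on the account the 90-day clock does not apply."""
    if mfa_enforced:
        return False
    return (today - last_changed).days > MAX_PASSWORD_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample: an admin account on a hypothetical POS panel.
    history = PasswordHistory()
    for old in ("TillAdmin-2021", "TillAdmin-2022", "TillAdmin-2023", "TillAdmin-2024"):
        history.add(old)
    print(check_new_password("TillAdmin-2024", history))          # reuse of the most recent
    print(check_new_password("Correct-Horse-Battery-7", history))  # acceptable
    print(rotation_overdue(date(2025, 1, 1), date(2025, 4, 15), mfa_enforced=False))
```

The reuse check compares digests with `hmac.compare_digest` and never keeps plaintext, which matters because a password history is exactly the kind of data an attacker who reaches the admin panel's database would want. If your POS vendor runs the admin panel for you, the equivalent settings live in its account policy rather than in your code, but the rules it needs to enforce are the same.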
What it costs a typical Level 4 merchant
Based on Beacon Payments and Ignyte 2026 compliance briefings:
- Self-Assessment Questionnaire (SAQ): free to complete, but preparation time is estimated at 4–8 hours for SAQ-A (the simplest form, for card-not-present merchants who fully outsource payment processing) and 20–40 hours for SAQ-D (the catch-all for merchants who do not qualify for a simpler SAQ, including any that store cardholder data electronically)
- ASV external scans (quarterly, so four per year): £300–£600/yr through approved vendors
- Compliance programme overhead: £640–£4,000/yr all-in depending on business complexity
Which POS vendors handle PCI compliance for you
Most modern cloud-based POS vendors (Square, Toast, Shopify POS, Lightspeed) are validated as PCI Level 1 service providers, meaning they undergo their own annual assessment for the parts of the payment flow they run. That shrinks your scope but does not remove it: you still complete an SAQ for what remains on your side (terminals, the network they sit on, staff accounts). Which SAQ depends on the channel. E-commerce through the vendor's hosted payment page, with no cardholder data touching your systems, qualifies for SAQ-A (the simplest form); in-store terminals fall under SAQ B-IP, or SAQ P2PE if the terminal is part of a PCI-listed P2PE solution. Ask the vendor for its current Attestation of Compliance (AOC) and a responsibility matrix showing which requirements it covers and which remain yours.
Clover, sold through third-party resellers, varies by reseller and processor, so confirm your compliance scope and which SAQ applies with your reseller in writing.
Related pages
- PCI DSS 4.0 for merchants — full guide
- Square POS review — compliance scope under Square’s hosted environment
- EMV chip-and-PIN explained