
PCI DSS v4.0: What Merchants Need to Know


James Adeyemi

Security & Compliance Lead, Orchestrate

February 10, 2026 6 min read

PCI DSS v4.0 is now fully in effect. v3.2.1 was retired on 31 March 2024, and the 51 future-dated v4.0 requirements, which were only best practice until then, became mandatory on 31 March 2025. The current published version is v4.0.1, a limited revision that clarifies wording but adds no requirements; v4.0 itself was retired on 31 December 2024 in its favour. If you are still operating under v3.2.1 assumptions, you may already be out of compliance. Here is what has changed and what you need to do.

The biggest changes in v4.0

PCI DSS v4.0 introduced 64 new requirements and reworded many existing ones. Thirteen of the new requirements applied immediately and the remaining 51 were future-dated to 31 March 2025. The most impactful for payment teams:

1. Multi-factor authentication for all access into the CDE

Under v3.2.1, MFA was required only for non-console administrative access and for remote access from outside the entity's network. Requirement 8.4.2 now requires MFA for all access into the cardholder data environment (CDE), so developer access, support tooling and internal dashboards that reach into the CDE all need it. The stated exceptions are application and system accounts performing automated functions, and user accounts on point-of-sale terminals that can access only one card number at a time to complete a single transaction. Requirement 8.5.1 also sets a bar for the MFA system itself: it must not be susceptible to replay attacks, it must not be bypassable by any user (including administrators) except under a documented, management-approved and time-limited exception, it must use at least two different factor types, and it must require all factors to succeed before access is granted, without revealing which factor failed.

2. Targeted risk analysis and the customised approach

v4.0 adds two forms of flexibility, and both rest on a documented targeted risk analysis. First, requirements whose frequency is described as "periodic" (for example, how often log reviews for lower-risk systems run, or how often payment page change detection under 11.6.1 runs) let you set the frequency yourself, provided a targeted risk analysis per Requirement 12.3.1 supports the choice. Second, the customised approach lets an organisation meet a requirement's stated objective with a different control from the one the standard defines, backed by a targeted risk analysis per Requirement 12.3.2 and tested by the assessor with procedures derived for that specific control. This adds flexibility but also demands more documentation of your risk decisions, and the customised approach is only available to entities assessed by a QSA for a Report on Compliance, not to merchants completing a self-assessment questionnaire.

3. Payment page script management

Requirement 6.4.3 requires that every script loaded and executed in the consumer's browser on a payment page is managed: you need a method to confirm each script is authorised, a method to assure the integrity of each script, and an inventory of all scripts with a written justification for why each one is necessary. That covers third-party tags (analytics, chat widgets, tag managers) as well as your own code, and the requirement's guidance points to Subresource Integrity (SRI), Content Security Policy (CSP) and script or tag management systems as ways to implement it. This is a major new burden for in-house checkout pages. Merchants who fully outsource the payment page to a redirect or iframe may be eligible for SAQ A, which since its 2025 revision no longer tests 6.4.3 and 11.6.1 directly but instead requires the merchant to confirm that its site is not susceptible to script attacks that could affect the e-commerce system, so the same controls are still expected on the page that embeds the iframe; confirm the current eligibility criteria with your QSA.

4. Payment page change and tamper detection

Requirement 11.6.1 is the detection counterpart to 6.4.3. A change- and tamper-detection mechanism must alert personnel to unauthorised modification (including indicators of compromise, changes, additions and deletions) of the HTTP headers and the script contents of payment pages as received by the consumer browser. The check must run at least once every seven days, or at a frequency set by a targeted risk analysis. In practice this means an automated job that fetches the checkout page the way a customer's browser would and compares the response headers and every script against a known-good baseline.

How Orchestrate helps

Orchestrate's hosted checkout is certified as a PCI DSS Level 1 service provider, the level with the most stringent validation (an annual on-site assessment by a QSA and a Report on Compliance). If you use our hosted payment page or iframe-based embedded components, cardholder data never touches your servers or your page's DOM, which dramatically reduces your compliance scope. How much it reduces depends on the integration: a full redirect or iframe keeps a merchant eligible for SAQ A, whereas a form that collects card data in your own page before handing it to a processor, even via JavaScript, falls under SAQ A-EP and brings 6.4.3 and 11.6.1 back into your own scope.

Specifically, we handle:

  • End-to-end encryption of all card data
  • Tokenisation so you never store raw PANs
  • Script integrity monitoring on all payment pages we host
  • Annual Level 1 QSA assessment, and SAQ A eligibility for merchants whose payment page is delivered entirely by us (redirect or iframe)

What you should do now

  1. Review your most recent ROC or SAQ against v4.0.1, paying particular attention to the 51 requirements that became mandatory in March 2025
  2. Inventory every script on your payment pages, record a written justification for each, and enforce integrity with SRI and a Content Security Policy
  3. Implement MFA for all access into the CDE, and confirm the MFA system meets the 8.5.1 criteria
  4. Deploy change and tamper detection for payment page headers and scripts, running at least weekly
  5. If you are self-hosting payment forms, consider migrating to a hosted solution