The 31 March 2025 deadline for PCI DSS v4.0.1's future-dated requirements has passed. Every UK merchant and service provider that handles cardholder data should now be operating under the full v4.0.1 ruleset — yet our consultants continue to find organisations still running v3.2.1 control narratives, partial SAQ submissions, and authenticated scans that haven't been refreshed since the transition.
This isn't a paperwork exercise. Acquiring banks are starting to ask for evidence of the 51 future-dated requirements, and the PCI Security Standards Council formally retired v3.2.1 on 31 March 2024. If your last Self-Assessment Questionnaire (SAQ) was signed off before then, you are out of date.
Here's what UK firms — from e-commerce SMEs to Level 1 service providers — need to have closed out, and what to do if you haven't.
What changed in PCI DSS v4.0.1
PCI DSS v4.0 was published in March 2022. The minor revision v4.0.1 followed in June 2024, clarifying ambiguities around scoping, multi-tenant service providers, and the customised approach. The standard itself runs to 12 core requirements built around six control objectives, but the operational shift is in how compliance is evidenced.
Two phases mattered:
- 31 March 2024: v3.2.1 retired. All assessments from this date forward must use v4.0 or v4.0.1.
- 31 March 2025: The 51 future-dated requirements became mandatory. These were "best practice" during the transition window and are now in full force.
The future-dated requirements aren't trivial. They include mandatory targeted risk analyses for any control using a defined frequency (Requirement 12.3.1), automated mechanisms for log reviews (10.4.1.1), client-side script integrity for payment pages (6.4.3 and 11.6.1), and multi-factor authentication for all access into the cardholder data environment — not just remote or administrative access (8.4.2).
These additions represent a fundamental shift from checkbox compliance toward continuous assurance. The PCI Council's intent is clear: a SAQ signed off annually without ongoing monitoring between assessments no longer meets the spirit of the standard.
Why this matters for UK merchants right now
The UK has no statutory PCI DSS regulator. Enforcement runs through your acquiring bank under your merchant agreement, and through the card schemes (Visa, Mastercard, American Express). A breach involving cardholder data also triggers UK GDPR and Data Protection Act 2018 obligations — the ICO will ask whether you were meeting "appropriate technical and organisational measures" under Article 32, and PCI DSS is the de facto benchmark.
The practical pressure points in 2025:
Acquirer evidence requests are getting harder. Several UK acquirers now explicitly ask that the Attestation of Compliance (AOC) reference v4.0.1. Submitting a v3.2.1 AOC will get bounced. Our team has seen acquirers go further, requesting recent ASV scan evidence and compensating control documentation before renewing merchant service agreements.
Client-side script attacks (Magecart-style skimmers) are exactly what Requirements 6.4.3 and 11.6.1 target. If you operate any e-commerce checkout with third-party scripts, you must now inventory, justify, and monitor every script on the payment page. This is the single most common gap our team finds. The attack surface here is substantial: analytics tags, chatbot widgets, marketing pixels, and AB testing frameworks can all introduce skimming vectors if not properly controlled.
SAQ eligibility has tightened. The customised approach in v4.0.1 is powerful but only available to organisations completing a full Report on Compliance — not SAQ-eligible merchants. The customised approach rewards organisations that have genuinely embedded security controls into their operations, allowing them to define alternative control implementations that meet the intent of each requirement.
Knowing your SAQ validation type
Most UK merchants self-assess. Getting the right SAQ matters because each one carries a different control set. Selecting the wrong SAQ type is one of the most common compliance errors we encounter.
- SAQ A: E-commerce merchants who fully outsource cardholder data handling to a PCI-validated third party (e.g. redirect or iframe to Stripe, Worldpay). Under v4.0.1, even SAQ A merchants now have script management obligations — a change that caught many redirect-only merchants off guard.
- SAQ A-EP: E-commerce merchants whose website affects the security of the payment transaction but does not store, process, or transmit cardholder data on their own servers. The distinction between SAQ A and SAQ A-EP rests on whether the merchant's website could affect the security of the payment transaction — a determination that requires careful technical analysis.
- SAQ B / B-IP: Merchants using standalone or IP-connected payment terminals only. These cover physical retail environments where card data never touches the merchant's general IT systems.
- SAQ C / C-VT: Merchants with payment application systems or virtual terminals. The control set here expands significantly because the merchant's systems are more directly involved in payment processing.
- SAQ D: Everyone else — including all service providers eligible to self-assess, and merchants storing cardholder data. This is the most demanding SAQ, carrying the full control set.
Pick the wrong SAQ and you're either over-scoping (wasting effort) or under-scoping (non-compliant). The trap our consultants see most often: SAQ A merchants who added a JavaScript payment library to their checkout and didn't realise they'd moved themselves into SAQ A-EP territory, inheriting a substantially larger control set.
Practical steps to close out now
If you haven't formally completed v4.0.1 validation, work this sequence:
- Re-scope. Map every system, network segment, and third party that stores, processes, or transmits cardholder data, or that could affect the security of those that do. Document the data flow. Most scope creep happens here — particularly when development teams deploy new services without a PCI impact assessment.
- Confirm your SAQ type against the eligibility criteria in the SAQ Instructions and Guidelines document. Don't reuse last year's choice without checking. Changes to your checkout flow, hosting arrangement, or third-party integrations may have changed your classification.
- Run the targeted risk analyses required under 12.3.1 for every control where you define the frequency yourself (e.g. how often you review firewall rules, scan for malware, rotate keys). These risk analyses must be documented, specific to each control, and signed off by management.
- Inventory payment page scripts. Document every script, why it's there, and how its integrity is assured. Implement Subresource Integrity (SRI) or a tamper-detection mechanism. This is a continuous obligation — every time a developer adds a new tag to the checkout page, the inventory must be updated.
- Extend MFA to all non-console access into the CDE, not just administrators. This includes contractors, vendors, and any support personnel who can access the cardholder data environment.
- Refresh your ASV scans with an approved scanning vendor — quarterly, passing, and against the current external attack surface. Remember that each quarterly scan must pass; a failed scan cannot be retroactively resolved with a clean follow-up.
Common mistakes we see
Treating PCI DSS as an annual paperwork sprint. The standard is built around continuous controls; the AOC is a snapshot of an ongoing programme. If you can't show evidence between assessments, you'll fail the next one. Our consultants recommend implementing continuous compliance monitoring rather than annual evidence gathering.
Assuming a hosted checkout removes all obligations. It reduces scope dramatically, but SAQ A still applies and v4.0.1 added script controls that catch out small e-commerce operators using Shopify, WooCommerce, or Magento with third-party plug-ins. The attack surface introduced by analytics, personalisation, and chat widgets on payment pages is significant.
Confusing PCI DSS with Cyber Essentials. They overlap but don't substitute. Cyber Essentials is a UK baseline for basic cyber hygiene; PCI DSS is a contractual requirement under your merchant agreement with specific technical controls for payment card environments. Holding Cyber Essentials certification does not satisfy PCI DSS requirements.
Frequently asked questions about PCI DSS v4.0.1 compliance
What happens if a business misses the 31 March 2025 deadline?
The deadline has passed, but if you have not yet achieved v4.0.1 compliance, your acquiring bank may impose penalties, increase transaction fees, or suspend your merchant facility. The severity of the response depends on your processing volume and the specific terms of your merchant agreement. Our team advises immediate engagement with your acquirer and a documented remediation plan.
Do we need a Qualified Security Assessor (QSA) for v4.0.1?
Only Level 1 merchants (over 6 million transactions annually) and service providers are required to use a QSA for their annual assessment. SAQ-eligible merchants can self-assess using the appropriate SAQ template — but the v4.0.1 requirements are significantly more detailed, and our consultants frequently see self-assessments that miss key controls, particularly around script integrity and targeted risk analyses.
Can an organisation comply with PCI DSS v4.0.1 using the customised approach?
Yes, but only if you are completing a full Report on Compliance through a QSA, not an SAQ. The customised approach allows organisations to define alternative controls that meet each requirement's intent, rewarding well-designed programmes that go beyond checkbox compliance. It requires documenting a detailed control narrative and supporting rationale for each requirement.
How does PCI DSS relate to UK GDPR obligations?
A breach of cardholder data is also a personal data breach under UK GDPR and the Data Protection Act 2018. The ICO will consider whether your PCI DSS compliance demonstrates "appropriate technical and organisational measures" under Article 32. Demonstrable PCI DSS compliance strengthens your position in any ICO investigation following a payment card incident.
How Pyralink helps
Pyralink Innovation Ltd advises UK merchants and service providers on PCI DSS v4.0.1 compliance. Led by Michael Adedeji (CISM, CISA, CC, MSc Data Science), our team specialises in bridging the gap between payment card security standards and broader information security programmes, including ISO 27001 alignment.
Our consultants conduct gap assessments, scope reviews, SAQ validation, and targeted risk analyses. We integrate PCI DSS controls into your existing compliance framework rather than running them as a standalone workstream. Through our CloudAuditX platform, we provide continuous visibility of cloud configurations that support your cardholder data environment, reducing the manual evidence-gathering burden between assessments.
For organisations managing PCI DSS alongside ISO 27001, SOC 2, or UK GDPR obligations, our fractional vCISO service (from £497/month) provides ongoing governance that keeps your compliance posture current between annual cycles.