
PCI DSS v4.0.1: What Changes in 2026 and How to Prepare

Batkhuyag Ganbold Lead QSA, Infosec Intelligence
2026-02-18

Executive Summary

The PCI Security Standards Council (PCI SSC) released PCI DSS v4.0.1 in December 2025, introducing targeted refinements to the v4.0 framework that took effect in March 2024. While v4.0.1 is not a major version change, it includes critical clarifications and new technical requirements that every organization handling payment card data must understand.

As Mongolia's first and only PCI DSS Qualified Security Assessor, Infosec Intelligence has analyzed every change in the updated standard. This guide covers the 12 most impactful updates and provides a practical preparation roadmap.

Deadline alert: All v4.0.1 future-dated requirements become mandatory on March 31, 2026. Organizations must be compliant by this date or face potential fines and increased assessment scope.

Key Changes in v4.0.1

The update introduces 12 notable changes across multiple requirements. Here are the most significant:

1. Targeted Risk Analysis Clarification (Req. 12.3.1)

The most discussed change. PCI SSC has clarified that targeted risk analyses must be performed for each PCI DSS requirement that provides flexibility in how frequently a control is performed. This means organizations can no longer rely on a single enterprise-wide risk assessment.

2. Enhanced Authentication Requirements (Req. 8.3.6)

Multi-factor authentication (MFA) is now required for all access into the cardholder data environment (CDE), not just remote access. This includes console access, application-level access, and service accounts where technically feasible.

Configuration Example
# Example: Enforcing MFA on CDE access points
# /etc/pam.d/sshd — CDE Jump Server
auth required pam_google_authenticator.so
auth required pam_unix.so

# The PAM auth stack is only consulted for SSH logins when sshd_config also has
# UsePAM yes, KbdInteractiveAuthentication yes and
# AuthenticationMethods publickey,keyboard-interactive (a bare key alone bypasses PAM)

# Verify MFA enforcement
$ grep -c "pam_google_authenticator" /etc/pam.d/sshd
1    # MFA module active
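The PAM lines above are only half of the control: sshd must also route every login through keyboard-interactive authentication, or a public key alone completes the login without the OTP. The following Python audit is an added example, not code from the original post; the sample file contents and the paths /etc/ssh/sshd_config and /etc/pam.d/sshd it names are constructed assumptions.

```python
# Added example (not from the post): audit sshd_config + pam.d/sshd for MFA enforcement.
import re

def parse_sshd_config(text):
    """Effective sshd_config directives as {lowercase keyword: [values]}."""
    opts = {}
    for raw in text.splitlines():
        m = re.match(r"(\w+)[\s=]+(.+)", raw.split("#", 1)[0].strip())
        if m:
            opts.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return opts

def audit_mfa(sshd_config, pam_sshd):
    """Return findings; an empty list means SSH logins cannot skip the OTP."""
    findings, opts = [], parse_sshd_config(sshd_config)
    if opts.get("usepam", ["no"])[-1].lower() != "yes":
        findings.append("UsePAM is not yes: the PAM OTP module never runs")
    # keyboard-interactive is the SSH method that drives the PAM auth stack
    kbd = opts.get("kbdinteractiveauthentication",
                   opts.get("challengeresponseauthentication", ["yes"]))[-1]
    if kbd.lower() != "yes":
        findings.append("keyboard-interactive disabled: OTP prompt is skipped")
    # every permitted method chain must include keyboard-interactive, or a
    # bare public key / password alone completes the login (one factor)
    chains = opts.get("authenticationmethods", [""])[-1].split()
    if not chains or any("keyboard-interactive" not in c.split(",") for c in chains):
        findings.append("AuthenticationMethods does not require keyboard-interactive")
    otp = [l.split() for l in pam_sshd.splitlines()
           if "pam_google_authenticator.so" in l and not l.lstrip().startswith("#")]
    if not otp:
        findings.append("pam_google_authenticator.so absent from /etc/pam.d/sshd")
    for parts in otp:
        if parts[0] != "auth" or parts[1] not in ("required", "requisite"):
            findings.append(f"OTP module control is {parts[1]!r}: must be required")
        if "nullok" in parts:
            findings.append("nullok lets users with no enrolled token skip OTP")
    return findings

# Constructed samples (assumed paths: /etc/ssh/sshd_config, /etc/pam.d/sshd)
GOOD_SSHD = """UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
"""
GOOD_PAM = "auth required pam_google_authenticator.so\nauth required pam_unix.so\n"
WEAK_SSHD = "UsePAM yes\nKbdInteractiveAuthentication no\n"
WEAK_PAM = "auth sufficient pam_google_authenticator.so nullok\nauth required pam_unix.so\n"
```

Run `audit_mfa` against the real files on each CDE jump host and treat any non-empty result as a Req. 8.3.6 gap to close before the assessment.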

3. Automated Log Review (Req. 10.4.1.1)

Manual log review is no longer acceptable for most environments. Organizations must implement automated mechanisms to perform audit log reviews. This effectively mandates SIEM or equivalent log management solutions.

QSA Insight: In our assessments across Mongolian financial institutions, we've found that 68% of organizations still rely primarily on manual log review processes. The transition to automated solutions should begin immediately.

New SAQ Requirements

Self-Assessment Questionnaires have been updated to align with v4.0.1 requirements. Key changes include:

  • SAQ A: New requirement to confirm that the merchant's website is not susceptible to attacks that could impact e-commerce payment pages
  • SAQ A-EP: Expanded to include requirements for script management on payment pages (Req. 6.4.3)
  • SAQ D: Full alignment with v4.0.1, including all new future-dated requirements

Timeline & Deadlines

Understanding the compliance timeline is critical for planning:

Timeline
PCI DSS v4.0.1 Compliance Timeline
  2025-12-01  v4.0.1 published by PCI SSC
  2026-01-15  Updated SAQs released
  2026-03-31  ALL future-dated requirements mandatory ⚠️
  2026-06-30  First v4.0.1 ROC assessments due
  2027-03-31  v4.0 no longer accepted

Technical Controls Deep-Dive

The most technically demanding new requirements center around Requirement 6.4.3 (script management) and Requirement 11.6.1 (change detection). Let's examine the implementation approach:

Script Integrity on Payment Pages (Req. 6.4.3)

All scripts loaded on payment pages must be explicitly authorized and their integrity verified. This requires implementing Content Security Policy (CSP) headers and Subresource Integrity (SRI) checks.

HTTP Headers
# Content-Security-Policy for payment pages
# (directives shown one per line for readability; the header is sent as a single line)
Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'sha256-abc123...' https://js.stripe.com;   # first-party scripts, one hashed inline script, the PSP library
  frame-src https://js.stripe.com;                               # hosted card-entry iframe only
  connect-src 'self' https://api.stripe.com;
  style-src 'self' 'unsafe-inline';                              # 'unsafe-inline' for styles is a weakening; record the justification in the 6.4.3 inventory
  img-src 'self' data: https:;
  font-src 'self';
  object-src 'none';                                             # no plugin content
  base-uri 'self';                                               # no <base> tag redirection of relative script URLs
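The header above tells the browser which scripts may run; Req. 6.4.3 additionally expects a maintained inventory of authorized scripts with a justification for each, and Req. 11.6.1 expects a mechanism that detects unauthorized changes to the page. The Python below is an added example, not code from the original post; the inventory, the page HTML and the script bodies are constructed samples, and the host cdn.example.com is a placeholder.

```python
# Added example (not from the post); HTML, scripts and inventory are constructed.
import base64, hashlib
from html.parser import HTMLParser

def sri_hash(content: bytes) -> str:
    """Hash in the form SRI and CSP use: sha256-<base64 digest>."""
    return "sha256-" + base64.b64encode(hashlib.sha256(content).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collect every <script> tag (attributes plus inline body) on a page."""
    def __init__(self):
        super().__init__(); self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur = dict(attrs, _body="")
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["_body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur); self._cur = None

def review_payment_page(html, inventory, inline_ok, fetched):
    """6.4.3: each script must be in the inventory with a matching integrity
    attribute. 11.6.1: fetched bytes must still hash to the baseline."""
    p = ScriptCollector(); p.feed(html); findings = []
    for s in p.scripts:
        src = s.get("src")
        if src is None:  # inline script: its hash must be on the CSP allowlist
            h = sri_hash(s["_body"].encode())
            if h not in inline_ok:
                findings.append(f"unauthorized inline script {h}")
        elif src not in inventory:
            findings.append(f"unauthorized script {src}")
        else:
            expected = inventory[src]["sri"]
            if s.get("integrity") != expected:
                findings.append(f"{src}: integrity attribute missing or stale")
            if src in fetched and sri_hash(fetched[src]) != expected:
                findings.append(f"{src}: content changed since baseline (11.6.1)")
    return findings

CHECKOUT_JS = b"document.getElementById('pay').onsubmit = tokenize;"
INVENTORY = {"/static/checkout.js": {"sri": sri_hash(CHECKOUT_JS),
                                     "justification": "card tokenization form"}}
INLINE_OK = {sri_hash(b"window.pciPage = true;")}
PAGE = f"""<html><body>
<script src="/static/checkout.js" integrity="{sri_hash(CHECKOUT_JS)}"></script>
<script>window.pciPage = true;</script>
<script src="https://cdn.example.com/analytics.js"></script>
</body></html>"""
```

Scheduling this review against the live page (with `fetched` filled from the actual script responses) at the frequency set in the targeted risk analysis gives you both the 6.4.3 authorization check and the 11.6.1 change alert from one job.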

Impact on Mongolian Organizations

For Mongolian banks and payment processors, these changes carry specific implications. Mongolia's financial sector has grown rapidly, with digital payment volumes increasing 280% since 2022. This growth means more organizations fall under PCI DSS scope.

Based on our assessments across the sector, the three most challenging requirements for Mongolian organizations are:

  1. Automated log review (10.4.1.1) — Many banks still use legacy systems without SIEM integration
  2. MFA everywhere (8.3.6) — Console access to legacy mainframe systems often lacks MFA capability
  3. Script integrity (6.4.3) — E-commerce platforms rely heavily on third-party scripts without integrity controls

Preparation Checklist

To meet the March 2026 deadline, we recommend the following action plan:

  • Conduct a gap assessment against v4.0.1 requirements immediately
  • Deploy or upgrade SIEM solutions for automated log review
  • Implement MFA for all CDE access points, including console access
  • Inventory all scripts on payment pages and implement CSP/SRI
  • Perform targeted risk analyses for each flexible requirement
  • Schedule QSA readiness review no later than February 2026
  • Train staff on updated procedures and documentation requirements

Need help preparing? Infosec Intelligence offers PCI DSS v4.0.1 readiness assessments. As Mongolia's only QSA, we can guide your organization through every requirement. Contact us to schedule a consultation.


Batkhuyag Ganbold

Lead QSA, Infosec Intelligence

Batkhuyag is a PCI QSA, CISSP, and CISA certified security professional with 12+ years of experience in payment security. He leads PCI DSS assessments for Mongolia's largest financial institutions.