Introduction
PCI DSS v4.0 replaced v3.2.1 as the only active version of the standard on March 31, 2024 (a limited revision, v4.0.1, superseded v4.0 at the end of 2024), and its most impactful changes, the future-dated requirements, become mandatory on March 31, 2025. For businesses that handle cardholder data, whether directly or through third parties, these deadlines carry significant operational and security implications.
This blog outlines the major changes, what’s already required, and what becomes mandatory in 2025.
Key Timeline
- March 31, 2024: v3.2.1 retired; every v4.0 requirement not marked future-dated became mandatory for assessments.
- March 31, 2025: the 51 future-dated requirements, treated as best practice until then, become mandatory.
Critical Future-Dated Requirements (Mandatory from March 31, 2025)
11.6.1 – Payment Page Change and Tamper Detection
A change- and tamper-detection mechanism must alert personnel to unauthorized modification (changes, additions, deletions, and indicators of compromise) of the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser. The mechanism must run at least weekly, or at the frequency set by your targeted risk analysis.
6.4.3 – Payment Page Script Management
All scripts that are loaded and executed in the consumer's browser on payment pages must be managed: a method to confirm each script is authorized, a method to assure the integrity of each script, and an inventory of all scripts with a written business or technical justification for each. Change control for production code is covered separately under 6.5.1; 6.4.3 is specifically about what runs in the customer's browser.
8.4.2 – Multi-Factor Authentication for All Access into the CDE
MFA is required for all access into the cardholder data environment, not only for non-console administrative access (8.4.1, already required) or remote access from outside the network (8.4.3). In the same family, 8.3.6 raises the minimum password length to 12 characters (8 where the system cannot support more) and is also future-dated.
12.3.1 and 12.3.2 – Targeted Risk Analysis
12.3.1 requires a documented targeted risk analysis for every requirement that lets you choose how often a control is performed (the 11.6.1 evaluation frequency is one example), identifying the assets protected, the threats, and the factors that drive likelihood and impact, and reviewed at least every 12 months. 12.3.2 requires the same analysis for every requirement met with the customized approach rather than the defined one.
What You Should Be Doing Now
- Conduct a gap analysis against v4.0.
- Deploy a change- and tamper-detection mechanism for payment pages (Breachfin, for example) that inspects pages and headers as the consumer browser receives them, and document the evaluation frequency in a targeted risk analysis.
- Build and maintain the 6.4.3 script inventory for every payment page, with a written justification per script and an integrity control such as Subresource Integrity or a strict Content-Security-Policy.
- Ensure your MFA solution covers every access path into the CDE, not just remote and administrative logins.
- Train relevant teams on v4.0 updates.
Why It Matters
The March 2025 deadline is a shift toward proactive, real-time protection—especially in client-side environments. Being audit-ready isn’t just about logs and paperwork anymore; it’s about proving you have controls that work continuously.
How Breachfin Helps
- Satisfies 11.6.1 with real-time script scanning and alerting.
- Monitors and logs changes to payment-page scripts in support of the 6.4.3 inventory and integrity controls.
- Integrates with SIEM tools for traceable evidence.
The clock is ticking. Get ahead of these mandates before compliance becomes a crisis.