What Comes After March? Preparing for Your First Full PCI DSS v4.0.1 Assessment
For months, businesses have been focused on the March 31, 2025 deadline to meet the new PCI DSS v4.0.1 requirements. This date marks the official end of the previous version, PCI DSS 3.2.1, and the start of a new, updated framework that brings more emphasis on ongoing security. But meeting the deadline isn’t the end—it’s just the beginning.
Now, companies need to shift their focus to something just as important: staying compliant under the new version. That means being ready for your first full PCI DSS v4.0.1 assessment, which could happen as soon as this quarter.
So what’s different now? The updated standard puts more focus on whether your processes are actually working—not just whether they’re written down. During an assessment, you’ll need to show that your team is following the steps laid out in your policies, that you’re regularly checking for risks, and that your systems are being reviewed and updated on a routine basis. Things like log reviews, access controls, and system updates need to happen on a schedule, and you’ll need to keep records to prove it.
Another important shift is that many security tasks are expected to happen continuously, not once a year. For example, reviewing logs for suspicious activity or checking that your team is ready to respond to a security incident shouldn’t be one-off events. The goal of PCI DSS v4.0.1 is to help companies build habits that keep cardholder data safe all year long—not just at audit time.
Segmentation testing—used to keep your cardholder environment isolated from other parts of your network—also needs more attention now. A quick scan or checklist won’t be enough. If you’re relying on this kind of setup to reduce your PCI scope, you’ll need to test it properly and keep documentation to back it up.
It’s also important to make sure your policies and procedures actually match what’s happening in real life. If your documentation says you review access every quarter, but no one has done it in six months, that could be flagged during your next assessment. Consistency matters under this new version of the standard.
Finally, don’t forget about your quarterly external vulnerability scans. These are still required after March 31 and should be completed through an Approved Scanning Vendor (ASV). In addition to passing results, assessors will want to see how you responded to any issues and whether you completed rescans when needed.
In short, the new version of PCI DSS isn’t just about checking boxes—it’s about building a security program that runs smoothly all year long. If you’ve made it through the March deadline, that’s a major accomplishment. But now it’s time to look ahead and make sure your team is prepared to keep that momentum going through your first full assessment—and beyond.
PCI DSS v4.0.1 Post-March Readiness Checklist
Here’s what to lock down before your first full assessment under v4.0.1:
- Proof of regular log reviews (daily, weekly, or as defined in your policy)
- Documented change control reviews showing a security impact analysis was performed (Requirement 6.4.3)
- Quarterly access reviews that actually happened—include screenshots, exports, and notes
- Segmentation test results (if reducing scope), with evidence of testing, remediation, and retesting
- Monitoring setup for payment page scripts (Requirement 11.6.1) and alerting for unauthorized changes
- Evidence of a tested incident response plan—not just that it exists, but that it’s been exercised (Requirement 12.10.5)
- ASV scan reports with remediation notes and proof of rescans (even if vulnerabilities were minor)
- Policies that match your environment (including updated references to PCI DSS v4.0.1)
- Recurring task schedules for patching, vulnerability scans, risk reviews, and training
If you can check these boxes, you’re not just compliant—you’re in great shape to show it.