PCI-DSS v4.0 Changes MSPs Need to Know
The key changes in PCI-DSS v4.0 and how they affect MSPs serving retail, hospitality, and e-commerce clients.
PCI-DSS v4.0 represents the most significant update to payment card security standards in over a decade. For MSPs serving retail, hospitality, e-commerce, or any client that processes card payments, understanding these changes is critical.
Key Changes
Customized Approach: PCI-DSS v4.0 introduces a "customized approach" alongside the traditional "defined approach." Instead of prescriptive controls, organizations can define their own controls that meet the security objective. This gives MSPs more flexibility but also more responsibility to document and validate custom implementations.
Enhanced Authentication: MFA is now required for all access to the cardholder data environment (CDE), not just remote access. This affects every user, every system, every connection to the CDE. Password requirements have been updated: minimum 12 characters (up from 7), and passwords must be changed if there's suspicion of compromise (rather than arbitrary 90-day rotation).
Expanded Scope for Vulnerability Management: Internal vulnerability scans must now be authenticated scans (run with credentials, which gives the scanner deeper visibility into each host than an unauthenticated probe). High-risk vulnerabilities identified by internal scans must be remediated or risk-mitigated. External scans must be performed after any significant change.
Security Awareness: Training requirements are more specific: annual training must include awareness of phishing and social engineering attacks. Training content must be reviewed and updated annually. Organizations must verify that personnel have received and understood the training.
Automated Log Review: Audit logs must be reviewed using automated mechanisms, not just manual review. This effectively requires SIEM or similar log analysis tools. Logs must be protected from modification and retained for at least 12 months with 3 months immediately available.
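As an added example (not part of the original article and not a PCI SSC tool), the Python below turns the retention and integrity points just listed into two checks an MSP could run against a client's log inventory: every day of the last 12 months must be present, the last 90 days must sit in an immediately searchable tier, and a digest chain reveals whether any sealed day has since been altered. The inventory, the "hot"/"cold" tier labels and the log lines are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import accumulate
import hashlib

HOT_DAYS = 90       # "3 months immediately available" (30-day months assumed)
RETAIN_DAYS = 365   # "retained for at least 12 months"

@dataclass(frozen=True)
class LogDay:
    day: date
    tier: str       # "hot" = searchable online, "cold" = archived (labels are ours)

def check_retention(inventory, today):
    """Findings for every day in the retention window that is missing, or that
    sits outside the 'hot' tier although it falls in the 3-month window."""
    by_day = {entry.day: entry for entry in inventory}
    findings = []
    for offset in range(RETAIN_DAYS):
        day = today - timedelta(days=offset + 1)
        entry = by_day.get(day)
        if entry is None:
            findings.append(f"{day}: no log retained")
        elif offset < HOT_DAYS and entry.tier != "hot":
            findings.append(f"{day}: '{entry.tier}' tier, must be immediately available")
    return findings

def seal(prev_digest, content):
    """Chain a day's digest to the previous one; editing or dropping any sealed
    day changes every later digest, which is the modification check."""
    return hashlib.sha256(prev_digest.encode() + content).hexdigest()

def verify_chain(contents, recorded_digests):
    """Index of the first day whose recorded digest no longer matches, or None."""
    recomputed = list(accumulate(contents, seal, initial=""))[1:]
    bad = [i for i, (a, b) in enumerate(zip(recomputed, recorded_digests)) if a != b]
    return bad[0] if bad else None

def demo():
    """Constructed data: one day missing, one recent day archived early, one line edited."""
    today = date(2025, 6, 30)
    inventory = [LogDay(today - timedelta(days=o + 1), "hot" if o < HOT_DAYS else "cold")
                 for o in range(RETAIN_DAYS) if o != 199]
    inventory[9] = LogDay(inventory[9].day, "cold")
    logs = [b"2025-06-27 login ok user=svc_pos\n", b"2025-06-28 login FAIL user=svc_pos\n",
            b"2025-06-29 login ok user=svc_pos\n"]
    digests = list(accumulate(logs, seal, initial=""))[1:]   # recorded when each day was sealed
    logs[1] = b"2025-06-28 login ok user=svc_pos\n"          # failure later rewritten as success
    return check_retention(inventory, today), verify_chain(logs, digests)
```

A SIEM that already chains or signs its archive makes the second check redundant; the first remains useful for confirming the archive tiering actually matches what the client's policy claims.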
Timeline
Many v4.0 requirements were best practices until March 31, 2025, and are now mandatory. MSPs should audit their retail and hospitality clients against the full v4.0 requirements now. If you're not already providing automated log review, authenticated vulnerability scanning, and universal MFA, these are urgent gaps to close.