
PCI-DSS 4.0 UK survival guide 2026

Servnet Editorial · Compliance Practice · 9 min read

PCI-DSS 4.0 fully replaced 3.2.1 in March 2024, with the most onerous new controls becoming mandatory in March 2025. UK retailers, hospitality groups, and payment-handling businesses have spent 2025 catching up. This is the practical survival guide for organisations still working through the requirements.

PCI DSS 4.0 — 12 requirement families

PCI DSS 4.0 control map (all twelve are core requirements):
  • 1 Install + maintain network security
  • 2 Apply secure configurations
  • 3 Protect stored account data
  • 4 Strong cryptography in transit
  • 5 Malicious software protection
  • 6 Secure systems + software
  • 7 Restrict access by need to know
  • 8 Identify users + authenticate access
  • 9 Restrict physical access
  • 10 Log + monitor access to data
  • 11 Test security of systems
  • 12 Support info-sec with policy

What changed in 4.0 vs 3.2.1

There are 64 new or modified requirements compared with 3.2.1; the most material changes fall into 12 areas. The three that change day-to-day compliance work most are:

Customised approach option — alongside defined approach, organisations can demonstrate compliance via risk-based alternatives subject to QSA review.

Targeted risk analysis — required for many requirements (frequency of activity, choice of control, etc.).

Continuous scope review — annual scope confirmation no longer sufficient.

The 8 most-painful new controls

  • 12.5.2 Continuous scope review
  • 6.4.3 Inventory of payment page scripts + integrity monitoring
  • 11.6.1 Tamper detection on payment pages
  • 8.4.2 MFA on all access into CDE
  • 8.6.1-3 Stricter password / authentication requirements for application accounts
  • 11.3.1.1 Internal vulnerability scans must be authenticated scans
  • 11.3.2.1 External vulnerability scans must use ASV
  • 12.6.2 Security awareness training tailored to job role

Practical UK retailer implementation

Scope reduction first. Tokenisation + P2PE devices push most of the store estate out of CDE scope. See our Retail + Hospitality IT practice.

Segmentation — store POS VLAN strictly separated from corporate. Firewall ACLs documented + tested quarterly.

Payment page script monitoring — SRI hashes + integrity tools (Akamai Page Integrity Manager, Reflectiz, others). This is the new requirement that catches most retailers out.

MFA — all admin access into CDE, all access from outside CDE, all SaaS admin consoles.

Which PCI DSS path applies to us?

How many card transactions per year?
  • More than 6M — Level 1: QSA assessment + ROC, annually
  • 1M - 6M — Level 2: QSA or SAQ-A-EP
  • Under 1M — Level 3 / 4: SAQ

What Servnet does

Servnet supports UK retailers through PCI-DSS 4.0 readiness — segmentation design, tokenisation deployment, payment-page integrity tooling, MFA rollout, evidence preparation for QSA assessment.

See also our Retail + Hospitality industry practice.

Key takeaways
  • PCI-DSS 4.0 fully replaced 3.2.1 in March 2024; new controls mandatory March 2025.
  • Scope reduction (tokenisation + P2PE) is the most-impactful early move.
  • Payment page script integrity monitoring is a new requirement that catches most retailers.
  • MFA on all admin access into CDE is mandatory.
  • Targeted risk analysis required for many requirements — not just tick-box.
FAQs — PCI-DSS 4.0 UK survival guide 2026

Scope

How do we reduce PCI scope?

Tokenisation at the POS (so cardholder data never lands in your store network) + P2PE encryption (so only encrypted data traverses the store network) push most of the retail estate out of the CDE. Most retailers reduce scope by 60-80% via these approaches.

Do we need a QSA?

Level 1 merchants (6M+ Visa / Mastercard transactions / year) — yes, ROC required. Level 2-4 merchants — typically self-assessment questionnaire (SAQ). Servnet supports both paths.
