We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Cybersecurity blog

PCI DSS 4.0: What Changed and What Indian Businesses Must Do Now

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

PCI DSS 4.0: What Changed and What Indian Businesses Must Do Now

Most Indian merchants who called us in a panic through 2024 and early 2025 had the same story. They had passed their PCI DSS assessment every year for a decade, the compliance certificate sat framed on the wall, and then their acquiring bank sent a one-line email asking for their v4.0 attestation. That was the moment they discovered that the standard they had quietly ignored as a paperwork exercise had grown teeth.

PCI DSS 4.0 is not a cosmetic version bump. It is the biggest structural rewrite of the Payment Card Industry Data Security Standard since it was born in 2004, and the grace period is over. Version 3.2.1 was formally retired on 31 March 2024, and the future-dated requirements, the ones everyone kept deferring, became mandatory on 31 March 2025. If your last Report on Compliance or Self-Assessment Questionnaire predates that, you are not compliant. You just have not been audited against the new baseline yet.

What PCI DSS actually is, in one honest paragraph

PCI DSS is the security standard that any organisation storing, processing or transmitting cardholder data must meet. It is set by the PCI Security Standards Council, not by RBI, but in India it reaches you through your acquiring bank and the card networks (Visa, Mastercard, RuPay via NPCI, American Express). Your merchant agreement contractually binds you to it. So while there is no Indian statute called PCI, the enforcement is very real: non-compliance can mean fines passed through your acquirer, higher transaction fees, or in the worst case, termination of your ability to accept card payments. For a fintech or a payment aggregator regulated by RBI, PCI DSS also sits underneath the RBI Payment Aggregator and Payment Gateway guidelines, which explicitly require PCI DSS certification.

The four shifts that actually matter

There are dozens of individual changes across the 12 requirements. But if you strip away the noise, 4.0 moves in four directions at once. Understand these and the specific clauses stop feeling random.

1. From point-in-time to business-as-usual

The old game was to get clean for the two weeks the assessor was on site, then relax. 4.0 kills that. A large number of requirements now demand a documented, targeted risk analysis (requirement 12.3.1) that justifies how often you perform a given control, and evidence that you actually performed it at that cadence all year. The assessor no longer just checks that a control exists. They check that it ran, on schedule, with logs to prove it.

2. The customised approach

For the first time, you can meet a requirement using a control the standard did not prescribe, as long as you can prove it meets the stated Customised Approach Objective. This sounds liberating. In practice it is only for mature organisations with strong security teams, because you must document the control, perform your own risk analysis, and the QSA has to design bespoke testing procedures for it. Ninety percent of Indian merchants should stick with the Defined Approach and treat the customised approach as an escape hatch for one or two genuinely non-standard controls, not a lifestyle.

3. Authentication grows up

This is where most Indian shops will fail their first 4.0 assessment. Multi-factor authentication is now required for all access into the cardholder data environment, not just remote or administrative access (requirement 8.4.2). Passwords, where still used, jump to a minimum of 12 characters (8.3.6). And by the deadline, MFA implementations must resist replay and cannot be bypassed by any user including administrators (8.5.1).

4. The e-commerce and phishing reckoning

Two requirements, 6.4.3 and 11.6.1, exist because of Magecart-style attacks where malicious JavaScript skims card data from the payment page in the customer's own browser. If you run a checkout page in India that loads any third-party script, a chat widget, an analytics tag, a payment SDK, these two clauses now apply directly to you. Most Indian e-commerce teams have never heard of them.

The clauses you will be judged on

Here is the shortlist we walk every Indian client through first, because these are the ones that most commonly turn a routine reassessment into a scramble.

RequirementWhat it demandsWhy Indian teams miss it
8.4.2 / 8.5.1MFA for all access into the CDE, phishing-resistant and non-bypassableOn-premise servers and internal admin panels were historically single-factor
6.4.3Manage and authorise every script loaded on the payment page; verify integrityNo inventory exists of the tags marketing added over the years
11.6.1Detect unauthorised changes to payment page HTTP headers and contentNo tamper-detection tooling deployed on the checkout
12.3.1Targeted risk analysis to justify the frequency of flexible controlsFrequencies were never documented, just assumed to be annual
5.3.3 / 5.4.1Anti-malware on removable media; anti-phishing mechanismsPhishing controls treated as awareness training only, not technical
A3 / 12.5.2Scope confirmed and documented at least annuallyScope drifts as cloud and SaaS creep in, never re-baselined

What actually happens in the audit room

Let us make this concrete. A mid-sized payment aggregator in Bengaluru, RBI-licensed, processing on their own infrastructure, called us for a v4.0 gap assessment after ten years of clean 3.2.1 reports. Confident team. Good engineers.

We started with scope. The CTO said the cardholder data environment was three servers in a rack. We asked to see the network diagram and the data-flow diagram, the actual artefacts required under requirement 1.2.4 and 12.5.1. The data-flow diagram was two years old. When we traced a live transaction, card data was transiting a logging pipeline into an Elasticsearch cluster nobody had listed, and a copy of masked-but-recoverable data was landing in an S3 bucket for a reconciliation job. Scope had quietly tripled. That single finding meant three more systems now needed quarterly ASV scans, hardening, and access review.

Then we opened the checkout page in a browser and ran the developer console. Fourteen third-party scripts. A tag manager, two analytics vendors, a session-replay tool, a live-chat widget, and an old A/B testing snippet the growth team had forgotten. Under 6.4.3 every one of those needed a business justification, an authorisation record, and an integrity check. They had zero. That is a Magecart skimmer's dream, and it was one finding, unremediated, that would have failed the whole Report on Compliance.

The MFA gap was the last one. Remote VPN access had MFA. But once you were on the internal network, the admin console for the payment switch took a username and a password. Under 8.4.2, that is now a failure. Retrofitting MFA onto a legacy internal application took them eleven weeks and a small integration project.

None of this was exotic. It is the ordinary reality of a system that grew for a decade while the compliance paperwork stood still. The point of 4.0 is to force that gap into the open before an attacker finds it first.

The Indian regulatory overlay you cannot ignore

PCI DSS does not live alone in India. It sits inside a stack of obligations that a foreign-authored standard does not mention, and your QSA should be mapping the overlaps so you are not doing the same work three times.

FrameworkOverlap with PCI DSS 4.0What it adds
RBI PA/PG guidelinesMandates PCI DSS certification for aggregators and gatewaysData localisation: full transaction data must be stored only in India
CERT-In 2022 directionsIncident logging and reportingReport cyber incidents within 6 hours; retain logs 180 days in India
DPDP Act 2023Cardholder name is personal dataConsent, breach notification to the Data Protection Board, data-principal rights
RBI data storage circularNo storage of full card data by most entitiesTokenisation (CoF) mandate; only card networks and issuers store PANs

The RBI card-on-file tokenisation mandate is the one that quietly helps you. Since it forces most merchants to stop storing the actual card number and use a network token instead, it can dramatically shrink your PCI scope. If you have implemented CoF tokenisation properly, many storage-related requirements simply fall away because you no longer hold the Primary Account Number. We regularly use this to move clients toward the far lighter SAQ A eligibility. Scope reduction is the single highest-leverage move in PCI, and Indian tokenisation rules hand it to you.

What v4.0 costs, honestly

Clients always want a number. It depends entirely on your merchant level and whether you store card data, but here are realistic Indian ranges for the assessment itself, separate from remediation engineering, which is usually the larger spend.

ScenarioTypical assessment pathIndicative cost (INR)
Small e-commerce, no card storage, SAQ ASelf-assessment, ASV scans40,000 to 1,50,000 per year
Mid-size merchant, some storage, SAQ DGuided SAQ plus quarterly ASV1,50,000 to 6,00,000 per year
Level 1 fintech or aggregator (RoC)Full QSA Report on Compliance8,00,000 to 25,00,000 plus
6.4.3 / 11.6.1 toolingClient-side script monitoring subscription3,00,000 to 12,00,000 per year

The trap is treating the assessment fee as the total cost. On a first 4.0 engagement, remediation, retrofitting MFA, deploying client-side monitoring, rebuilding a data-flow diagram, tightening logging, routinely costs several times the audit fee. Budget for the gap, not just the certificate.

Your fix-it checklist before the next assessment

If you do nothing else, work through this list in order. It maps directly to where 4.0 assessments break in India.

  • Re-baseline scope now: produce a current network diagram and a data-flow diagram, then trace one real transaction end to end and find where card data actually goes.
  • Inventory every script on your payment page using the browser console, then justify, authorise and integrity-check each one for requirement 6.4.3.
  • Deploy client-side tamper detection on the checkout to satisfy 11.6.1, and set the review frequency in writing.
  • Extend MFA to all access into the cardholder data environment, including internal admin panels, and confirm it cannot be bypassed (8.4.2, 8.5.1).
  • Raise password minimums to 12 characters wherever passwords remain (8.3.6).
  • Write the targeted risk analyses under 12.3.1 that justify how often each flexible control runs, and keep the evidence that it ran.
  • Check your card-on-file tokenisation: if you can stop storing PANs, pursue the lighter SAQ path and shrink scope.
  • Map PCI evidence to CERT-In 6-hour reporting, DPDP breach duties and RBI localisation so one control set serves all three.
  • Confirm anti-phishing is a technical control, not just a training slide (5.4.1).
  • Book the gap assessment at least three to four months before your attestation is due, because MFA and script-control remediation take weeks, not days.

The bottom line

The merchants who panicked in 2024 were not careless. They were caught by a standard that finally stopped rewarding the point-in-time performance and started asking whether security actually happens the other 51 weeks of the year. That is the real change in 4.0, and every specific clause is just an expression of it. Treat compliance as something that runs continuously, and the audit becomes a formality. Treat it as an annual costume you put on for the assessor, and 4.0 will find you out.

If you want a straight read on where you stand, CyberSigma's PCI QSAs are also CERT-In empanelled auditors who do this hands-on, in the room, tracing the real transaction rather than reading your last certificate. A scoping conversation is usually enough to tell you how big the gap really is.

FAQs

Is PCI DSS legally mandatory in India?

There is no Indian statute called PCI DSS, but it is contractually mandatory through your acquiring bank and the card networks, and RBI's Payment Aggregator and Payment Gateway guidelines explicitly require PCI DSS certification for regulated entities. In practice, for anyone accepting card payments, it is binding.

We passed PCI DSS 3.2.1 last year. Are we still compliant?

No. Version 3.2.1 was retired on 31 March 2024, and all future-dated 4.0 requirements became mandatory on 31 March 2025. Any attestation issued against 3.2.1 no longer counts. You need a fresh assessment against 4.0.

Does the RBI tokenisation mandate reduce our PCI scope?

Yes, and this is one of the biggest advantages available to Indian merchants. If card-on-file tokenisation means you no longer store the actual Primary Account Number, many storage-related requirements fall away and you may qualify for a much lighter self-assessment questionnaire such as SAQ A.

What is the requirement everyone forgets about?

Requirements 6.4.3 and 11.6.1, covering payment-page scripts. If your checkout loads any third-party JavaScript, an analytics tag, a chat widget, a payment SDK, you must inventory, authorise and integrity-monitor each one to defend against browser-based skimming. Most Indian e-commerce teams have no such inventory.

How long before our deadline should we start?

At least three to four months. The two controls that take longest to remediate, extending MFA into the cardholder data environment and deploying client-side script monitoring, are engineering projects measured in weeks, not paperwork you finish the night before the assessor arrives.

Can we use the new customised approach to save effort?

Rarely, and not to save effort. The customised approach lets a mature security team meet an objective with a non-standard control, but it requires you to document the control, run your own risk analysis, and have the QSA design bespoke testing. For most Indian merchants the Defined Approach is simpler and cheaper. Reserve the customised approach for one or two genuinely non-standard controls.

Naveen Kumar

Naveen Kumar

CyberSigma is a CERT-In empanelled cybersecurity firm helping Indian businesses with VAPT, ISO 27001, PCI DSS, SOC 2 and DPDP compliance — delivered by senior auditors, not juniors.

Free 1-minute check
PCI DSS Scope Checker
See if you’re in scope and your likely SAQ type or level — free, in under a minute.
Try it free →

Leave A Comment

CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205