Contents
- PCI DSS 4.0.1 Requirements for Merchants: What Changed and What You Must Do Now
- Key Takeaways
- PCI DSS Compliance Levels at a Glance
- What Changed from PCI DSS 3.2.1 to 4.0.1
- Requirement 6.4.3 — Payment Page Script Management
- Requirement 11.6.1 — Change and Tamper Detection
- Requirement 8 — Multi-Factor Authentication (MFA)
- Which SAQ Do IntelliPay Merchants Use?
- What IntelliPay Does For You
- Your Responsibilities as an IntelliPay Merchant
- 1. Complete Your Annual Self-Assessment Questionnaire (SAQ)
- 2. Verify IntelliPay’s Compliance Status
- 3. Verify Other Third-Party Providers (If Applicable)
- 4. Follow Basic Security Practices
- 5. Train Your Staff
- 6. Use IntelliPay’s Payment Solutions Correctly
- Common Pitfalls and Prevention Tips
- Your Simple Compliance Checklist
- Frequently Asked Questions
- Need Help?
- Disclaimer
PCI DSS 4.0.1 Requirements for Merchants: What Changed and What You Must Do Now
Updated March 2026
PCI DSS 4.0.1 is the current mandatory version of the Payment Card Industry Data Security Standard, effective March 31, 2025. It applies to every business that stores, processes, or transmits cardholder data — regardless of size or transaction volume. Version 4.0.1 introduced stronger multi-factor authentication requirements, new script management controls for payment pages (Requirements 6.4.3 and 11.6.1), and a risk-based compliance model that allows merchants to customize controls to their environment. Merchants using a PCI DSS Level 1-certified processor like IntelliPay have significantly reduced compliance scope because cardholder data never passes through merchant systems.
Key Takeaways
PCI DSS 4.0.1 is the only accepted version of the Payment Card Industry Data Security Standard as of March 31, 2025 — all prior versions, including 3.2.1, are retired and no longer valid for compliance validation.
Every business that stores, processes, or transmits cardholder data must comply with PCI DSS 4.0.1, regardless of size, industry, or annual transaction volume.
Requirement 6.4.3 mandates that merchants inventory, authorize, and integrity-check every script running on their payment pages — a direct response to Magecart-style skimming attacks that have compromised thousands of checkout pages.
Requirement 11.6.1 requires merchants to deploy tamper-detection mechanisms that alert them to unauthorized changes to payment page content as seen by the consumer’s browser.
Multi-factor authentication (MFA) is now required for all access to the Cardholder Data Environment — not just remote access — under Requirement 8 of PCI DSS 4.0.1.
Merchants using IntelliPay’s hosted payment pages are out of scope for Requirements 6.4.3 and 11.6.1 because all payment page scripts and content originate from IntelliPay’s PCI DSS Level 1-certified environment, not the merchant’s server.
Non-compliant merchants face fines of $5,000–$100,000 per month from card brands and bear full liability for breach-related fraud losses, forensic costs, and card replacement fees.
PCI DSS Compliance Levels at a Glance
Most small businesses are Level 4 merchants. IntelliPay is certified at Level 1 — the highest PCI DSS certification level — with a current Attestation of Compliance (AoC) available upon request.
What Changed from PCI DSS 3.2.1 to 4.0.1
Requirement 6.4.3 — Payment Page Script Management
All scripts loaded or executed on payment pages must be inventoried, authorized, and integrity-checked. Merchants must maintain a documented list of every script on their payment page, confirm each has a business justification, and verify scripts haven’t been tampered with. This requirement became mandatory March 31, 2025. Merchants using IntelliPay’s hosted payment pages have this requirement handled at the processor level — it does not apply to their own systems.
Requirement 11.6.1 — Change and Tamper Detection
Merchants must implement a mechanism to detect unauthorized changes to HTTP headers and payment page content as received by consumer browsers. This targets Magecart-style skimming attacks. Merchants on IntelliPay’s hosted checkout are not in scope for this requirement because the payment page originates from IntelliPay’s environment, not the merchant’s server.
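For a merchant who serves their own payment page (the SAQ A-EP case, where both requirements still apply), the two controls above reduce to a script audit and a baseline comparison. The following is an added example, not IntelliPay's code or text from the standard: it checks every script on a saved copy of the page against a documented inventory carrying a business justification and an SRI hash (6.4.3), and records the response headers and body hash the browser received so that later changes can be flagged (11.6.1). The inventory, paths, script bodies and headers are constructed samples.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_sha256(body: bytes) -> str:
    """Subresource Integrity value (sha256, base64) for a script body."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # (src or "inline", integrity attribute or None)
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src", "inline"), a.get("integrity")))

def audit_scripts(page_html, inventory, fetched):
    """Req. 6.4.3: flag unauthorized scripts, wrong/missing SRI, or tampered bodies."""
    p = ScriptCollector()
    p.feed(page_html)
    findings = []
    for src, integrity in p.scripts:
        if src not in inventory:
            findings.append(("unauthorized", src))
        elif integrity != inventory[src]["sri"]:
            findings.append(("sri-mismatch", src))
        elif sri_sha256(fetched.get(src, b"")) != inventory[src]["sri"]:
            findings.append(("content-tampered", src))
    return findings

def snapshot(headers, body, watched=("content-security-policy", "content-type")):
    """Req. 11.6.1: headers governing script execution plus a body hash, as received."""
    snap = {k.lower(): v for k, v in headers.items() if k.lower() in watched}
    snap["body-sha256"] = hashlib.sha256(body.encode()).hexdigest()
    return snap

def detect_changes(baseline, observed):
    return sorted(k for k in set(baseline) | set(observed) if baseline.get(k) != observed.get(k))
# Constructed sample: authorized scripts with justification; FETCHED has analytics.js modified.
CHECKOUT_JS = b"window.Pay.init({form:'#pay'});"
ANALYTICS_JS = b"track('checkout_view');"
INVENTORY = {"/static/checkout.js": {"why": "payment form", "sri": sri_sha256(CHECKOUT_JS)},
             "/static/analytics.js": {"why": "analytics", "sri": sri_sha256(ANALYTICS_JS)}}
FETCHED = {"/static/checkout.js": CHECKOUT_JS, "/static/analytics.js": ANALYTICS_JS + b"//x"}
PAGE = f"""<html><body><form id="pay"></form>
<script src="/static/checkout.js" integrity="{INVENTORY['/static/checkout.js']['sri']}"></script>
<script src="/static/analytics.js" integrity="{INVENTORY['/static/analytics.js']['sri']}"></script>
<script src="https://cdn.example.invalid/helper.js"></script>
<script>document.title = "Pay";</script></body></html>"""
```

Running `audit_scripts(PAGE, INVENTORY, FETCHED)` reports the modified analytics.js body, the unlisted CDN script and the inline script; the inline script is flagged because an inventory entry is keyed by src, so inline code needs its own entry (or a nonce/CSP rule) before it counts as authorized.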
Requirement 8 — Multi-Factor Authentication (MFA)
MFA is now required for all access into the Cardholder Data Environment (CDE) — not just remote access. This includes internal users accessing systems that store, process, or transmit card data. Phishing-resistant MFA methods (hardware tokens, passkeys) are recommended over SMS-based codes.
Which SAQ Do IntelliPay Merchants Use?
IntelliPay merchants who use hosted payment pages or iFrame checkout typically qualify for SAQ A — the simplest self-assessment form, covering merchants who have fully outsourced all card data handling to a PCI DSS-compliant third party. SAQ A requires confirming that your payment pages are delivered directly from IntelliPay’s certified environment, and that your own systems do not store, process, or transmit any cardholder data.
Merchants who use IntelliPay’s API integration with a custom payment form may qualify for SAQ A-EP, which adds requirements for payment page script security (Requirement 6.4.3). Merchants with in-person terminals only may qualify for SAQ B or SAQ B-IP depending on terminal type.
If you are unsure which SAQ applies to your IntelliPay integration, contact IntelliPay’s compliance team for a scope assessment at no charge.
What IntelliPay Does For You
As a PCI DSS Level 1 certified provider, IntelliPay handles:
✓ End-to-end encryption and tokenization
✓ Secure data storage and transmission
✓ Quarterly vulnerability scans (ASV)
✓ 24/7 system monitoring
✓ File-integrity monitoring
✓ Incident response and detection
✓ Infrastructure security controls
✓ Payment page security (Requirements 6.4.3 and 11.6.1)
This means cardholder data never touches your systems.
Your Responsibilities as an IntelliPay Merchant
1. Complete Your Annual Self-Assessment Questionnaire (SAQ)
What it is: A checklist confirming you’re using IntelliPay’s secure payment solution correctly.
Which SAQ you’ll use:
SAQ A — If you redirect customers to IntelliPay’s payment page. Download SAQ A (v4.0.1)
SAQ A-EP — If you embed IntelliPay’s payment form on your website. Download SAQ A-EP (v4.0.1)
When: Once per year
How: IntelliPay can help you identify the correct SAQ and complete it. Learn more about SAQ form types
2. Verify IntelliPay’s Compliance Status
Request IntelliPay’s current Attestation of Compliance (AoC) annually to confirm their Level 1 certification is active.
3. Verify Other Third-Party Providers (If Applicable)
If you use additional payment-related services beyond IntelliPay (examples: shopping carts, POS systems, hosting providers that touch payment data), request their AoCs annually.
4. Follow Basic Security Practices
Never:
Write down credit card numbers on paper, emails, or spreadsheets
Store cardholder data on your computers or systems
Share payment processing passwords
Always:
Use strong, unique passwords for IntelliPay access
Enable multi-factor authentication (MFA) if available
Keep only paper receipts with truncated card numbers (last 4 digits only)
5. Train Your Staff
Annual training should cover:
Never write down or store card numbers
Recognizing phishing emails
Password security best practices
How to properly use IntelliPay’s payment system
Document your training (dates, attendees, topics covered).
6. Use IntelliPay’s Payment Solutions Correctly
For online payments:
Use IntelliPay’s hosted payment pages or embedded forms
Don’t create your own payment forms that capture card data
Ensure your website redirects properly to IntelliPay’s secure environment
For phone/mail orders:
Enter card data directly into IntelliPay’s virtual terminal
Never store card information temporarily in notes or documents
For in-person payments:
Use IntelliPay-approved terminals only
Ensure terminals are physically secured
Common Pitfalls and Prevention Tips
Your Simple Compliance Checklist
Once per year:
Complete your annual SAQ
Request IntelliPay’s current AoC
Request AoCs from any other payment-related vendors
Conduct staff security training
Review and update security policies
Ongoing:
Use only IntelliPay’s approved payment methods
Never store cardholder data
Keep passwords secure and use MFA
Secure paper receipts (shred when disposing)
Frequently Asked Questions
Q: Is PCI DSS 4.0.1 legally required?
A: While PCI DSS is not a U.S. federal law, compliance is contractually mandated by all major card networks — Visa, Mastercard, American Express, and Discover — through merchant agreements. Non-compliance can result in fines of $5,000–$100,000 per month, higher processing rates, forced forensic audits, and termination of card acceptance privileges. Learn more at the PCI Security Standards Council.
Q: What is the difference between PCI DSS 4.0 and 4.0.1?
A: PCI DSS 4.0.1, published in June 2024, is a minor revision that corrected errors, clarified ambiguous language, and resolved inconsistencies in version 4.0. It did not introduce new requirements. The mandatory compliance date remained March 31, 2025. Merchants should ensure their SAQs and internal documentation reference version 4.0.1 specifically, as that is the version assessors and card brands now reference.
Q: What are the PCI DSS requirements for merchants who accept online payments?
A: Online merchants face the most significant new requirements under 4.0.1. Requirement 6.4.3 mandates management and integrity verification of all scripts on payment pages. Requirement 11.6.1 requires tamper-detection for payment page content as seen by the consumer’s browser. Requirement 8 mandates MFA for all CDE access. Merchants using IntelliPay’s hosted checkout pages are not in scope for Requirements 6.4.3 or 11.6.1 because payment pages originate from IntelliPay’s certified environment.
Q: Does using IntelliPay reduce my PCI DSS compliance requirements?
A: Yes, significantly. IntelliPay is PCI DSS Level 1 certified — the highest certification tier. Merchants using IntelliPay’s hosted payment pages or tokenized checkout have cardholder data handled entirely within IntelliPay’s certified environment. Those merchants typically qualify for SAQ A — the shortest and simplest compliance form — and are out of scope for Requirements 6.4.3 and 11.6.1.
Q: What happens if I missed the March 2025 compliance deadline?
A: Merchants still operating under PCI DSS 3.2.1 controls after March 31, 2025 are considered non-compliant. This may trigger monthly fines from your acquiring bank, reclassification as a high-risk merchant with higher processing rates, and increased liability in the event of a data breach. Contact IntelliPay’s compliance team to assess your current status and get back into compliance quickly.
Q: How often do I need to validate compliance?
A: Complete your SAQ annually. IntelliPay handles ongoing monitoring and quarterly scans.
Q: Do I need my own ASV scans?
A: No. IntelliPay’s Level 1 certification covers required vulnerability scanning.
Q: What if I add a new payment channel (online, phone, in-person)?
A: Contact IntelliPay first. We’ll ensure you’re using compliant solutions and may need to update your SAQ type.
Q: Do I need to hire a security consultant?
A: No. As an IntelliPay merchant using our hosted solutions, you can complete your SAQ independently or with our guidance.
Need Help?
IntelliPay’s compliance team is here to assist with:
Determining your correct SAQ type
Answering compliance questions
Providing our current AoC
Reviewing your payment setup
Contact IntelliPay or visit IntelliPay.com
By partnering with IntelliPay, a PCI DSS Level 1 compliant service provider, you’ve simplified compliance while maintaining enterprise-grade security. We handle the technical complexity so you can focus on your business.
Disclaimer
Security & Compliance Disclaimer: The information provided in this guide is for educational purposes only and does not constitute official legal or security advice. PCI DSS (Payment Card Industry Data Security Standard) compliance is a mandatory requirement set by the major card brands (Visa, Mastercard, etc.) and is not a guarantee of absolute security.
Shared Responsibility Model: While IntelliPay maintains a PCI DSS Level 1 Certified infrastructure to protect cardholder data during transmission and storage, compliance is a “shared responsibility.” Merchants are legally and contractually obligated to perform their own annual Self-Assessment Questionnaire (SAQ), maintain internal security policies, and ensure that any third-party scripts or plugins used on their websites do not compromise the integrity of the payment environment.
Version 4.0.1 Notice: As of March 31, 2025, all older versions of PCI DSS have been retired. Failure to implement the now-mandatory requirements for Multi-Factor Authentication (MFA) and Payment Page Script Management (Req. 6.4.3/11.6.1) may result in monthly non-compliance fines ranging from $5,000 to $100,000, increased transaction fees, or the termination of merchant processing accounts. IntelliPay recommends an annual review of your compliance posture with a Qualified Security Assessor (QSA). Updated: March 30, 2026.