What changed in PCI DSS 4.0
The Payment Card Industry Data Security Standard version 4.0 is the most significant update to the standard since its inception. Mandatory from March 2025, it replaces version 3.2.1 and introduces a fundamentally different approach to cardholder data security.
The core philosophy shift is from prescriptive controls to outcome-based security. PCI DSS 4.0 allows organizations to implement "customized approaches" that achieve the same security objectives through different methods. This is a welcome change for organizations with mature security programs, but it also increases the burden of documentation and validation.
Key requirements that affect merchants
If you accept card payments, several new requirements apply directly to your business:
- Multi-factor authentication (MFA): MFA is now required for all access to the cardholder data environment, not just remote access. This applies to administrators, developers, and anyone who can access payment systems.
- Enhanced password requirements: Minimum password length increases from 7 to 12 characters. Passwords must be changed every 90 days for accounts with interactive access to cardholder data.
- Script integrity monitoring: Any JavaScript loaded on payment pages must be inventoried and monitored for unauthorized changes. This directly addresses Magecart-style attacks.
- Targeted risk analysis: Organizations must perform formal risk analyses for any requirement where they define the frequency of an activity (such as log reviews or vulnerability scans).
- Automated detection mechanisms: Automated technical controls must detect and alert on web-page tampering, including modifications to payment form content.
How Crezaro reduces your PCI scope
The simplest way to reduce your PCI compliance burden is to never handle cardholder data directly. When you use Crezaro's hosted checkout or our Drop-in UI components, card numbers never touch your servers. This means you qualify for SAQ A, the simplest level of PCI self-assessment, which has roughly 30 requirements instead of the 300+ in the full SAQ D.
Here is how it works technically:
- Your server creates a payment intent via our API.
- The customer is redirected to our PCI-compliant checkout page (or our JavaScript SDK renders a secure iframe).
- Card data is entered directly into our systems.
- We process the payment and send you a webhook with the result.
At no point does raw card data pass through your infrastructure. Our checkout pages are served from our PCI Level 1 certified environment, and our JavaScript SDK creates isolated iframes that prevent your page from accessing the card fields.
Using Crezaro's hosted checkout reduces your PCI DSS scope from SAQ D (300+ requirements) to SAQ A (roughly 30 requirements). That is not just a compliance advantage; it is hundreds of hours saved annually.
What you still need to do
Even with Crezaro handling card data, you have responsibilities under PCI DSS 4.0:
- Secure your website. Use TLS 1.2 or higher on all pages, not just the checkout page. Monitor scripts loaded on pages that redirect to or contain payment forms.
- Protect API keys. Your Crezaro secret key is as sensitive as cardholder data. Store it in environment variables, rotate it periodically, and restrict access to the team members who need it.
- Complete your SAQ annually. Even SAQ A requires an annual self-assessment. Crezaro provides documentation and guidance to help you complete it.
- Review access controls. Ensure that access to your Crezaro dashboard and API keys is restricted to authorized personnel with individual credentials.
Timeline and next steps
All organizations processing card payments must be fully compliant with PCI DSS 4.0 as of March 2025. The "future-dated" requirements (Appendix A3) become mandatory in March 2026. If you have not started your transition, the time to act is now.
Crezaro's compliance team is available to help merchants understand their obligations and complete their self-assessments. Reach out to compliance@crezaro.com or visit our documentation for detailed integration guides that minimize your PCI scope.