PCI DSS 4.0 assessments: What matters now
- PCI DSS 4.0 is no longer a transition — it is the operating model organizations are now expected to maintain.
- The biggest challenges are not technical requirements, but ongoing ownership of scope, risk and control validation.
- Organizations that treat PCI as an annual exercise continue to struggle under the continuous compliance expectations of 4.0.
The transition to PCI DSS 4.0 is over — but for many organizations, the real challenge is just beginning.
What looked like a version upgrade in 2025 has fundamentally changed how PCI compliance works. Organizations are now expected to operate in a continuous, risk-based model where scope, documentation and control validation are owned internally — not just reviewed during an annual assessment.
That shift is where most organizations are struggling today.
PCI DSS 4.0 didn’t change the rules — it changed the model
Most organizations approached PCI DSS 4.0 as a checklist upgrade. In reality, it introduced a different operating model.
Under prior versions, compliance was largely:
- Prescriptive
- Assessor-driven
- Point-in-time
Under PCI DSS 4.0, it is:
- Risk-based
- Organization-owned
- Continuous
That shift shows up in everything — from how scope is defined to how controls are validated.
The biggest gap: Treating PCI as an annual event
One of the most common issues we see today is organizations still operating as if PCI is something you “prepare for.”
That approach breaks under PCI DSS 4.0.
Controls now require:
- Ongoing validation
- Continuous monitoring
- Documented decision-making
- Repeatable processes
If those aren’t in place year-round, the assessment becomes reactive — and that’s where issues surface.
In healthcare environments, payment processing is often distributed across multiple locations, such as front desks, billing systems and third-party platforms.
An organization may complete an annual PCI assessment successfully, but over the following months:
- New locations are added
- Systems are updated
- Workflows change
If those changes aren’t reflected in scope and documentation, the environment at the next assessment no longer matches what was originally validated. That gap between “what was assessed” and “what exists today” is where compliance breaks down.
Scope is no longer something your assessor defines
Another major shift is ownership of scope.
Historically, many organizations leaned on their assessor to validate or even help define what was in scope.
That is no longer the expectation.
Organizations are now responsible for:
- Identifying all systems that store, process or transmit cardholder data
- Documenting connected systems and supporting infrastructure
- Maintaining accurate data flow diagrams and network diagrams
- Updating scope documentation regularly
When scope is incomplete, everything downstream — controls, testing and reporting — is affected.
In a manufacturing environment, we often see PCI scope defined around core payment systems but not fully extended into supporting infrastructure. For example, an organization may process payments through an ERP platform while overlooking connected systems such as production scheduling tools or shared network segments.
When those systems are connected to the cardholder data environment, they become part of scope — even if they don’t directly process payments. If they’re not documented, they’re not tested. And if they’re not tested, they become a gap during assessment.
Risk is now part of compliance — not separate from it
PCI DSS 4.0 introduces a much stronger connection between risk management and compliance.
This shows up most clearly in targeted risk analysis.
Instead of following fixed requirements for frequency or control execution, organizations must:
- Evaluate the risk associated with specific controls
- Determine appropriate frequency or approach
- Document and justify those decisions
This adds flexibility — but it also removes the ability to rely on default answers.
Organizations now need to defend how and why they operate the way they do.
A financial services organization may decide to perform certain control activities — like access reviews or log monitoring — on a frequency that differs from traditional expectations.
Under PCI DSS 4.0, that flexibility is allowed. But it requires a documented targeted risk analysis that explains why that frequency is appropriate based on risk.
What we see in practice is organizations making the decision, but not documenting the rationale. During assessment, the control itself may be functioning, but without that documented justification, it becomes a compliance issue.
The customized approach: Flexibility that adds complexity
The customized approach is one of the most talked-about features of PCI DSS 4.0 — and one of the most misunderstood.
It allows organizations to design controls that meet security objectives rather than follow defined testing procedures.
In practice, that means:
- More detailed documentation
- Targeted risk analysis for each control
- Additional validation requirements
- Coordination with a QSA before assessment
For most organizations, this is not a shortcut. It’s a more advanced path that requires maturity in both risk management and documentation.
For example, a technology company may attempt to use the customized approach to support a more modern authentication or infrastructure model.
The intent is usually sound. But what often happens is the organization underestimates the level of documentation and validation required. Without detailed control design, risk analysis and testing evidence, the customized approach creates more friction than the defined approach would have.
Where organizations are struggling today
Across assessments, the same patterns continue to show up:
- Treating PCI DSS 4.0 as a completed transition rather than an ongoing model
- Underestimating the effort required to maintain documentation
- Failing to build internal ownership of controls
- Relying too heavily on tools instead of process
- Not aligning security and compliance teams
These aren’t technical gaps — they’re operational ones.
What actually drives success under PCI DSS 4.0
Organizations that are successful under PCI DSS 4.0 operate differently.
They:
- Treat compliance as a continuous program, not a project
- Establish clear ownership of controls across teams
- Invest in documentation and process maturity
- Integrate risk management into compliance activities
- Engage assessors early and consistently
This isn’t about doing more work; it’s about structuring the work differently.
The real shift: From passing audits to sustaining compliance
PCI DSS 4.0 ultimately changes the goal.
It’s no longer about passing an assessment. It’s about sustaining compliance continuously.
That requires:
- Discipline in execution
- Clarity in ownership
- Consistency in documentation
Organizations that recognize this early tend to avoid the friction others are now experiencing.
How Wipfli can help
Wipfli helps organizations operate effectively under PCI DSS 4.0 by focusing on sustainable compliance, not just assessment readiness.
Our services include:
- PCI DSS readiness and gap assessments
- Scope definition and documentation support
- Risk and control evaluation
- Assessment and validation support
- Ongoing compliance program development
To learn more about how to strengthen your PCI DSS 4.0 program, explore our PCI compliance services.