Why is the Trump administration imposing new Section 232 and Section 301 tariffs?

Following the IEEPA court ruling, the Trump administration imposed Section 122 tariffs effective February 24, 2026, set to expire July 24, 2026. As indefinite alternatives, new Section 232 tariffs were deployed on April 2, 2026. The Section 301 investigation process is expected to conclude in summer 2026.

What are Section 232 tariffs?

Section 232 tariffs are import taxes authorized under the Trade Expansion Act of 1962, imposed on national security grounds. Rarely invoked before 2018, their use has been upheld by the Supreme Court.

What are Section 301 tariffs?

Section 301 tariffs are levied on imports from specific countries under the Trade Act of 1974 to address unfair trade practices. The process involves investigation, negotiation, and potential retaliation against targeted trading partners.

Which goods are targeted under the new Section 232 tariffs?

Under the new Section 232 tariffs, steel, aluminum, and copper face tariffs of up to 50%, and pharmaceuticals face tariffs of up to 100%. Multiple carve-outs exist depending on the product category.

Which countries are targeted under the new Section 301 tariffs?

Approximately 100 countries are targeted across two investigations: one covering excess manufacturing capacity, which targets 14 countries plus the EU, and one covering forced labor practices, which targets approximately 60 trading partners.

How should businesses prepare for new Section 232 and Section 301 tariffs?

Businesses should take three steps: (1) Assess supply chain exposure by identifying import origins, quantities, and annual values, and update quotation processes to reflect potential tariff costs; (2) Evaluate internal systems to determine the ability to track tariff rate changes and cost impacts, and plan communication strategies for price adjustments; and (3) Seek ongoing guidance from internal departments and strategic advisors with experience in tariff policy and the manufacturing sector.

PCI DSS 4.0 assessments: What matters now

Brandon Breslin

Feb 17, 2026

5 min read

Key takeaways

PCI DSS 4.0 is no longer a transition — it is the operating model organizations are now expected to maintain.
The biggest challenges are not technical requirements, but ongoing ownership of scope, risk and control validation.
Organizations that treat PCI as an annual exercise continue to struggle under the continuous compliance expectations of 4.0.

The transition to PCI DSS 4.0 is over — but for many organizations, the real challenge is just beginning.

What looked like a version upgrade in 2025 has fundamentally changed how PCI compliance works. Organizations are now expected to operate in a continuous, risk-based model where scope, documentation and control validation are owned internally — not just reviewed during an annual assessment.

That shift is where most organizations are struggling today.

PCI DSS 4.0 didn’t change the rules — it changed the model

Most organizations approached PCI DSS 4.0 as a checklist upgrade. In reality, it introduced a different operating model.

Under prior versions, compliance was largely:

Prescriptive
Assessor-driven
Point-in-time

Under PCI DSS 4.0, it is:

Risk-based
Organization-owned
Continuous

That shift shows up in everything — from how scope is defined to how controls are validated.

The biggest gap: Treating PCI as an annual event

One of the most common issues we see today is organizations still operating as if PCI is something you “prepare for.”

That approach breaks under PCI DSS 4.0.

Controls now require:

Ongoing validation
Continuous monitoring
Documented decision-making
Repeatable processes

If those aren’t in place year-round, the assessment becomes reactive — and that’s where issues surface.

In healthcare environments, payment processing is often distributed across multiple locations, such as front desks, billing systems and third-party platforms.

An organization may complete an annual PCI assessment successfully, but over the following months:

New locations are added
Systems are updated
Workflows change

If those changes aren’t reflected in scope and documentation, the environment at the next assessment no longer matches what was originally validated. That gap between “what was assessed” and “what exists today” is where compliance breaks down.

Scope is no longer something your assessor defines

Another major shift is ownership of scope.

Historically, many organizations leaned on their assessor to validate or even help define what was in scope.

That is no longer the expectation.

Organizations are now responsible for:

Identifying all systems that store, process or transmit cardholder data
Documenting connected systems and supporting infrastructure
Maintaining accurate data flow diagrams and network diagrams
Updating scope documentation regularly

When scope is incomplete, everything downstream — controls, testing and reporting — is affected.

In a manufacturing environment, we often see PCI scope defined around core payment systems but not fully extended into supporting infrastructure. For example, an organization may process payments through an ERP platform while overlooking connected systems such as production scheduling tools or shared network segments.

When those systems are connected to the cardholder data environment, they become part of scope — even if they don’t directly process payments. If they’re not documented, they’re not tested. And if they’re not tested, they become a gap during assessment.

Risk is now part of compliance — not separate from it

PCI DSS 4.0 introduces a much stronger connection between risk management and compliance.

This shows up most clearly in targeted risk analysis.

Instead of following fixed requirements for frequency or control execution, organizations must:

Evaluate the risk associated with specific controls
Determine appropriate frequency or approach
Document and justify those decisions

This adds flexibility — but it also removes the ability to rely on default answers.

Organizations now need to defend how and why they operate the way they do.

A financial services organization may decide to perform certain control activities — like access reviews or log monitoring — on a frequency that differs from traditional expectations.

Under PCI DSS 4.0, that flexibility is allowed. But it requires a documented targeted risk analysis that explains why that frequency is appropriate based on risk.

What we see in practice is organizations making the decision, but not documenting the rationale. During assessment, the control itself may be functioning, but without that documented justification, it becomes a compliance issue.

The customized approach: Flexibility that adds complexity

The customized approach is one of the most talked-about features of PCI DSS 4.0 — and one of the most misunderstood.

It allows organizations to design controls that meet security objectives rather than follow defined testing procedures.

In practice, that means:

More detailed documentation
Targeted risk analysis for each control
Additional validation requirements
Coordination with a QSA before assessment

For most organizations, this is not a shortcut. It’s a more advanced path that requires maturity in both risk management and documentation.

For example, a technology company may attempt to use the customized approach to support a more modern authentication or infrastructure model.

The intent is usually sound. But what often happens is the organization underestimates the level of documentation and validation required. Without detailed control design, risk analysis and testing evidence, the customized approach creates more friction than the defined approach would have.

Where organizations are struggling today

Across assessments, the same patterns continue to show up:

Treating PCI DSS 4.0 as a completed transition rather than an ongoing model
Underestimating the effort required to maintain documentation
Failing to build internal ownership of controls
Relying too heavily on tools instead of process
Not aligning security and compliance teams

These aren’t technical gaps — they’re operational ones.

What actually drives success under PCI DSS 4.0

Organizations that are successful under PCI DSS 4.0 operate differently.

They:

Treat compliance as a continuous program, not a project
Establish clear ownership of controls across teams
Invest in documentation and process maturity
Integrate risk management into compliance activities
Engage assessors early and consistently

This isn’t about doing more work; it’s about structuring the work differently.

The real shift: From passing audits to sustaining compliance

PCI DSS 4.0 ultimately changes the goal.

It’s no longer about passing an assessment. It’s about sustaining compliance continuously

That requires:

Discipline in execution
Clarity in ownership
Consistency in documentation

Organizations that recognize this early tend to avoid the friction others are now experiencing.

How Wipfli can help

Wipfli helps organizations operate effectively under PCI DSS 4.0 by focusing on sustainable compliance, not just assessment readiness.

Our services include:

PCI DSS readiness and gap assessments
Scope definition and documentation support
Risk and control evaluation
Assessment and validation support
Ongoing compliance program development

To learn more about how to strengthen your PCI DSS 4.0 program, explore our PCI compliance services.

PCI DSS 4.0 assessments: What matters now

PCI DSS 4.0 didn’t change the rules — it changed the model

The biggest gap: Treating PCI as an annual event

Scope is no longer something your assessor defines

Risk is now part of compliance — not separate from it

The customized approach: Flexibility that adds complexity

Where organizations are struggling today

What actually drives success under PCI DSS 4.0

The real shift: From passing audits to sustaining compliance

How Wipfli can help

Author(s)

TOP PICKS

Article Download

Please Register

Contact Information