PCI DSS v4.0 — the current version of the Payment Card Industry Data Security Standard — introduced significant new requirements that fully took effect in March 2025. If you haven’t reviewed your PCI compliance obligations under v4.0, now is the time: the new requirements aren’t optional, and non-compliance can result in fines, processor termination, and increased liability in the event of a data breach.
Key Changes in PCI DSS v4.0
1. Targeted Risk Analysis (TRA)
v4.0 introduced Targeted Risk Analysis as a new methodology for organizations to define their own testing frequency for certain controls based on their specific risk profile. Rather than prescribing a single schedule, v4.0 requires organizations to document and justify their risk-based approach. This is more flexible than v3.2.1 but requires documented risk assessments where previously a checklist sufficed.
2. E-Skimming Protection (Requirement 6.4.3 and 11.6.1)
v4.0 introduced explicit requirements for protecting payment pages from e-skimming attacks — the injection of malicious JavaScript into checkout pages that captures card data in transit. Requirement 6.4.3 makes merchants responsible for managing every script loaded on a payment page, and 11.6.1 requires a mechanism that detects unauthorized changes to HTTP headers and payment page content. This is the PCI response to Magecart-style attacks that compromised major retailers.
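To make the two requirements concrete, here is an added example (not code from the article, Convesio, or Adyen) of the kind of baseline-and-compare check a merchant could run against a checkout page: it inventories the page's script elements (external scripts by source URL and integrity attribute, inline scripts by hash of their body) and a few security-relevant response headers, then reports any drift from a previously approved snapshot. The HTML snippets, header values, hostnames and the integrity value are constructed placeholders; in practice the current snapshot would be fetched from the live payment page on the schedule your targeted risk analysis defines.

```python
"""Baseline-and-compare check for a payment page's scripts and HTTP headers.

Added example, not from the original article and not Convesio/Adyen code. It
models the intent of PCI DSS v4.0 requirements 6.4.3 (managed, inventoried
payment page scripts) and 11.6.1 (detect unauthorized changes to HTTP headers
and page content). All page HTML, headers and hostnames below are constructed
samples; a real deployment would fetch them from the live checkout page.
"""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect <script> elements: external ones by src (+ integrity attribute),
    inline ones by their body text."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # one dict per <script> element seen
        self._current = None   # the <script> element currently open, if any

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def script_inventory(html):
    """Return a set of stable identifiers, one per script element on the page.

    External: "src=<url>|integrity=<value or none>"
    Inline:   "inline=sha256:<hex digest of the script body>"
    A changed inline body or a removed/altered integrity attribute therefore
    shows up as one identifier disappearing and another appearing.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    ids = set()
    for s in parser.scripts:
        if s["src"]:
            ids.add(f"src={s['src']}|integrity={s['integrity'] or 'none'}")
        else:
            digest = hashlib.sha256(s["body"].strip().encode()).hexdigest()
            ids.add(f"inline=sha256:{digest}")
    return ids


# Response headers to watch: the ones a skimmer would need to weaken or remove.
MONITORED_HEADERS = ("content-security-policy", "x-frame-options", "strict-transport-security")


def compare_to_baseline(baseline_html, baseline_headers, current_html, current_headers):
    """Return a list of human-readable findings; an empty list means no drift."""
    findings = []
    base_scripts = script_inventory(baseline_html)
    cur_scripts = script_inventory(current_html)
    for sid in sorted(cur_scripts - base_scripts):
        findings.append(f"unauthorized script added: {sid}")
    for sid in sorted(base_scripts - cur_scripts):
        findings.append(f"authorized script missing or modified: {sid}")

    base_h = {k.lower(): v for k, v in baseline_headers.items()}
    cur_h = {k.lower(): v for k, v in current_headers.items()}
    for name in MONITORED_HEADERS:
        if base_h.get(name) != cur_h.get(name):
            findings.append(f"header changed: {name}: {base_h.get(name)!r} -> {cur_h.get(name)!r}")
    return findings


# Constructed approved snapshot of a checkout page (hostnames and the
# integrity value are placeholders, not real resources).
BASELINE_HTML = """<html><head>
<script src="https://checkout.example/hosted-fields.js"
        integrity="sha384-PLACEHOLDER_DIGEST"></script>
<script>window.shopConfig = {currency: "USD"};</script>
</head><body><form id="checkout"></form></body></html>"""

BASELINE_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://checkout.example",
    "X-Frame-Options": "DENY",
}

# Constructed later snapshot: one extra script element and a loosened CSP.
CHANGED_HTML = BASELINE_HTML.replace(
    "</head>", '<script src="https://unknown-cdn.invalid/s.js"></script></head>')
CHANGED_HEADERS = {
    "Content-Security-Policy": "script-src *",
    "X-Frame-Options": "DENY",
}


if __name__ == "__main__":
    for finding in compare_to_baseline(BASELINE_HTML, BASELINE_HEADERS, CHANGED_HTML, CHANGED_HEADERS):
        print(finding)
```

Running the module prints two findings for the constructed snapshots: the added script element and the changed Content-Security-Policy header. The inventory deliberately keys external scripts on both the URL and the integrity attribute, so silently dropping subresource integrity from an approved script is reported as a modification rather than passing as "same URL".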
3. Multi-Factor Authentication (MFA) for All Accounts
v4.0 expands MFA requirements to all accounts that can access the cardholder data environment — not just remote access accounts. If you have any admin access to your WooCommerce store’s payment configuration, that access must be protected by MFA.
4. Password Requirements Updated
Minimum password length increased from 7 to 12 characters. Passwords for admin accounts accessing cardholder data must be rotated annually or when compromise is suspected.
5. Phishing Prevention for Personnel
v4.0 requires formal anti-phishing processes including security awareness training that covers phishing specifically. Previously implied; now explicitly required.
How ConvesioPay Reduces Your PCI Scope
The most effective PCI compliance strategy for most WooCommerce merchants is scope reduction — minimizing how much of your infrastructure touches cardholder data. ConvesioPay’s hosted payment fields and redirect checkout options mean card data is captured and processed entirely within Adyen’s PCI-certified infrastructure. Your WooCommerce store never receives or stores the raw card number, dramatically simplifying your PCI compliance obligations. Many ConvesioPay merchants qualify for SAQ A (the simplest self-assessment questionnaire) rather than the more complex SAQ D.
Ready to get started? Learn more about ConvesioPay or view pricing.