Quick Answer

PCI DSS 4.0.1 is the current active version of the Payment Card Industry Data Security Standard. It was released June 11, 2024 and replaced PCI DSS 4.0 entirely on December 31, 2024. It is a clarification update — no new requirements were added or removed.

If you complied with PCI DSS 4.0, you comply with PCI DSS 4.0.1. The March 31, 2025 compliance deadline applied to both versions equally. Requirements 6.4.3 and 11.6.1 — the client-side security requirements that apply to your checkout and payment pages — are unchanged and remain fully mandatory.

If you've been searching "PCI DSS 4.0.1" and wondering whether it changes anything you need to worry about — the short answer is no. The requirements that matter for your checkout page are identical. But since PCI DSS 4.0 is now a retired standard, it's worth understanding exactly what happened and why 4.0.1 is the version every compliance conversation should reference going forward.


The Version Timeline — What Replaced What

PCI DSS has gone through several versions. Here's where 4.0.1 fits in the current picture:

March 31, 2024: PCI DSS 3.2.1 retired [Retired]

The previous long-running standard was officially retired. Organizations had two years after 4.0's release to transition.

June 11, 2024: PCI DSS 4.0.1 released [4.0 retired 12/31/24]

A limited clarification revision published by the PCI Security Standards Council. No new requirements. Ran alongside 4.0 until year-end.

December 31, 2024: PCI DSS 4.0 retired [Retired]

PCI DSS 4.0 officially retired. PCI DSS 4.0.1 became the sole active version of the standard from this date forward.

March 31, 2025: Full compliance deadline

All 64 new requirements introduced in PCI DSS 4.0 — including Requirements 6.4.3 and 11.6.1 — became fully mandatory for all in-scope organizations.

Now: PCI DSS 4.0.1 is the only active standard [Active]

PCI DSS 4.0.1 is the current and only active version. All compliance assessments, QSA reviews, and security programs reference 4.0.1.


What Actually Changed in 4.0.1

PCI DSS 4.0.1 was explicitly described by the PCI Security Standards Council as a "limited revision." Here's what was actually updated:

| Area | PCI DSS 4.0 | PCI DSS 4.0.1 |
|---|---|---|
| Patch timeline (Req 6.3.3) | Critical AND high-risk vulnerabilities within 30 days | Critical vulnerabilities only within 30 days (reverted to 3.2.1 language) |
| SAD storage (Req 3.3.1) | Ambiguous for issuers with a documented business need | Clarified: does not apply to issuers with a legitimate and documented business need |
| PAN cryptographic hashing (Req 3.5.1) | Scope of application unclear | Clarified: applies to both primary and non-primary storage (databases and audit logs) |
| Formatting and typos | Various formatting inconsistencies | Corrected throughout |
| Requirement 6.4.3 | Unchanged | Unchanged |
| Requirement 11.6.1 | Unchanged | Unchanged |
| Total requirements | 64 new requirements | 64 new requirements, none added or removed |

The practical impact for most e-commerce merchants: nothing changed. The patching timeline adjustment affects infrastructure and security teams managing vulnerability management programs — not checkout page compliance. Requirements 6.4.3 and 11.6.1 are word-for-word identical in both versions.


What Stayed the Same — The Requirements That Apply to Your Checkout

The two requirements that directly govern client-side security on payment pages are completely unchanged in PCI DSS 4.0.1:

Requirement 6.4.3: Payment page script authorization and integrity

Every script loaded and executed on a payment page must be authorized, its integrity protected, and an inventory maintained with documented business justification. Mandatory since March 31, 2025. Unchanged in 4.0.1.

Requirement 11.6.1: Tamper-detection for payment page headers and scripts

A mechanism must detect unauthorized changes to HTTP security headers and scripts on payment pages and generate alerts. A Content Security Policy is the primary implementation mechanism. Mandatory since March 31, 2025. Unchanged in 4.0.1.

These are the requirements that most e-commerce merchants are currently failing. They apply to your checkout page, your cart page, your login page, your account page — any page where payment card data is entered or where scripts that could interact with that data are loaded.

"PCI DSS 4.0 retired. PCI DSS 4.0.1 active. Requirements 6.4.3 and 11.6.1 — exactly the same. The version number changed. Your compliance obligations didn't."

Why the Version Number Matters Even If Nothing Changed

If the requirements are the same, why does it matter that 4.0.1 is now the active standard?

For compliance documentation: Any assessment, report, or evidence package you produce should reference PCI DSS 4.0.1 — not 4.0. A QSA reviewing your compliance documentation will note the version. Using a retired version number in formal compliance materials is an unnecessary flag.

For security vendors and tools: Any scanning tool, compliance platform, or report that still says "PCI DSS 4.0" without acknowledging 4.0.1 is working from an outdated reference. That doesn't invalidate the findings — but it's worth knowing whether the tool you're using is current.

For search and awareness: The industry has shifted to "4.0.1" in all current compliance discussions. If you're researching compliance requirements, comparing tools, or evaluating vendors, 4.0.1 is the correct search term for current information.


PCI DSS 4.0.1 Checkout Page Compliance Checklist

Whether you call it 4.0 or 4.0.1, the client-side requirements for your checkout page are identical. Here's what compliance looks like in practice:

  • Script inventory maintained — Every third-party script on your payment pages is documented with vendor name, script URL, and business justification. This is the foundational requirement of 6.4.3.
  • SRI controls in place — Static scripts have Subresource Integrity hashes. Dynamic scripts are controlled via Content Security Policy hash or nonce enforcement. No script executes without an integrity mechanism.
  • Content Security Policy deployed — A CSP with a script-src directive is present on all payment pages. This is the primary tamper-detection mechanism for 11.6.1.
  • HSTS configured — Strict-Transport-Security header present with a minimum max-age of one year. Prevents protocol downgrade attacks on return visits.
  • Cookie security flags set — Session cookies on payment pages have Secure and HttpOnly flags. SameSite configured appropriately.
  • Change detection active — A mechanism exists to detect and alert on unauthorized changes to payment page scripts and HTTP headers — not just at assessment time, but continuously.
  • Critical vulnerabilities patched within 30 days — Under the 4.0.1 clarification, the 30-day patching window applies to critical vulnerabilities. High-risk vulnerabilities follow your risk-based timeline.
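As an added illustration of the checklist above (example code written for this page, not ClientSideIntel's scanner), the following Python runs the SRI, CSP script-src/nonce, HSTS and cookie-flag items over one page's HTML and response headers. The sample checkout page, hostnames and header values are constructed for the example; a real check would feed it the fetched HTML and headers of each payment, cart and login page.

```python
import re
from html.parser import HTMLParser
# Constructed sample checkout page and response headers (not a real site).
SAMPLE_HTML = """<script src="https://cdn.example-psp.test/checkout.js" integrity="sha384-AAAA"></script>
<script src="https://tags.example-analytics.test/tag.js"></script>
<script nonce="r4nd0m">init()</script>"""
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://cdn.example-psp.test",
    "Strict-Transport-Security": "max-age=300",
    "Set-Cookie": "session=abc; Path=/; Secure",
}

class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag (the 6.4.3 inventory)."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def csp_nonces(csp):
    """Nonce values allowed by script-src, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return {p[7:-1] for p in parts[1:] if p.startswith("'nonce-")}
    return None

def check_page(html, headers):
    """Return (requirement, finding) pairs for one page's HTML and headers."""
    findings = []
    parser = ScriptCollector()
    parser.feed(html)
    nonces = csp_nonces(headers.get("Content-Security-Policy", ""))
    if nonces is None:  # 11.6.1: CSP is the primary tamper-detection control
        findings.append(("11.6.1", "no CSP script-src directive on payment page"))
    for s in parser.scripts:
        src = s.get("src")
        if src and "integrity" not in s:  # 6.4.3: external script without SRI
            findings.append(("6.4.3", f"external script without SRI: {src}"))
        if not src and (nonces is None or s.get("nonce") not in nonces):
            findings.append(("6.4.3", "inline script not covered by a CSP nonce"))
    m = re.search(r"max-age=(\d+)", headers.get("Strict-Transport-Security", ""))
    if not m or int(m.group(1)) < 31536000:  # HSTS max-age of at least one year
        findings.append(("HSTS", "Strict-Transport-Security max-age below one year"))
    cookie = headers.get("Set-Cookie", "").lower()
    findings += [("Cookies", f"session cookie missing {f} flag")
                 for f in ("secure", "httponly") if f not in cookie]
    return findings
```

Running `check_page(SAMPLE_HTML, SAMPLE_HEADERS)` flags the analytics tag without SRI, the 300-second HSTS max-age and the missing HttpOnly flag, while the PSP script with an integrity hash and the nonce-covered inline script pass.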

Check Your PCI DSS 4.0.1 Posture Now

The fastest way to see where your site stands against the current PCI DSS 4.0.1 requirements is a client-side scan. The free scan at ClientSideIntel checks your public pages for the browser-layer indicators tied to Requirements 6.4.3 and 11.6.1 — third-party scripts, missing security headers, TLS configuration, and overall risk rating.

If your free scan returns a HIGH or CRITICAL result, or if you want documented evidence of your checkout, cart, login, and payment page posture for a QSA review, the Deep Scan produces a full PDF report covering every finding, every script, every vendor — delivered to your inbox automatically.
