PCI 4.0 Requirement Update for April 2025: What You Need to Know

Staying ahead of security requirements is no easy task, but it’s essential to protecting your users and ensuring compliance. The Payment Card Industry Data Security Standard (PCI DSS) helps businesses safeguard sensitive payment information, preventing data breaches and fraud. Even if your site uses a hosted payment gateway, evolving threats mean the requirements continue to shift.

With PCI DSS 4.0, new security updates have already rolled out (as of April 1, 2024), and another wave of changes is coming on April 1, 2025. Here’s what you need to know to stay compliant—and how we can help make the transition smoother.


Key PCI 4.0 Requirements Effective April 1, 2025

The upcoming requirements focus on enhancing security for client-side scripts that impact the payment process. The two main areas of focus are:

  1. Enhanced security for client-side scripts used in the payment process

  2. Consistent monitoring of client-side scripts affecting the payment process


Client-Side Script Security Enhancements

The new PCI 4.0 rules apply to any areas of a website where a hosted payment modal is displayed. To prevent potential script tampering, PCI DSS now requires that all scripts used on these pages have additional security measures in place.

Key Changes:

  • To ensure scripts remain untampered, they can no longer be loaded dynamically.

  • Tools such as Google Tag Manager will no longer be acceptable for script deployment on payment pages with a payment modal.

  • Tracking scripts can still be used but must be configured manually.

  • All scripts must include additional security headers and hashes to verify their integrity.

These changes won’t affect the visual appearance of the website, but they will require additional effort to configure and maintain properly.


Monitoring of Client-Side Scripts

The new requirements state that any page that displays a payment modal must be consistently monitored for changes (every 10 minutes). Any detected change must be reviewed to confirm that no script tampering has occurred. Tools for client-side monitoring have been costly, often around $15,000 per year per website. However, with the new PCI 4.0 requirements, more cost-effective solutions are now available at under $1,000 per year per website.

Adage can help you deploy proper client-side script monitoring tools at a more manageable cost to ensure compliance and security.


Next Steps: Ensuring Compliance

To keep your website compliant with the latest PCI DSS 4.0 standards and maintain the highest level of security for user payment data, Adage recommends scheduling a meeting to discuss these new requirements in detail. During this discussion, we will:

  • Review the specific PCI 4.0 requirements for client-side scripts and their impact.

  • Assess potential effects on your website’s functionality and user experience.

  • Develop strategies and best practices for implementing necessary changes.

  • Answer any questions or concerns about these updates.

Additionally, we can establish an action plan to integrate these changes into your project timeline, ensuring minimal disruption to ongoing development.

Ready to Get Ahead of PCI 4.0? Schedule a meeting with our team to ensure your site stays secure, compliant, and ready for these updates. The earlier we plan, the smoother the transition will be—helping you avoid last-minute headaches or compliance risks.
