As of 31 March 2025, all PCI DSS v4.0 requirements are mandatory. The twelve “future-dated” requirements that were flagged as best practices in 2024 are now compliance requirements. Any organisation whose QSA assessment window falls after that date will be assessed against the full v4.0 requirement set — including requirements that many organisations treated as deferred work.

This post reviews the most significant future-dated requirements that are now in force, what they require in practice, and what your programme should be able to demonstrate.

The Future-Dated Requirements: What They Cover

Phishing-resistant multi-factor authentication (Requirement 8.4.1 context). For all personnel with administrative access to the CDE, phishing-resistant authentication methods are now required where technically feasible. Hardware security keys (FIDO2), smart card authentication, and similar phishing-resistant mechanisms satisfy this requirement. Standard TOTP or SMS-based MFA alone does not — these can be intercepted through phishing attacks. Organisations still relying solely on standard TOTP for privileged CDE access have a gap.

Updated password requirements (Requirement 8.3.6). Minimum password length is now 12 characters for systems where the technology supports it. Organisations that updated their password policy to say “12 characters” in 2024 but did not enforce the policy at the system level — because enforcement would break legacy applications or require user resets — will be tested on whether the requirement is actually implemented, not just documented.

Automated log reviews (Requirement 10.4.1.1). Automated mechanisms for reviewing logs are now required for all except sampled in-scope systems. Manual log review — a spreadsheet review process, periodic checks by a security analyst — does not satisfy this requirement. SIEM tools, log aggregation platforms with automated alerting, or managed security monitoring services all satisfy it. If your log review process remains primarily manual, this is an immediate gap.

E-commerce script management (Requirements 6.4.3 and 11.6.1). These requirements — which generate the most uncertainty for e-commerce merchants — are now mandatory. Every script that loads in a consumer’s payment page browser must be documented in an inventory, each must be authorised, and the integrity of each must be verified. A change and tamper-detection mechanism must be in place for payment page HTTP headers and content. Merchants who have been aware of these requirements since v4.0 published but have not implemented a management process will face findings at their next assessment.

Security awareness training expanded (Requirement 12.6.3.1). Security awareness training must now cover evolving phishing techniques at least every 12 months. Training that covers general phishing awareness but does not address current and emerging techniques — including AI-generated phishing content, spear phishing targeting payment staff, and voice phishing (vishing) — does not satisfy this requirement.

What Your Programme Should Demonstrate Right Now

If your next QSA assessment is in the next 12 months, the future-dated requirements are live for that assessment. Your programme should be able to demonstrate:

Evidence that phishing-resistant MFA is in place for privileged CDE access — configuration screenshots, access logs, or system reports showing the authentication mechanism in use. Evidence that password length requirements are enforced at the system level, not just documented in policy. Evidence that automated log review is operational — alerting rules, SIEM configuration, or managed monitoring service documentation. For e-commerce merchants, evidence of a script inventory and a change detection mechanism for payment pages. And evidence of updated security awareness training completed within the past 12 months that covers current phishing techniques.

Gaps in any of these areas are findings at your next assessment. If you discover gaps now, you have time to address them before the assessment window — but the window depends on when your assessment is scheduled.

At Bitsecura, we have been helping clients implement the future-dated requirements since v4.0 published in 2022. If you are approaching your next PCI DSS assessment and are uncertain whether your programme covers the full v4.0 requirement set — including the requirements that became mandatory in March 2025 — we can conduct a targeted readiness review. Reach out here.


Bitsecura provides PCI DSS compliance support, gap assessment, and QSA readiness services. Learn more about our PCI DSS services.