Inside a PCI DSS 4.0.1 Audit: What Assessors Expect

On the first morning of fieldwork, a Qualified Security Assessor rarely asks to see your firewalls. They ask for your scope diagram, and then they ask you to prove it is complete.

The question sounds procedural. It is the moment that decides how the next two weeks will go, because everything an assessor can test, and everything they cannot, follows from where the cardholder data environment begins and ends.

For three years, version 4.0 came with a cushion. Fifty-one of its sixty-four new requirements were labelled best practice, optional until a stated date, and many teams validated in 2024 while treating them as a future problem. That cushion is gone. As of 31 March 2025, all fifty-one are mandatory, which makes an assessment in 2026 the first many organisations will face with nothing held in reserve. A control that is planned, scheduled, or partially deployed is not a control that is in place, and an assessor records it as a gap.

The standard, read as an assessor reads it

Strip away the detail and the standard is twelve requirements organised into six goals: build and maintain a secure network, protect account data, run a vulnerability management programme, enforce strong access control, monitor and test networks, and maintain an information security policy. An assessor reads them as a chain. Network controls and secure configuration come first (Requirements 1 and 2). Stored and transmitted account data must be protected (3 and 4). Anti-malware and secure software follow (5 and 6). Access is restricted to those with a business need to know, users are authenticated, and physical access is controlled (7, 8, 9). Activity is logged and systems are tested (10, 11). Requirement 12 ties it together with policy and the targeted risk analyses that now drive how often many of the other controls have to run.

Step one of any assessment is confirming scope, not testing controls. The assessor establishes which systems, people, and processes store, process, or transmit cardholder data, plus everything connected to or able to affect that environment. If segmentation is used to keep systems out of scope, it has to be proven by penetration testing, not asserted. Teams that draw the boundary too narrowly discover mid-assessment that an out-of-scope system was in scope all along, and the timeline resets.

Two approaches, two evidence burdens

For most requirements, an organisation chooses one of two routes to demonstrate compliance. The Defined Approach is the familiar one: implement the control as written, and the assessor follows the standard's stated testing procedures. Where a legitimate, documented technical or business constraint makes a requirement impossible to meet as stated, the Defined Approach allows a compensating control, recorded on a worksheet and validated every year.

The Customized Approach is newer and far heavier on evidence. Instead of following the prescribed control, the entity designs its own to meet the requirement's stated objective, then documents a controls matrix and a targeted risk analysis for each one. There are no pre-written tests; the assessor derives bespoke testing procedures for every customized control. Two points trip teams up here. Compensating controls are not available under the Customized Approach, because the entity already designed the control it judged sufficient. And organisations that validate through a Self-Assessment Questionnaire cannot use the Customized Approach at all.

Whatever the route, an assessor reaches a verdict through three methods: examining evidence such as configurations, policies, logs and records; observing processes and controls in operation; and interviewing the people who run them. For large environments they sample, so the records have to hold up across the whole population, not just the examples you hand over. Each requirement closes on one of two findings: in place, or not in place. There is no partial credit for intent, and a control scheduled for next quarter counts as not in place.

The output depends on who is assessing. A Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) documents results in a Report on Compliance (ROC); smaller merchants may self-assess through a Self-Assessment Questionnaire (SAQ). Both feed an Attestation of Compliance (AOC), the short summary your acquirer or the payment brands actually collect. Customized Approach results can only be recorded in a ROC, which is why that route effectively requires a QSA or ISA.

Where the consequences land

The PCI Security Standards Council does not issue fines. The consequences sit with the payment brands and acquirers who mandate compliance, and the practical cost of a stalled assessment is paid in time. A not-in-place finding does not simply lower a score. It holds back the Attestation of Compliance until the gap is remediated and the assessor reassesses, which can push a validation date past a contractual deadline with an acquiring bank. For organisations in Malaysia and Singapore that already answer to Bank Negara, the Securities Commission, or MAS technology-risk expectations, a lapsed card-data attestation is the kind of finding that surfaces in the next regulatory conversation. The board-level point is plain: the assessment measures whether your evidence keeps pace with your operations all year, not whether you can assemble it in the week the assessor arrives.

What to do before the assessor arrives

Five moves separate a clean assessment from a stalled one.

  1. Re-confirm scope before the assessor does. Produce a current data-flow diagram and a cardholder-data inventory, and validate any segmentation with a recent penetration test.

  2. Decide Defined or Customized for each requirement now, not during fieldwork. If you are going Customized, the controls matrix and targeted risk analysis must already exist and carry senior-management sign-off before testing begins.

  3. Assemble evidence in the assessor's three modes. For every in-scope requirement, know which document will be examined, which process will be observed, and who will be interviewed.

  4. Treat the fifty-one future-dated requirements as live controls. Run them, generate the records, and confirm the dates those records started.

  5. Pre-stage a compensating-control worksheet for any Defined requirement you genuinely cannot meet as written, before the assessor flags it for you.

Which returns us to that first-morning question. When the assessor asks you to prove your scope is complete, they are really asking whether your security runs as a continuous practice or an annual performance. The organisations that pass cleanly are not the ones with the most controls. They are the ones whose evidence was already being generated long before anyone booked the assessment. The decision in front of you is whether this year's audit is something you prepare for, or something you can already prove.




Disclaimer

This article is provided for general information and does not constitute legal, regulatory, or compliance advice. PCI DSS validation requirements, reporting obligations, and consequences for non-compliance are determined by the payment brands and acquiring banks that manage individual compliance programmes, and may vary by entity, region, and merchant or service-provider level. Organisations should confirm their specific obligations with their acquirer, their assessor, and the current PCI SSC documentation before acting.


Frequently Asked Questions

Inside a PCI DSS v4.0.1 Audit

What an assessment actually involves: scope, the two approaches, the evidence assessors expect, and what the findings mean.

What does a PCI DSS assessment involve?

An assessor first confirms the scope of the cardholder data environment, then evaluates the standard's twelve requirements through three methods: examining evidence such as policies, configurations and logs; observing processes in operation; and interviewing personnel. Each requirement receives an in-place or not-in-place finding, which is documented in a Report on Compliance or a Self-Assessment Questionnaire and summarised in an Attestation of Compliance.

How do the Defined and Customized Approaches differ?

Under the Defined Approach, an entity implements each control as written and the assessor follows the standard's stated testing procedures; compensating controls are permitted where a documented constraint prevents meeting a requirement as stated. Under the Customized Approach, the entity designs its own controls to meet a requirement's objective, documents a controls matrix and a targeted risk analysis, and the assessor derives bespoke tests. Compensating controls are not available under the Customized Approach, and entities using a Self-Assessment Questionnaire cannot use it.

Are the future-dated v4.0 requirements now mandatory?

Yes. Of the 64 new requirements introduced in v4.0, 51 were future-dated as best practices and became mandatory on 31 March 2025. Every requirement is now in scope for assessments. A control that is only planned or partially deployed is treated as not in place.

What evidence do assessors expect?

Assessors expect documentation they can examine, processes they can observe, and personnel they can interview, with records that remain consistent across a sampled population rather than only the examples provided. For customized controls, they also expect a controls matrix and a targeted risk analysis with senior-management approval.

Does the PCI Security Standards Council issue fines?

No. The PCI SSC maintains the standard but does not levy fines. Compliance is mandated and enforced by the payment brands and acquiring banks that run individual compliance programmes, and the practical impact of a not-in-place finding is usually delay, because the Attestation of Compliance is withheld until remediation and reassessment are complete.
