Skip to main content
Cybin EnterprisesCYBIN ENTERPRISESHigh-Risk Payment Solutions
HomeIndustriesHardwareAboutFAQBlogContact
Get Started
Cybin EnterprisesCYBIN ENTERPRISESHigh-Risk Payment Solutions

High-risk payment processing solutions for businesses across every industry. Free consultation, processor-fit review, US, Canada & international coverage.

Browse All 755+ Industries

Quick Links

  • Home
  • About Us
  • Industries
  • Hardware

Resources

  • Blog
  • FAQ
  • What We Are
  • Contact

Solutions by Industry

CBD & CannabisFirearms & FFLFirearms AccessoriesNutraceuticalsTelemedicineGaming / iGamingCrypto ExchangesSubscription BoxesTravel & TicketingAdult ContentMLM / Direct SalesCredit RepairDebt CollectionCannabis (State-Legal)
View all 755+ industries

Featured Guides

  • High-Risk Merchant Account 2026 Guide
  • MATCH List Explained
  • Chargeback Ratios & VAMP
  • Rolling Reserves

Legal

  • Privacy Policy
  • Terms of Service

© 2026 Cybin Enterprises. All rights reserved.

Last updated: May 26, 2026

755+ Industries ServedSecure IntakeLinkedIn
HomeBlogPCI DSS 4.0.1 Compliance: What High-Risk Merchants Need to Know in 2026
Back to Blog
Compliance

PCI DSS 4.0.1 Compliance: What High-Risk Merchants Need to Know in 2026

PCI DSS 4.0.1 future-dated requirements went mandatory on March 31, 2025. Here is the 2026 checklist for high-risk merchants — SAQs, scope reduction, and the new MFA and script-integrity rules.

April 2026
10 min read
Cybin Enterprises

PCI DSS 4.0.1 is now the only enforced standard. Version 3.2.1 retired December 31, 2024, and the future-dated 4.0.1 requirements went fully mandatory on March 31, 2025. If you are a high-risk merchant and you have not updated your Self-Assessment Questionnaire in the last 12 months, you are out of compliance.

This article is the practical 2026 checklist for what actually changed and what high-risk merchants need to do. Our processing partners are PCI-DSS Level 1 compliant, and we help placed merchants navigate their own merchant-level attestation every year.

What PCI DSS Covers for You as a Merchant

PCI DSS applies to every entity that stores, processes, or transmits cardholder data. Your compliance obligation depends on your annual transaction count (Level 1 through 4) and your acceptance channel (e-commerce, in-person, phone).

  • Level 1: 6M+ annual transactions — full ROC (Report on Compliance) by a QSA
  • Level 2: 1M-6M annual transactions — SAQ, sometimes ROC required
  • Level 3: 20k-1M e-commerce transactions — SAQ with quarterly ASV scans
  • Level 4: under 20k e-commerce / 1M total — SAQ only, acquirer discretion on scans

Most high-risk merchants are Level 3 or Level 4 and complete SAQ A, A-EP, or D depending on their integration.

Which SAQ Do You Need?

  • SAQ A — fully outsourced e-commerce (iframe or full redirect to a PCI-compliant processor like Authorize.Net or NMI)
  • SAQ A-EP — your site includes JavaScript that interacts with the payment page (common with hosted checkout integrations using Stripe Elements or similar)
  • SAQ B — standalone terminal, no electronic storage
  • SAQ B-IP — IP-connected terminal (most modern terminals)
  • SAQ C — payment application on internet-connected POS
  • SAQ D — the full questionnaire, required when no other SAQ fits or when you store cardholder data

The 2026 practical rule: pick your SAQ based on what JavaScript is on your checkout page, not what you think your architecture looks like. If your page loads any script that touches a payment field, you are SAQ A-EP minimum.

The Biggest Changes in 4.0.1 for Merchants

Version 4.0.1 introduced 64 new requirements, 51 of which became mandatory March 31, 2025. The ones that matter most for high-risk merchants:

  • Req 6.4.3 — Payment page scripts must be inventoried, authorized, and integrity-checked (addresses Magecart-style attacks)
  • Req 8.3.6 — Passwords must be 12+ characters (was 7), combined complexity OR cryptographic strength equivalent
  • Req 8.4.2 — MFA required for all access into the cardholder data environment, not just administrative access
  • Req 11.6.1 — Change-and-tamper detection on payment pages (works with 6.4.3)
  • Req 12.3.1 — Formal targeted risk analysis required for any 'customized approach' control
  • Req 12.10.7 — Incident response procedures for cardholder data detected outside expected storage

Req 6.4.3 and 11.6.1 — The Script Integrity Rules

These two requirements are the 2025-2026 compliance headache. They target Magecart-style skimmer attacks where a third-party script is modified to exfiltrate cardholder data.

What you need to do as a merchant accepting card-not-present payments:

  • Inventory every script loaded on pages that include payment fields or redirect to payment
  • Justify business need for each script
  • Implement integrity checking (Subresource Integrity hashes, or a monitoring vendor like Feroot, Jscrambler, or Human)
  • Alert on unauthorized script changes

Merchants fully using iframe/redirect to Authorize.Net Accept Hosted, Stripe Checkout, or NMI Collect.js meet this requirement because the payment fields are hosted by the PCI-compliant processor. Merchants using in-line fields (Stripe Elements on your own page) are responsible for the script integrity controls themselves.

Req 8.4.2 — MFA Everywhere

Old rule: MFA for admin access to the cardholder data environment. New rule: MFA for all access, including user access. If your checkout portal, admin dashboard, or payment integration has any user login that touches card data, MFA is mandatory.

Practical implementation: TOTP (Google Authenticator, Authy), hardware keys (YubiKey), or biometric. SMS MFA is explicitly no longer considered strong enough for PCI purposes.

The Compliance Workflow for High-Risk Merchants

  • Annual: Complete the appropriate SAQ and submit attestation to your acquirer
  • Quarterly: Run an ASV (Approved Scanning Vendor) vulnerability scan if SAQ A-EP, C, or D (Trustwave, Security Metrics, Control Scan all common)
  • Ongoing: Monitor script integrity on payment pages (Req 6.4.3/11.6.1)
  • Incident: Document and report any card-data breach within your acquirer's notification window (typically 24-72 hours)

Scope Reduction: The Single Best Compliance Strategy

The cheapest way to comply is to have as little scope as possible. Three patterns reduce scope dramatically:

  • Full redirect to hosted payment page — your site hands off to the processor entirely, and card data never touches your servers (SAQ A)
  • Tokenization — use a processor-hosted iframe so card data is tokenized before it reaches your code (SAQ A or A-EP)
  • Network segmentation — if you must process card data in-house, isolate the environment so the rest of your network is out of scope

Common Misconceptions

  • 'My processor is PCI compliant so I am compliant' — false. Your processor's compliance only covers their systems. You are responsible for your own merchant attestation.
  • 'I only accept payments over the phone so PCI does not apply' — false. SAQ C-VT or C covers phone-order scenarios. MOTO merchants are in scope.
  • 'SAQ A means no work' — false. SAQ A still has 22 requirements and requires annual completion.
  • 'I can skip PCI if I use Stripe' — false. Stripe hands you the PCI SAQ responsibility. Use of a compliant processor reduces scope; it does not eliminate it.

What Noncompliance Actually Costs

  • Acquirer fines: $5,000-$100,000 per month until remediation
  • Breach costs: $50-$150 per exposed card in forensic, legal, and notification costs
  • Card network fines: Visa and Mastercard assess $5,000-$50,000 per breach event
  • Account termination and MATCH listing (Code 12) for sustained noncompliance

How Cybin Enterprises Helps

Our processing partners are PCI-DSS Level 1 compliant, which means your integration into their hosted pages and tokenization APIs minimizes your own compliance scope. We provide referrals to ASVs and QSAs for merchants who need annual scans and attestation. We also help structure integrations (iframe, redirect, Collect.js) that land you in SAQ A or SAQ A-EP instead of SAQ D. Nationwide service across 755+ industries since 2018.

Related Reading

  • How to Open a High-Risk Merchant Account in 2026
  • Chargeback Ratios Explained: Thresholds, Fees, and Prevention
  • Rolling Reserves Explained: How to Negotiate Them Down

Frequently Asked Questions

Am I PCI compliant if I use Stripe or Square?

No. Stripe and Square handle their portion of the card data environment but you still have to attest annually with the SAQ that matches your integration. Using these processors reduces scope (often to SAQ A) but does not eliminate your compliance obligation.

How much does PCI compliance cost annually?

SAQ A merchants spend $50-$200 per year on attestation-only services. SAQ A-EP or C with quarterly ASV scans runs $500-$2,000. Level 2+ with a QSA-led ROC can cost $15,000-$50,000 or more.

Do I need PCI if I use a payment link?

If the payment link redirects the customer entirely to a hosted payment page (Stripe Checkout link, for example), you typically qualify for SAQ A. You still complete the SAQ annually — just with fewer requirements.

What is the difference between PCI DSS 4.0 and 4.0.1?

4.0.1 is a maintenance update released June 2024. It clarifies requirements and fixes errata from 4.0 but adds no new controls. If you comply with 4.0.1 you comply with the full 4.0 family. Version 3.2.1 is retired.

Are paper receipts with card numbers a compliance issue?

Yes. If your receipts show more than the last 4 digits of the PAN, you are out of compliance. Truncate all printed receipts to mask the PAN (show only last 4) and do not print the full expiration date.

About Cybin Enterprises

Cybin Enterprises is a payment services intermediary specializing in high-risk merchant accounts. Our team brings decades of experience in payment processing, compliance, and risk management.

Expertise: High-risk underwriting, payment compliance, chargeback management, multi-processor routing

Last updated: April 2026•10 min read
Share this article:

Related Articles

High-Risk Industries

Crypto Exchange & Web3 Merchant Accounts: 2026 Guide

How crypto exchanges, on/off-ramps, OTC desks, and NFT marketplaces secure fiat card processing in 2026 — MCC 6051, MSB/money-transmitter licensing, AML & Travel Rule, domestic vs offshore acquiring, chargebacks, reserves, and approval requirements.

9 min read
High-Risk Industries

iGaming & Online Gaming Merchant Accounts: 2026 Guide

How online gaming, iGaming, sportsbook, and DFS operators secure stable card processing in 2026 — MCC 7995, scheme registration, domestic vs offshore acquiring, geofencing, reserves, and approval requirements.

9 min read

Ready to Get Started?

Whether you're dealing with account termination or launching a new high-risk business, we can help you secure stable payment processing.

Start Your ApplicationContact Us

Further Reading

Compliance

Subscription Billing Compliance Guide

Subscription and recurring billing models face heightened scrutiny from card networks. Learn how to structure your billing disclosures, cancellation policies, and dunning flows to stay compliant and reduce chargebacks.

Risk Management

Chargeback Management: Strategies That Actually Work

Chargebacks don't have to kill your merchant account. Learn proven strategies to prevent and fight chargebacks.

Guides

High-Risk Payment Processing: Complete Guide for 2026

Everything you need to know about securing payment processing for high-risk businesses in 2026.

Related Industries

Explore payment processing solutions for related high-risk industries.

🎰Gaming

Online Gaming & iGaming

Cybin Enterprises specializes in payment processing for the online gaming & igaming industry. We connect gaming businesses with specialized high-risk merchant account providers who offer stable, long-term processing solutions. From compliance support to competitive rates, we understand the unique challenges your business faces and match you with the right payment partners.

🏈Gaming

Sports Betting & Wagering

Cybin Enterprises specializes in payment processing for the sports betting & wagering industry. We connect gaming businesses with specialized high-risk merchant account providers who offer stable, long-term processing solutions. From compliance support to competitive rates, we understand the unique challenges your business faces and match you with the right payment partners.

📱Healthcare

Telemedicine & Digital Health

Cybin Enterprises specializes in payment processing for the telemedicine & digital health industry. We connect healthcare businesses with specialized high-risk merchant account providers who offer stable, long-term processing solutions. From compliance support to competitive rates, we understand the unique challenges your business faces and match you with the right payment partners.

🧪Healthcare

Compounding Pharmacy

Cybin Enterprises specializes in payment processing for the compounding pharmacy industry. We connect healthcare businesses with specialized high-risk merchant account providers who offer stable, long-term processing solutions. From compliance support to competitive rates, we understand the unique challenges your business faces and match you with the right payment partners.

📈Financial Services

Credit Repair Services

Cybin Enterprises specializes in payment processing for the credit repair services industry. We connect financial services businesses with specialized high-risk merchant account providers who offer stable, long-term processing solutions. From compliance support to competitive rates, we understand the unique challenges your business faces and match you with the right payment partners.

💰Financial Services

Debt Settlement & Relief

Cybin Enterprises specializes in payment processing for the debt settlement & relief industry. We connect financial services businesses with specialized high-risk merchant account providers who offer stable, long-term processing solutions. From compliance support to competitive rates, we understand the unique challenges your business faces and match you with the right payment partners.