We receive compensation from brands featured here, which may influence their ranking.Advertiser disclosure
Advertising Disclosure
This site is a free online resource that strives to offer helpful content and comparison features to its visitors. Please be advised that the operator of this site accepts advertising compensation from certain companies that appear on the site, and such compensation impacts the location and order in which the companies (and/or their products) are presented, and in some cases may also impact the scoring that is assigned to them. The scoring that appears on this site is determined by the site operator in its sole discretion, and should NOT be relied upon for accuracy purposes. In fact, Company/product listings on this page DO NOT imply endorsement by the site operator. Except as expressly set forth in our Terms of Use, all representations and warranties regarding the information presented on this page are disclaimed. The information which appears on this site is subject to change at any time. So how do we make money? Our partners compensate us. This may influence which products we review and write about, but it in no way affects our recommendations or advice. Our partners cannot pay us to guarantee favorable reviews of their products or services.
MerchantServicesUSA
Best Merchant Services Reviews
Home
Merchant Services
Merchant Services Credit Card Processing Payment Processing Merchant Services Credit Card Readers Payment Gateway
Reviews
Reviews Leaders Paysafe Stax Payment Depot Clover MerchantOne
Blog
Blog ACH vs. Cards: When to Use Each, Fees, Same‑Day ACH Limits & Risk Reg II Debit Routing (Durbin) for Merchants: What Changed for Online Payments PCI DSS v4.0 for Small Businesses: What’s Due by March 31, 2025 Surcharging vs. Dual Pricing vs. Cash Discount: What’s Legal in 2025? Credit Card Processing Fees Explained (2025): Real SMB Averages, By Method & Card

PCI DSS v4.0 for Small Businesses: What’s Due by March 31, 2025

Merchant Services USA Advisor
Staff Editor
PCI DSS v4.0 for Small Businesses: What’s Due by March 31, 2025

KEY TAKEAWAYS

  • PCI DSS v4.0 is live and future‑dated controls are now mandatory; scope includes even “hosted checkout” merchants.
  • Choose the correct SAQ (A, A‑EP, C‑VT, B‑IP, P2PE) for your setup and reduce scope with tokenization/P2PE.
  • Finish essentials: MFA for admins, logging/retention, script integrity for e‑commerce, patch cadence, and clear roles/diagrams.

Summary

PCI DSS v4.0 replaced v3.2.1 on March 31, 2024. Many of the 64 “new” requirements were labeled “future‑dated” and become mandatory after March 31, 2025. A limited‑revision v4.0.1 (June 2024) clarified language but did not add new requirements. If you store, process, or transmit card data—even via a hosted checkout—you’re in scope. 

What changed and when

  1. March 31, 2024: v3.2.1 retired; assessments now on v4.x. 
  2. March 31, 2025: 51 future‑dated v4.0 requirements move from “best practice” to mandatory (varies by merchant type/service provider). 
  3. v4.0.1 (June 2024): Clarifications/formatting; no additional or deleted requirements. 
  4. New SAQs for v4.0.1 were published (Oct 2024). 

What this means for SMBs (examples—not legal advice)

If you use a standalone IP‑connected EMV terminal with no storage, your SAQ may resemble B‑IP or P2PE (if using a validated P2PE solution). If you key via a web‑based virtual terminal, you’re likely in SAQ C‑VT. If you host parts of your e‑commerce payment page (scripts/iframes), you may be in SAQ A‑EP; fully‑outsourced hosted checkout can fit SAQ A. Confirm using the current SAQ guidance. 

Ten focus items to complete before March 31, 2025

  1. Roles and responsibilities documented for each control family (v4 requirement).

  2. Annual scope confirmation and network diagrams including segmentation and CDE data flows.

  3. MFA for admin access and remote access; strengthen auth per v4.

  4. Harden scripts and e‑commerce pages (integrity controls, change detection).

  5. Build/patch cadence aligned to vulnerability management SLAs; authenticated internal scans.

  6. Logging and monitoring with tamper resistance and retention; review procedures.

  7. Incident response tabletop including third‑party PSP/gateway contacts.

  8. For e‑commerce, reduce scope via network tokenization and hosted fields when possible.

  9. If you rely on vendors (POS, gateways, MSPs), capture their AOC/attestations and versions.

  10. Use PCI’s Prioritized Approach Tool (v4.0.1) to stage work in business‑friendly tranches.

How your providers can help

Clover review — validated devices, semi‑integrated flows, P2PE options to shrink scope (still need policies, training, and SAQ).
Leaders Merchant Services review — PCI portal, SAQ help, and gateway settings (tokenization, 3‑D Secure) for CNP.
Stax review — e‑commerce tools, tokenized vault, and recurring billing with PCI‑aware workflows.
Payment Depot review — interchange‑plus pricing plus PCI support; confirm SAQ fit by environment.
Merchant One review — small‑business onboarding and PCI program; check SAQ mapping and scan requirements.
Worldpay review — enterprise‑grade tokenization, recurring, and fraud tools with documented PCI materials.
Swipe4Free review — ensure surcharging/dual‑pricing apps maintain EMV/P2PE posture and do not break SAQ assumptions.

Sources

PCI SSC announcement on v3.2.1 retirement and v4 timing. 

PCI SSC blog: 51 future‑dated requirements due March 31, 2025; v4.0.1 context. 

PCI Document Library (v4.0.1, Quick Reference Guide, Prioritized Approach). 

SAQs for v4.0.1 bulletin (Oct 2024). 

Related reading
Swipe4Free review Leaders review MerchantOne review Stax review WorldPay review Payment Depot review Clover review Paysafe review
Related articles
ACH vs. Cards: When to Use Each, Fees, Same‑Day ACH Limits & Risk Credit Card Processing Fees Explained (2025): Real SMB Averages, By Method & Card Surcharging vs. Dual Pricing vs. Cash Discount: What’s Legal in 2025? Reg II Debit Routing (Durbin) for Merchants: What Changed for Online Payments Go to blog
Featured Partners
1. Swipe4Free
Swipe4Free Read Review 1-888-499-7317
Free Trial No
Offer The original zero-fee credit card processing solution
Pricing 0% (surcharge model)
Contract Month-to-month
Funding Same Day
Best For Small biz saving on fees
2. Leaders
Leaders Read Review 888-714-3515
Free Trial No
Offer Transparent pricing with powerful POS solutions for small businesses
Pricing Rates as low as 0.15%
Contract Typically 3 years
Funding Same/Next Day
Best For Approval Rates & Low Fees
3. MerchantOne
MerchantOne Read Review 844 420-0158
Free Trial No
Offer Get a $500 gift card if we can’t beat your rate
Pricing Interchange-plus, low monthly fees
Contract Flexible
Funding Next Day
Best For Startups & small businesses
4. Stax
Stax Read Review 855-600-2877
Free Trial 1 Month
Offer Save 40% on fees with 0% markup processing
Pricing $99/mo + $0.07–$0.15 + interchange
Contract Month-to-month
Funding Next Day
Best For High-volume merchants
5. WorldPay
WorldPay Read Review
Free Trial No
Offer Unlock up to $650 back or score a free commerce360 POS
Pricing Custom, global multi-currency support
Contract 2–3 years
Funding 1–2 Days
Best For Large/global enterprises
6. Payment Depot
Payment Depot Read Review 8666058078
Free Trial 1 Month
Offer Lock in lowest-cost, no-markup processing with zero exit penalties
Pricing $99/mo + $0.07–$0.15 + interchange
Contract Month-to-month
Funding Next Day
Best For Affordable Credit Card Processing
7. Clover
Clover Read Review 877-916-9654
Free Trial No
Offer New Clover users: Get a $450 statement credit
Pricing Flat-rate, POS included
Contract Month-to-month
Funding Next Day
Best For Retail & restaurants
8. Paysafe
Paysafe Read Review 866-960-6259
Free Trial
Offer Secure global payments for high-risk businesses.
Pricing
Contract
Funding
Best For Globally Payments
Leaders