Why Fintech Companies Are Failing PCI DSS 4.0 Audits (And How to Fix It Before Your Next Assessment)
PCI DSS 4.0 became the only active version of the standard when 3.2.1 was retired on 31 March 2024, and its future-dated requirements became mandatory on 31 March 2025. Payment processors and fintech companies are now hitting their first full 4.0 recertification, and most aren't ready. Here's what's actually tripping up teams, and how to close gaps before your QSA shows up.

Happy Thursday!
Welcome to Cycoresecure.com, your go-to partner for transforming security and compliance into effortless processes. Whether you're a startup or a growing tech company, we provide services to tackle your biggest security challenges, freeing you to focus on scaling your business with confidence. Let's secure your future together!
Make sure to follow our Cycore LinkedIn page and subscribe to receive updates on current events, trends, and industry news that matter to you
PCI DSS 4.0 was published in March 2022 and replaced 3.2.1 on 31 March 2024. Its future-dated requirements, including the expanded MFA rules below, were "best practice" until 31 March 2025 and are now mandatory. The grace period is over.
Right now, fintech companies are entering their first full 4.0 recertification cycle, and a consistent pattern is emerging: teams that assumed their existing 3.2.1 controls would carry over are finding material gaps, often with 60 to 90 days until their QSA arrives.
PCI DSS 4.0 isn’t just an update. It’s a shift from a checklist mentality to a risk-driven, continuously validated approach. The companies that understand that shift are passing. The ones that don’t are failing.
The 5 Requirements Tripping Up Fintech Teams
1. Customized Approach Documentation
What changed: PCI DSS 4.0 allows organizations to meet a requirement's stated objective with a control of their own design (the customized approach) instead of the defined approach, as long as they document why the objective is still met. That evidence burden is significant.
Common mistake: Opting into the customized approach without building the documentation scaffolding first. For every customized control the QSA expects a completed controls matrix (what the control is, how it meets the objective, how it is maintained and monitored) and a targeted risk analysis for that control; the QSA then has to write and perform their own testing procedures against it. A verbal explanation of why the deviation is fine does not count as evidence.
2. Targeted Risk Analysis (TRA)
What changed: Several requirements now let you choose how often an activity runs (for example, how frequently you inspect POI devices under 9.5.1.2.1, review logs for lower-risk systems under 10.4.2.1, or rotate application and system account passwords under 8.6.3), but only if you have completed and documented a Targeted Risk Analysis under 12.3.1 that justifies the chosen frequency. Each TRA must be reviewed at least once every 12 months.
Common mistake: Adjusting frequencies without the required TRA on file. Auditors want to see the analysis that justifies the frequency, not just the activity log showing you performed the task.
3. MFA Everywhere in the CDE
What changed: MFA is no longer limited to remote access from outside the network (8.4.3). Requirement 8.4.1 covers all non-console administrative access into the cardholder data environment, and 8.4.2 (future-dated, mandatory since 31 March 2025) requires MFA for all access into the CDE, including access that originates inside the network.
Common mistake: Internal admin accounts that bypass MFA because they are "inside the network." Legacy systems that were never built for MFA (jump hosts, appliances, database consoles) create the same gap and need either a front-end MFA gateway or a documented compensating control.
4. Phishing-Resistant Authentication
What changed: Requirement 8.5.1 sets minimum properties for any MFA system protecting CDE access: it must not be susceptible to replay attacks, it cannot be bypassed by any user (including administrators) unless an exception is documented, management-approved and time-limited, it must use at least two different factor types, and it must grant access only after every factor succeeds. The standard does not mandate a specific technology, but SMS OTP is hard to defend on the replay and interception points, so whether it passes depends on your risk analysis and how your QSA reads it. Phishing-resistant methods such as FIDO2/WebAuthn and smart cards satisfy these properties by design.
Common mistake: Assuming any MFA satisfies the requirement. QSAs now scrutinize the specific mechanism and its configuration (factor types, bypass settings, replay resistance), not just whether MFA is switched on. A password plus security questions is two knowledge factors, which is not MFA at all under 8.5.1.
5. Enhanced Penetration Testing Protocols
What changed: Requirement 11.4.5 carries the segmentation test forward from 3.2.1 (11.3.4) and spells out what it must cover: if segmentation is used to reduce PCI DSS scope, penetration testing must exercise every segmentation control in use, confirm it is operational and effective, and confirm that every out-of-scope system is isolated from the CDE. Testing is required at least every 12 months and after any change to segmentation controls (every six months for service providers under 11.4.6). Network-layer testing must prove the CDE is isolated, not just describe the architecture.
Common mistake: Pen test scope that doesn't include segmentation validation. A generic application or external report won't satisfy this requirement. Auditors want to see that your tester explicitly attempted to cross from out-of-scope segments into the CDE, from which vantage points, and documented every result.
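The evidence a QSA wants from segmentation testing is a record of every attempt to reach the CDE from an out-of-scope segment and what happened to it. The following harness is an added example, not code from the original newsletter; the target addresses, ports and the out-of-scope vantage point are constructed for illustration. It also handles the caveat that an RST from the CDE side is ambiguous (a closed port on a reachable host, or a firewall that rejects rather than drops), so it is reported as "review" rather than "blocked".

```python
import json
import socket
from datetime import datetime, timezone

# Constructed test matrix (hypothetical RFC 1918 addresses): each row is one
# connection the tester attempts from an out-of-scope vantage point. For a
# correctly segmented CDE every attempt should be silently dropped.
CDE_TARGETS = [
    {"host": "10.10.20.5", "port": 443, "label": "payment-api https"},
    {"host": "10.10.20.5", "port": 22, "label": "payment-api ssh"},
    {"host": "10.10.20.9", "port": 5432, "label": "card-vault postgres"},
    {"host": "10.10.20.9", "port": 3389, "label": "card-vault rdp"},
]


def tcp_connect(host, port, timeout=3.0):
    """Real probe. 'open' = handshake completed (boundary crossed);
    'refused' = an RST came back (a host or a REJECT rule answered);
    'filtered' = no answer within the timeout (dropped at the boundary)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "refused"


STATUS = {"open": "crossed", "refused": "review", "filtered": "blocked"}


def run_segmentation_test(targets, vantage, connector=tcp_connect):
    """Probe every target and return one evidence record per attempt.
    `connector` is injectable so the classification logic can be exercised
    without a live network."""
    records = []
    for t in targets:
        outcome = connector(t["host"], t["port"])
        records.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "source": vantage,
            "target": "%s:%d" % (t["host"], t["port"]),
            "label": t["label"],
            "outcome": outcome,
            "status": STATUS[outcome],
        })
    return records


def summarize(records):
    """Roll the evidence up into the statement the report needs.
    A completed handshake is a failed segmentation control. An RST is
    ambiguous and must be resolved by hand before the test can pass."""
    crossed = [r["target"] for r in records if r["status"] == "crossed"]
    review = [r["target"] for r in records if r["status"] == "review"]
    blocked = sum(1 for r in records if r["status"] == "blocked")
    if crossed:
        result = "FAIL"
    elif review:
        result = "REVIEW"
    else:
        result = "PASS"
    return {"attempted": len(records), "blocked": blocked,
            "crossed": crossed, "review": review, "result": result}


if __name__ == "__main__":
    vantage = "10.10.50.17 (corporate LAN, out of scope)"
    evidence = run_segmentation_test(CDE_TARGETS, vantage)
    print(json.dumps(evidence, indent=2))
    print(json.dumps(summarize(evidence), indent=2))
```

Run it once from each out-of-scope segment (corporate LAN, guest Wi-Fi, the DMZ, any vendor VPN) and keep the JSON output with the pen test report; the `source` field is what ties each attempt to a vantage point when the QSA asks which boundaries were actually exercised.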
How Embedded Finance Companies Are Getting Caught
Embedded finance companies often assume their PCI obligations end at the handoff to their payment provider. That assumption is partly true and partly how companies fail audits.
Your provider handles processing, storage, and transmission on their infrastructure. You still own how card data flows through your systems before it gets there, the security of integration points, and any environment that touches the payment flow.
PCI DSS 4.0 increases scrutiny at these boundaries. If your application collects card data before passing it to a processor, or if your infrastructure touches the payment flow in any way, you have a CDE that needs to be scoped, documented, and secured accordingly.
Why buyers care: Enterprise buyers and partners are asking harder questions about payment data handling. Unclear answers about scope slow deals down or kill them.
What to Do in the Next 90 Days
Days 1-30: Scope and Gap Assessment
Map cardholder data flows to verify CDE scope. Confirm what’s in scope and what isn’t.
Run a gap assessment against PCI DSS 4.0. Focus on requirements that changed from 3.2.1.
Inventory all accounts with CDE access. Flag any lacking MFA or using non-phishing-resistant methods for privileged access.
Identify every requirement where you’ve adjusted frequency. Confirm TRAs exist and are documented.
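The account inventory step above, and the mechanism scrutiny described under requirement 4, can be turned into a repeatable check rather than a spreadsheet exercise. The script below is an added example and not code from the original newsletter; the inventory rows, the method names and the factor-type mapping are constructed assumptions that mirror what an IdP export might contain, so adjust the mapping to your own identity provider. It flags missing MFA (8.4.1/8.4.2), same-type factor pairs, replayable methods and undocumented bypasses (8.5.1), and reports privileged accounts without a phishing-resistant factor as an advisory rather than a requirement failure, which is how the standard treats it.

```python
import csv
import io

# Factor category per authentication method. Method names are an assumption
# mirroring what an IdP export might contain; map your own names here.
FACTOR_TYPE = {
    "password": "knowledge",
    "security_question": "knowledge",
    "totp": "possession",
    "sms_otp": "possession",
    "email_otp": "possession",
    "push": "possession",
    "fido2": "possession",
    "smartcard": "possession",
    "fingerprint": "inherence",
}
PHISHING_RESISTANT = {"fido2", "smartcard"}
# Flagged against 8.5.1's replay-resistance property: codes delivered out of
# band can be intercepted and reused inside their validity window.
REPLAYABLE = {"sms_otp", "email_otp"}

# Constructed inventory (not a real export): one row per account.
INVENTORY_CSV = """\
account,cde_access,privileged,methods,bypass_allowed,bypass_exception_documented
alice,yes,yes,password+fido2,no,no
bob,yes,yes,password+totp,no,no
carol,yes,yes,password+sms_otp,no,no
dave,yes,no,password,no,no
erin,yes,no,password+security_question,no,no
frank,yes,yes,password+push,yes,no
grace,no,no,password,no,no
svc-batch,yes,yes,password+totp,yes,yes
"""


def evaluate(row):
    """Return (requirement, finding) tuples for one in-scope account."""
    findings = []
    methods = row["methods"].split("+")
    categories = {FACTOR_TYPE[m] for m in methods}
    privileged = row["privileged"] == "yes"

    if len(methods) < 2:
        req = "8.4.1" if privileged else "8.4.2"
        findings.append((req, "no MFA on CDE access (single factor: %s)" % methods[0]))
    elif len(categories) < 2:
        findings.append(("8.5.1", "both factors are %s; two different factor types required"
                         % next(iter(categories))))

    replay = sorted(set(methods) & REPLAYABLE)
    if replay:
        findings.append(("8.5.1", "%s is not replay-resistant; justify in your TRA or replace it"
                         % ", ".join(replay)))

    if row["bypass_allowed"] == "yes" and row["bypass_exception_documented"] != "yes":
        findings.append(("8.5.1", "MFA bypass enabled without a documented, "
                                  "management-approved, time-limited exception"))

    if privileged and not (set(methods) & PHISHING_RESISTANT):
        findings.append(("advisory", "privileged CDE access without a phishing-resistant "
                                     "factor (FIDO2/smart card)"))
    return findings


def audit(inventory_csv):
    """Map every account with CDE access to its findings (empty list = clean)."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["account"]: evaluate(r) for r in rows if r["cde_access"] == "yes"}


def by_requirement(report):
    """Count findings per requirement so the gap list can be prioritized."""
    counts = {}
    for findings in report.values():
        for req, _ in findings:
            counts[req] = counts.get(req, 0) + 1
    return counts


if __name__ == "__main__":
    report = audit(INVENTORY_CSV)
    for account, findings in report.items():
        for req, text in findings:
            print("%-10s %-8s %s" % (account, req, text))
    print(by_requirement(report))
```

Feed it the real export and keep the output as the first artifact in the requirement 8 evidence folder; rerunning it after remediation gives the QSA a before-and-after pair, and the "advisory" bucket is the list you hand to whoever decides whether privileged access moves to FIDO2 before the assessment.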
Days 31-60: Remediation and Documentation
Close MFA gaps and document compensating controls for any legacy systems that can’t support it natively.
Complete missing Targeted Risk Analyses and update policies to reflect 4.0 requirements.
Update your pen test scope to explicitly include segmentation validation. Schedule or reschedule as needed.
Days 61–90: Audit Readiness
Organize your evidence package by requirement. Well-organized evidence reduces audit duration and last-minute surprises.
Run an internal walkthrough. Gaps in your narrative are easier to find before fieldwork than during it.
Brief anyone who will be interviewed by your QSA. Make sure they can speak accurately about their area without relying on you.
Ready to close your PCI DSS 4.0 gaps before your next assessment? Contact Cycore.
Security Insights
Only 32% of Organizations Met All PCI DSS Requirements in 2022, and it’s Getting Harder (Help Net Security, Dec 2025). A new study published in December 2025 found that only about 32% of organizations met all PCI DSS requirements in 2022, a figure that declined steadily after 2020. Researchers attribute the gap in part to enforcement: PCI DSS penalties amount to a fraction of a percent of revenue for large organizations, compared to GDPR fines that can reach 4% of global turnover. The rollout of PCI DSS 4.0 has raised the bar further, with new requirements around continuous monitoring, MFA, and risk analysis that many organizations are still working to implement. https://www.helpnetsecurity.com/2025/12/23/pci-dss-adoption-enforcement-study/
PCI DSS 4.0.1 Enforcement Now Fully in Effect - Prompt Action Required (McDermott Will & Emery, July 2025). As of April 1, 2025, all merchants and third-party service providers must fully comply with PCI DSS 4.0.1. McDermott Will & Emery's July 2025 client advisory highlights that organizations yet to achieve compliance face immediate exposure to fines, penalties, and assessments. Key outstanding requirements include annual scope definition, control of payment page scripts, and documentation of targeted risk analyses, areas where many companies remain unprepared.
Let's Build Trust
Work with us or follow along:
Cycore builds enterprise-grade security, privacy and compliance programs for the modern organization. Partner with us.
Follow us on LinkedIn for security, privacy & compliance updates!
How else can we help? Feedback? Have a question? Reply to this email.
Know someone who would like this email? Forward it to a friend...
Your security & compliance ally,
Cycore Team