Live Threats
[CVE-2026-1234] Windows CLFS Driver zero-day — active exploitation in the wild, patch immediately
[CVE-2026-0891] Fortinet FortiOS auth bypass — unauthenticated RCE on SSL-VPN appliances
[CVE-2026-2201] Palo Alto PAN-OS command injection — CVSS 9.8, firewall management interfaces exposed
[PATCH] Microsoft April 2026 Patch Tuesday — 147 CVEs addressed, 12 rated Critical
[BREACH] Healthcare provider data breach exposes 2.3M patient records — HIPAA enforcement expected
[CVE-2026-1887] Chrome V8 engine type confusion — remote code execution via malicious web pages
[COMPLIANCE] PCI DSS 4.0.1 deadline approaching — multi-factor authentication now mandatory for all access
[CVE-2026-3310] Cisco IOS XE privilege escalation — network devices running 17.x firmware at risk
[RANSOMWARE] LockBit 4.0 variant targeting SMBs via exposed RDP — San Antonio businesses at elevated risk
[ADVISORY] Adobe Acrobat Reader critical update — PDF-based phishing campaigns exploiting unpatched installs
PCI DSS 4.0.1 — Are You Ready? Key Requirements Now Mandatory
Category: Compliance | Severity: High

April 10, 2026
6 min read
Source: PCI Security Standards Council
Executive Summary

As of March 31, 2025, all PCI DSS 4.0.1 requirements became mandatory. If you process, store, or transmit cardholder data and haven't completed your gap assessment, you're now out of compliance.

What Changed in PCI DSS 4.0.1

PCI DSS 4.0.1 introduced over 60 new or updated requirements compared to PCI DSS 3.2.1. The most significant changes include mandatory multi-factor authentication for all access to the Cardholder Data Environment (CDE), enhanced requirements for phishing-resistant authentication controls, updated penetration testing standards requiring more comprehensive testing, new requirements for web application security including web application firewalls, and enhanced logging and monitoring requirements. All of these requirements became mandatory on March 31, 2025.

Who Is Affected

PCI DSS applies to any organization that processes, stores, or transmits payment card data. This includes retailers, restaurants, healthcare providers, professional services firms, and any other business that accepts credit or debit card payments. It also applies to service providers who process card data on behalf of merchants. If your business accepts card payments — even through a third-party payment processor — you have PCI DSS obligations. The scope of your obligations depends on your transaction volume and how you handle card data.

Common Compliance Gaps We Are Seeing

In our work with San Antonio SMBs, the most common PCI DSS 4.0.1 gaps we are finding include: failure to implement MFA for all CDE access (many businesses still use single-factor authentication for point-of-sale systems and payment portals), outdated network segmentation that does not adequately isolate the CDE from other network segments, insufficient logging and log review processes, and penetration testing that does not meet the updated PCI DSS 4.0.1 requirements. Many businesses also lack a formal vulnerability management program that meets the new requirements.

Next Steps for Compliance

If you have not completed a PCI DSS 4.0.1 gap assessment, start there. Identify all systems that store, process, or transmit cardholder data and map your Cardholder Data Environment. Implement MFA for all CDE access immediately — this is the most commonly cited gap and one of the most important controls. Review your network segmentation to ensure the CDE is properly isolated. Update your penetration testing program to meet the new requirements. Document all of your compliance activities — documentation is a key part of demonstrating compliance during an assessment.

Key Takeaways & Action Items
  • All PCI DSS 4.0.1 requirements are now mandatory — self-assessment or QSA assessment required
  • MFA is now required for all access to the Cardholder Data Environment (CDE)
  • Phishing-resistant authentication controls are now required for all personnel with CDE access
  • Penetration testing requirements have been updated — ensure your testing meets new standards
  • Contact Segler.Net for a PCI DSS gap assessment if you haven't completed one

Need Help With This Threat?

Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.
