Key Takeaways
PCI DSS 4.0 is fully in effect, and most small and mid-market merchants are nowhere near compliant. For MSPs already managing the infrastructure those merchants run on, that's an open door. This guide covers how to scope, price, and deliver a PCI compliance service line — and how to connect it to your broader vCISO practice before someone else does.
Most of your clients who accept card payments are not PCI DSS 4.0 compliant. Many of them don’t know that version 4.0 is now fully in effect, or that several requirements they’ve never had to think about before became mandatory in March 2025. And most of them are relying on you — their MSP — to manage the infrastructure those payment systems run on.
That’s not a liability. That’s a service line.
This guide covers what PCI DSS 4.0 actually requires, which of your clients are in scope, and how to build a managed compliance offering that converts a one-time gap assessment into recurring revenue.
What Changed in PCI DSS 4.0
PCI DSS v4.0 replaced v3.2.1, which was retired on 31 March 2024. Most of the new controls were "future-dated" best practice until 31 March 2025, when they became mandatory, so 2026 is the first full year in which the complete 4.x standard is in force. Note that the Council published v4.0.1 in June 2024 as a limited revision (clarified wording, no requirements added or removed) and retired v4.0 itself at the end of 2024; assessments now run against v4.0.1, and "4.0" in this guide refers to that 4.x standard.
The headline changes matter for MSPs:
MFA is now mandatory for all access into the CDE, not just administrative or remote access. Requirement 8.4.2 extends MFA to every user accessing the cardholder data environment, and 8.5.1 sets rules for the MFA system itself: it must not be susceptible to replay attacks, must not be bypassable (except for documented, management-approved exceptions for a limited period), must use at least two different factor types, and must not grant access until all factors succeed. The standard does not mandate phishing-resistant MFA or name banned methods, so SMS one-time passwords and authenticator apps are not prohibited outright; but phishing-resistant methods such as FIDO2 passkeys or hardware tokens satisfy 8.5.1 without argument and are the sensible default for CDE access. If you manage a client's identity provider, VPN or jump hosts, review every path into in-scope systems and confirm MFA covers all of them, not only the administrators.
Targeted risk analysis replaces some fixed frequencies. Previous versions said "periodically" in a number of places and left the interval to the organisation. Version 4.0 (requirement 12.3.1) requires a documented targeted risk analysis for each of those requirements, stating why the chosen frequency is appropriate and reviewed at least every 12 months. Examples include how often to evaluate systems considered not at risk from malware, how to prioritise scan findings ranked below high or critical, how often to review logs from systems outside the critical set, and how often to inspect POS devices for tampering. The hard deadlines did not move: quarterly vulnerability scans, critical and high-severity patches within one month, and daily review of logs for CDE and critical systems are still fixed. This sounds like flexibility; it's actually additional documentation work. MSPs who handle that documentation as part of a managed service create real value.
Authenticated vulnerability scanning is now required for internal scans. Unauthenticated scans see only what is exposed on the network and miss much of what lives on the host: unpatched local software, weak configuration, missing hardening. Requirement 11.3.1.2 requires internal scans to run with credentials and sufficient privileges, with any system that cannot accept credentials documented as such, and accounts used for scanning managed under Requirement 8 if they can also be used for interactive login. Treat scanning credentials as the privileged accounts they are (vaulted, rotated, scoped), and make sure scan reports reflect what credentialed access actually found. Quarterly external scans are unchanged: unauthenticated, performed by an Approved Scanning Vendor (ASV).
E-commerce payment page script integrity. If any of your clients serve their own checkout page, or a page that embeds a payment provider's iframe, two requirements now apply. Requirement 6.4.3 requires that every script loaded and executed in the customer's browser on a payment page is confirmed as authorised, has its integrity assured (for example with Subresource Integrity and a Content Security Policy), and appears in an inventory with a written justification for why it is needed. Requirement 11.6.1 requires a change- and tamper-detection mechanism that alerts on unauthorised modification of the HTTP headers and content of payment pages as received by the browser, evaluated at least weekly or at a frequency set by targeted risk analysis. Both are aimed squarely at Magecart-style skimming, where an attacker adds or alters a script to harvest card data as it is typed. If you manage web hosting for e-commerce clients, this is in your scope.
These aren’t abstract regulatory changes. They map directly to work you should already be doing — or work you can start charging for.
Which of Your Clients Are in Scope
Any business that stores, processes, or transmits payment cardholder data is subject to PCI DSS. For a typical MSP client base, that includes:
- Retail clients with point-of-sale terminals or integrated POS systems
- Restaurants, hospitality businesses, hotels
- E-commerce operators with any payment processing beyond fully hosted checkout (even Stripe or Square clients may have residual scope)
- Professional services firms with card-on-file billing
- Any client using a virtual terminal to manually key in card payments
The key nuance: outsourcing to a payment processor reduces PCI scope but does not eliminate it. A retailer taking payments on Square on an iPad is near the simple end, but which SAQ applies (often B-IP for standalone IP-connected terminals, or P2PE if the solution is on the Council's P2PE list) depends on how the terminal is listed and what the processor states it covers. An e-commerce business whose payment page is delivered entirely by a PCI-compliant third party, by redirect or iframe, is likely an SAQ A merchant with a short self-assessment. Understanding these distinctions lets you right-size your service offer.
Start by auditing your RMM. Look for POS software, payment terminals under management, e-commerce hosting clients, and any workstations that run accounting or invoicing software with card-on-file features. You’ll likely find that 15–30% of your client base has some PCI exposure.
The Service Structure
PCI compliance for Level 3/4 merchants — which is almost everyone in an MSP client base — breaks cleanly into two phases.
Phase 1: Scoping and Gap Assessment
This is a fixed-fee engagement. You map the cardholder data environment, determine the correct SAQ type, document current controls, and produce a gap report with a remediation roadmap.
This isn’t a generic “here’s what PCI requires” document. It’s specific: here are the exact systems in scope, here are the controls you have today, here are the gaps against version 4.0, here is what needs to change and in what order. MSPs have a significant advantage here because you already know the network. You have the topology diagrams, the firewall configs, the endpoint inventory. The gap assessment mostly involves applying a compliance lens to information you already hold.
Typical scope for a Level 4 merchant: 3–5 days of work. Appropriate fee: $2,500–$6,000 depending on complexity.
Phase 2: Managed Compliance
This is the recurring revenue piece. After the gap assessment, the client has a remediation roadmap. Delivering against that roadmap — and maintaining compliance on an ongoing basis — is where managed services fit naturally.
What you’re delivering month-to-month:
- Quarterly internal vulnerability scanning (authenticated, per 11.3.1.2) and quarterly external scanning by an ASV, plus rescans after significant changes
- Patch management specifically tracked against CDE systems
- Policy and procedure documentation maintained and version-controlled
- Evidence collection for the annual SAQ — scan reports, patch records, access review logs, security awareness training completion records
- Annual SAQ completion support
- MFA management for all access into the CDE, with phishing-resistant methods (passkeys, hardware tokens) as the default
- For e-commerce clients: payment page script inventory with justifications (6.4.3) and change/tamper detection on the page as delivered (11.6.1)
Pricing this depends on the size of the CDE. For a simple SAQ B or SAQ A environment — a retailer with a couple of terminals or an e-commerce store with fully hosted checkout — $800–$1,200/month is reasonable. For SAQ C or SAQ D environments with more complex in-scope systems, $1,500–$2,500/month is typical. QSA-assisted engagements for Level 2 merchants sit above this.
If you’re already running managed security services for the client — EDR, patching, backup, monitoring — the incremental cost of wrapping PCI compliance around that is lower than it looks. You’re adding documentation and evidence management to work you’re already doing.
Connecting PCI to Your vCISO Practice
PCI compliance in isolation is a compliance project. PCI compliance as part of a vCISO engagement is security governance — and that’s a meaningfully different conversation.
When your vCISO retainer wraps PCI alongside broader risk management, you’re not just helping the client pass an audit. You’re connecting their payment security to their wider risk register, their business continuity planning, their cyber insurance requirements, and any other frameworks they’re subject to. HIPAA if they’re in healthcare. NIS2 if they are an essential or important entity in one of its sectors with EU operations. SOC 2 if they’re SaaS-adjacent.
The crossover is real and significant. PCI DSS 4.0 has substantial overlap with ISO 27001, NIST CSF, and CIS Controls. If you’re tracking controls in a GRC platform that maps requirements across frameworks, a client who’s working toward PCI compliance is already building the foundation for other frameworks. That’s a natural expansion path.
The vCISO angle also changes the renewal conversation. A standalone PCI compliance service can feel transactional — the client completes their SAQ, gets their Attestation of Compliance, and moves on. A vCISO retainer that happens to include PCI compliance is an ongoing security partnership. The retention dynamics are very different.
See vCISO Services and Compliance Frameworks for how GetCybr structures this.
Selling PCI Compliance Services
Most Level 4 merchants don’t think about PCI compliance until something breaks: an acquirer demanding evidence of compliance, a breach that triggers a PCI Forensic Investigator (PFI) engagement, or a processor threatening non-compliance fees or termination of the merchant account.
That’s not the conversation you want to be having. The better conversation happens proactively: “You accept card payments. You have a PCI obligation. Here’s where you currently stand, and here’s what we’d recommend.”
If you already have the managed services relationship, this is a warm conversation. You’re not cold-calling a compliance stranger — you’re telling an existing client something they need to know, and offering to handle it. Most clients will say yes.
The objection you’ll encounter: “We use Stripe/Square/PayPal, so we don’t have to worry about PCI.” This is partially true for the simplest integrations and false for anything more complex. Be ready to explain that outsourcing payment processing reduces scope but doesn’t eliminate it, and that their responsibility depends on exactly how they’ve integrated the provider: a redirect or provider-hosted iframe keeps them close to SAQ A, while a checkout form that sends card data through their own server before it reaches the provider puts that server, and the merchant, squarely in SAQ D territory.
What GetCybr Does Here
Running PCI compliance across multiple clients in spreadsheets doesn’t scale. Evidence collection becomes a quarterly scramble, documentation drifts, and your team spends hours chasing down scan reports and access review logs that should have been filed continuously.
GetCybr gives MSPs a GRC platform with PCI DSS 4.0 mapped into the control library, automated evidence collection from your existing tools, and client-facing reporting that makes the annual SAQ a structured process rather than a fire drill. You can run multiple PCI-scoped engagements from a single dashboard, with alerts when controls drift — catching problems in March rather than in December when the client’s annual assessment is due.
The goal is to make compliance a byproduct of your managed security operations, not a separate workstream that pulls your team away from everything else.
The Window Is Now
PCI DSS 4.0 is fully in effect. The organisations that were going to upgrade their controls ahead of the March 2025 deadline mostly have. Everyone else is now out of compliance with the standard that replaced the one they were supposed to be complying with before.
That’s a large addressable market sitting in your existing client base. And the work involved — scoping, gap assessment, ongoing evidence management, annual SAQ support — maps directly onto what managed service providers do every day.
The MSPs who build this service line now will have it embedded before the next round of assessor scrutiny hits their clients. The ones who wait will be playing catch-up when a client calls with a compliance problem that should have been caught six months earlier.
Talk to GetCybr about building your PCI compliance practice.