PCI DSS 4.0, the most significant update to the Payment Card Industry Data Security Standard in over a decade, is now fully in effect. The March 2025 deadline for the final phase of requirements has passed, and organizations that have not completed their transition from version 3.2.1 are officially non-compliant. For sports betting payment processors, the changes are particularly impactful, affecting everything from how authentication is handled to how payment page scripts are managed. This article provides a comprehensive overview of what has changed, what it means for our industry, and how BetFlow has adapted.
Overview of PCI DSS 4.0
PCI DSS 4.0 was released in March 2022, replacing version 3.2.1 which had been the standard since 2018. The update reflects the PCI Security Standards Council's recognition that the threat landscape has evolved significantly, and that security standards need to be more flexible and outcome-focused rather than prescriptive. The new version introduces 64 new requirements, of which 51 were designated as “future-dated” at initial release, meaning they became mandatory on March 31, 2025.
The philosophical shift in 4.0 is as important as the specific technical changes. Previous versions prescribed specific security controls (for example, requiring passwords of at least 7 characters). Version 4.0 instead defines security objectives and allows organizations to meet them through either the “Defined Approach” (following specific prescribed controls, similar to previous versions) or the “Customized Approach” (implementing alternative controls that achieve the same security objective). This flexibility is particularly valuable for sports betting processors, whose transaction patterns and risk profiles differ significantly from traditional retail payment processing.
For the sports betting industry specifically, the updates that matter most fall into four categories: enhanced authentication requirements, payment page script management, targeted risk analysis, and expanded scope of monitoring and logging. Each of these areas has direct implications for how betting operators and their payment processors handle sensitive cardholder data.
Key Changes from PCI DSS 3.2.1
The most operationally significant change for payment processors is Requirement 6.4.3, which mandates that all scripts loaded on payment pages must be managed through a formal authorization and integrity-verification process. For sports betting operators, who typically embed payment forms within their betting applications, this means every third-party script running on a page that collects or processes card data must be inventoried, authorized, and monitored for changes. This includes analytics scripts, chat widgets, advertising trackers, and any other JavaScript that loads alongside the payment form.
In practice, this requirement has forced many operators to completely redesign their deposit flows. The most common approach is to isolate the payment form in an iframe served from the payment processor's domain, ensuring that operator-side scripts cannot access the payment page's DOM. BetFlow has offered iframe-based payment forms since 2024, and we saw adoption jump from 34% to 91% of our operators in the months leading up to the March 2025 deadline, specifically driven by this PCI DSS 4.0 requirement.
Requirement 8.3.6 introduces significantly strengthened authentication controls. Passwords must now be at least 12 characters (up from 7 in version 3.2.1), and multi-factor authentication (MFA) is required for all access to the cardholder data environment, not just remote access. For payment processors, this means that every developer, operations engineer, and support agent who can access systems that store, process, or transmit cardholder data must use MFA for every login, including from within the corporate network.
Critical Requirement: Requirement 6.4.3 (payment page script management) has been the single most challenging update for sports betting operators. The typical betting platform loads 15-25 third-party scripts on deposit pages, from analytics to responsible gambling tools. Each one must now be explicitly authorized and monitored. Our recommendation: use an isolated iframe for payment collection to dramatically simplify compliance.
Customized Approach vs. Defined Approach
One of the most significant additions in PCI DSS 4.0 is the Customized Approach, which allows organizations to implement security controls that differ from the prescribed requirements as long as they demonstrably achieve the same security objective. This is a major departure from the rigid compliance frameworks of previous versions, and it offers real advantages for sports betting payment processors whose security environments may not fit neatly into the standard's prescribed controls.
For example, under the Defined Approach, Requirement 8.3.6 mandates specific password complexity rules. Under the Customized Approach, an organization could instead implement a passwordless authentication system using hardware security keys and biometrics, which arguably provides stronger security than passwords of any length. The organization must document how its implementation meets the security objective (“authenticate users with strong credentials”), perform a targeted risk analysis, and have its approach validated by a Qualified Security Assessor (QSA).
At BetFlow, we use the Customized Approach for several requirements where our cloud-native architecture provides security controls that do not map cleanly to the Defined Approach's on-premises assumptions. For instance, our container-based infrastructure does not have “servers” in the traditional sense, and our network segmentation is achieved through Kubernetes network policies rather than physical or virtual firewalls. The Customized Approach allows us to document how these modern controls achieve the same or better security outcomes.
However, the Customized Approach comes with additional documentation and assessment burden. Each customized control requires a formal targeted risk analysis (TRA), and assessors spend significantly more time evaluating customized controls than prescribed ones. For most betting operators, we recommend using the Defined Approach wherever possible and reserving the Customized Approach for areas where the prescribed controls are genuinely impractical or where an alternative approach provides clearly superior security.
Timeline for Compliance
The PCI DSS 4.0 transition timeline has been a source of confusion for many in the industry, so it is worth clarifying the key dates. PCI DSS 3.2.1 was officially retired on March 31, 2024. From that date forward, all assessments must be conducted against version 4.0. However, the 51 future-dated requirements did not become mandatory until March 31, 2025, giving organizations an additional year to implement the most significant changes.
As of the publication of this article (December 2025), all PCI DSS 4.0 requirements are fully mandatory. Organizations undergoing their annual assessment are being evaluated against the complete 4.0 standard, including all previously future-dated requirements. There is no further grace period. Any organization that has not completed its transition is non-compliant and faces potential consequences including fines from card brands, increased transaction fees, and in extreme cases, loss of the ability to process card payments.
For sports betting operators who rely on a PCI-compliant payment processor like BetFlow, the good news is that many of the most complex requirements fall on the processor rather than the operator. However, operators still bear responsibility for requirements related to their own environment, including Requirement 6.4.3 (payment page script management), Requirement 12.3.1 (targeted risk analysis for PCI DSS scope), and any requirements related to systems that store, process, or transmit cardholder data outside the processor's domain.
Impact on Betting Operators
For betting operators, the most immediate impact of PCI DSS 4.0 is on how they integrate payment forms into their platforms. The combination of Requirement 6.4.3 (script management) and Requirement 11.6.1 (change and tamper detection for payment pages) effectively mandates that operators either use an isolated iframe-based payment form or invest heavily in script management infrastructure. The iframe approach is simpler, cheaper, and lower risk, which is why it has become the industry standard.
The expanded logging and monitoring requirements (Requirements 10.4.1.1 and 10.4.2.1) require automated mechanisms to detect and alert on security events. For operators, this means that any system in their environment that is in scope for PCI DSS must be covered by a security information and event management (SIEM) solution or equivalent monitoring tool. Given that many betting operators already operate sophisticated monitoring for operational purposes, extending this to cover PCI DSS requirements is typically an incremental rather than transformational effort.
Perhaps the most underappreciated impact is the new requirement for targeted risk analysis (Requirement 12.3.1). Organizations must perform a formal risk analysis for any requirement where they have flexibility in how it is implemented, including determining the frequency of log reviews, the scope of vulnerability scans, and the retention period for audit logs. These risk analyses must be documented, reviewed annually, and made available to assessors. For operators who previously relied on informal or ad-hoc risk assessment processes, formalizing this can be a significant undertaking.
BetFlow's Compliance Roadmap
BetFlow achieved full PCI DSS 4.0 compliance in January 2025, two months ahead of the final deadline. Our preparation began in Q2 2023, when we conducted a comprehensive gap analysis against the full 4.0 standard and identified 23 areas requiring changes to our infrastructure, processes, or documentation.
The largest engineering effort was implementing the payment page script management and integrity verification system required by 6.4.3 and 11.6.1. We built a Content Security Policy (CSP) framework that operators can configure through our dashboard, along with a real-time integrity monitoring system that alerts on any unauthorized script changes on payment pages. We also deployed Subresource Integrity (SRI) hashing for all scripts we serve, ensuring that any tampering with our JavaScript is detected and blocked at the browser level.
For authentication, we moved our entire cardholder data environment to passwordless authentication using FIDO2 hardware security keys, validated through the Customized Approach. We upgraded our logging infrastructure to capture the expanded set of events required by 4.0, including all changes to system configurations, all access to cryptographic key management systems, and all modifications to authentication mechanisms. Our SIEM now processes over 2 million security-relevant events per day with automated alerting on anomalous patterns.
For our operators, we have published a detailed integration guide that walks through the PCI DSS 4.0 requirements relevant to their environments and explains how BetFlow's platform helps them achieve compliance. Our solutions engineering team is available to conduct joint assessments with operators and their QSAs to ensure the responsibility matrix is clear and all shared requirements are properly addressed. PCI compliance is a shared responsibility, and we are committed to making our operators' side of that equation as straightforward as possible.