PCI DSS v4 is not a revolution. It is an evolution with a few sharp edges that catch small teams off guard.
What changed
The headline change is the customized approach. In v3.2.1, each requirement told you exactly what to implement, and any deviation had to be justified as a compensating control. In v4 the prescriptive "defined approach" is still there, but you may instead argue that your own implementation meets a requirement's stated objective through different means, provided you can demonstrate it: a documented targeted risk analysis for that requirement, a controls matrix, and evidence the assessor can actually test.
For small teams, this sounds like freedom. In practice, it’s more work: you now have to document why your approach is equivalent, not just that you did the thing.
The network segmentation question
Every v4 audit I’ve seen in the last year has focused on network segmentation. The question is not “do you have a firewall?” — the question is “can you demonstrate that cardholder data cannot traverse to systems outside your CDE?”
VPC segmentation with security groups is not enough on its own: security groups describe what should be allowed, not what actually crossed the boundary. You need flow logs that cover every interface in the CDE, alerts on accepted traffic leaving the CDE for anything other than an approved destination, and the ability to produce both, with timestamps, on demand.
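As an added example (not code from the original post), here is the kind of check that turns flow logs into segmentation evidence: it parses AWS VPC Flow Log records in the default version 2 field order and flags every accepted flow that originates inside the CDE and ends outside it at a destination that is not on an explicit egress allow-list. The CDE CIDR, the allow-list entries, and the sample records are all constructed for illustration and are not real addresses or traffic.

```python
"""Flag accepted VPC Flow Log records that leave the CDE for an unapproved
destination. The CDE range, allow-list and sample records below are
constructed assumptions for illustration, not real infrastructure."""
import ipaddress
from dataclasses import dataclass

# Assumed: the CDE occupies this subnet (hypothetical address space).
CDE_CIDRS = [ipaddress.ip_network("10.20.0.0/16")]

# Assumed: the only approved egress paths out of the CDE, e.g. a tokenization
# service and a patch mirror (hypothetical addresses and ports).
ALLOWED_EGRESS = [
    (ipaddress.ip_network("10.30.5.10/32"), 443),
    (ipaddress.ip_network("10.30.9.0/24"), 443),
]

# AWS default VPC Flow Log field order (version 2 records).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dstport: int
    nbytes: int


def parse_record(line):
    """Return the record as a dict, or None for malformed or NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":   # NODATA / SKIPDATA rows carry '-' fields
        return None
    return rec


def in_cde(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CDE_CIDRS)


def egress_allowed(dst, dstport):
    ip = ipaddress.ip_address(dst)
    return any(ip in net and port == dstport for net, port in ALLOWED_EGRESS)


def find_cde_egress_violations(lines):
    """Accepted flows from a CDE address to a non-CDE, non-allow-listed destination."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        src, dst, dstport = rec["srcaddr"], rec["dstaddr"], int(rec["dstport"])
        # Only traffic that starts inside the CDE and ends outside it is a
        # segmentation question; CDE-internal and inbound flows are out of scope here.
        if in_cde(src) and not in_cde(dst) and not egress_allowed(dst, dstport):
            findings.append(Finding(src, dst, dstport, int(rec["bytes"])))
    return findings


# Constructed sample records (not real traffic): an approved HTTPS call, an
# accepted and a rejected PostgreSQL connection to a non-CDE host, an inbound
# reply, and a NODATA row.
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d 10.20.1.15 10.30.5.10 49152 443 6 20 4400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.20.1.15 10.40.7.22 49153 5432 6 12 2300 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.20.1.15 10.40.7.22 49154 5432 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.40.7.22 10.20.1.15 5432 49155 6 8 900 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for f in find_cde_egress_violations(SAMPLE_LOG):
        print(f"CDE egress to unapproved destination: {f.src} -> {f.dst}:{f.dstport} ({f.nbytes} bytes)")
```

Two caveats when you present this as evidence. The check is only as good as the coverage of the flow logs, so the logging configuration itself (every ENI in the CDE, no sampling gaps) is part of the evidence, and VPC Flow Logs do not record some traffic at all, such as queries to the VPC's own DNS resolver or instance metadata requests. And REJECT records are worth alerting on too: a rejected connection attempt from the CDE shows the control working, but a burst of them is a sign something inside the CDE is trying to get out.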