PCI DSS Version 4.0 Implementation Timeline

November 09, 2022

Implementation Timeline

On March 31, 2022, the PCI Security Standards Council (PCI SSC) published version 4.0 of the PCI Data Security Standards (PCI DSS).  This is the first update to the security standards since version 3.2.1 was published in June of 2018.

As with all previous version releases, the PCI SSC set an implementation timeline for when organizations are expected to transition to the new PCI v4.0 standards and when the new requirements are mandatory.

Implementation timeline based on graph from PCIDSS v4.0 At-a-Glance, 2022 PCI Security Standards Council LLC.
 
 

Timeline At-a-glance

Here is a summary of the important implementation timeline dates for PCI v4.0:
  • PCI v4.0 was released on March 31, 2022.
  • Transition period is from March 31, 2022, through March 31, 2024. The transition period is the period where an organization’s Cardholder Data Environment (CDE) can be assessed using PCI DSS v3.2.1 or v4.0.       
  • PCI v3.2.1 retires on March 31, 2024. After this date, v4.0 is mandatory.
  • Future dated new requirements are mandatory after March 31, 2025.
 

Frequently Asked Questions

There are several questions organizations may have when considering the impact of the release of the PCI v4.0 standards:
 

Which PCI version should my organization use?

Organizations are not required to use the PCI v4.0 standard until March 31, 2024.  The PCI v3.2.1 standards will remain active until March 31, 2024.  During this two-year transition period, organizations may follow either the PCI v3.2.1 or the PCI v4.0 standards.

The transition period should allow your organization time to become familiar with the new PCI v4.0 standards, implement changes needed for the updated requirements, and update documentation.

During the transition period, PCI Qualified Security Assessors can perform assessments using either the PCI v3.2.1 or PCI v4.0 standards once they have completed their PCI v4.0 transition training.
 

When does my organization need to start using PCI v4.0?

Organizations are free to start using the PCI v4.0 standards immediately but are not required to follow the new standards until March 31, 2024.  The PCI v3.2.1 standards will be retired on March 31, 2024, and PCI v4.0 will become the only active version of the standard.
 

When do the future dated new requirements in PCI v4.0 become mandatory?

PCI v4.0 includes future dated new requirements and testing procedures.  These future dated new requirements are designated as best practice until March 31, 2025, and organizations don’t have to implement them immediately.  After March 31, 2025, the future dated new requirements are mandatory and must be considered during a PCI DSS assessment.

 

BDO Digital Can Help

As a Qualified Security Assessor Company (QSAC), BDO Digital has experienced QSAs who can assist your organization in understanding and transitioning to the new PCI v4.0 standards.