PCI DSS Version 4.0 Implementation Timeline
PCI DSS Version 4.0 Implementation Timeline
Implementation Timeline
On March 31, 2022, the PCI Security Standards Council (PCI SSC) published version 4.0 of the PCI Data Security Standards (PCI DSS). This is the first update to the security standards since version 3.2.1 was published in June of 2018.As with all previous version releases, the PCI SSC set an implementation timeline for when organizations are expected to transition to the new PCI v4.0 standards and when the new requirements are mandatory.
Implementation timeline based on graph from PCIDSS v4.0 At-a-Glance, 2022 PCI Security Standards Council LLC.Timeline At-a-glance
Here is a summary of the important implementation timeline dates for PCI v4.0:- PCI v4.0 was released on March 31, 2022.
- Transition period is from March 31, 2022, through March 31, 2024. The transition period is the period where an organization’s Cardholder Data Environment (CDE) can be assessed using PCI DSS v3.2.1 or v4.0.
- PCI v3.2.1 retires on March 31, 2024. After this date, v4.0 is mandatory.
- Future dated new requirements are mandatory after March 31, 2025.
Frequently Asked Questions
There are several questions organizations may have when considering the impact of the release of the PCI v4.0 standards:Which PCI version should my organization use?
Organizations are not required to use the PCI v4.0 standard until March 31, 2024. The PCI v3.2.1 standards will remain active until March 31, 2024. During this two-year transition period, organizations may follow either the PCI v3.2.1 or the PCI v4.0 standards.The transition period should allow your organization time to become familiar with the new PCI v4.0 standards, implement changes needed for the updated requirements, and update documentation.
During the transition period, PCI Qualified Security Assessors can perform assessments using either the PCI v3.2.1 or PCI v4.0 standards once they have completed their PCI v4.0 transition training.
SHARE