PCI Data Security Standard (PCI DSS) released PCI DSS v4.0 on 31 March 2022 as a major release. The current PCI DSS v3.2.1 is due to retire in March 2024, so until then both versions remain active. This transition period gives organisations time to become familiar with the changes in v4.0; during it, some organisations may continue with v3.2.1, whereas others may move to v4.0.
PCI DSS v4.0 can only be certified by a Qualified Security Assessor (QSA) trained on v4.0. Whether a QSA is certified for v4.0 can be checked via the PCI website.
Most of the new v4.0 requirements will initially be considered best practices, and there will be a further period after the retirement of v3.2.1 before those best practices become requirements. The effective date for those best practices to become requirements is March 2025.
The updated version of PCI DSS provides flexibility in how an organisation can comply with the standard. It focuses on outcomes and intent rather than on prescriptive ways of meeting each requirement.
Implementing changes to meet v4.0 requirements will take time. Although there is sufficient time to prepare, organisations should ideally start preparing now for a smooth transition to PCI DSS v4.0.