Transitioning from PCI DSS v3.2.1 to PCI DSS v4.0

Development, Transition, and Implementation from old to new version

In this story, we will simply look at the development of new standard from PCI DSS v3.2.1 to v4.0. We have also tried to explain what’s required in March 2024 vs March 2025.

Timelines from PCI DSS

PCI Security Standard Council (SSC) has been working on the version 4 for a long time. From the below screenshot you can see the development timelines for request for comments (RFC) at various stages. Once all the materials related to PCI DSS v4.0 is released (standards, templates, training and programs), organization still has 24 months to transition from PCI DSS v3.2.1 to v4.0

PCI DSS v4.0 Development Timelines

From the below screenshot, you can see the transition period of 2 years from March 2022 until March 2024. This provides organizations with enough time to get familiarize with the changes and the old version PCI DSS v3.2.1 retires on March 31st 2024.

PCI DSS v4.0 Transition Timelines

Organizations must work with their QSA to understand their next annual assessment dates (RoC + AoC) and to verify if you can stay on old version v3.2.1 or need to be assessed on new version v4.0.

--

--

Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT
Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Written by Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.

No responses yet