Transitioning from PCI DSS v3.2.1 to PCI DSS v4.0

Development, Transition, and Implementation from old to new version

In this story, we will simply look at the development of new standard from PCI DSS v3.2.1 to v4.0. We have also tried to explain what’s required in March 2024 vs March 2025.

Timelines from PCI DSS

PCI Security Standard Council (SSC) has been working on the version 4 for a long time. From the below screenshot you can see the development timelines for request for comments (RFC) at various stages. Once all the materials related to PCI DSS v4.0 is released (standards, templates, training and programs), organization still has 24 months to transition from PCI DSS v3.2.1 to v4.0

PCI DSS v4.0 Development Timelines

From the below screenshot, you can see the transition period of 2 years from March 2022 until March 2024. This provides organizations with enough time to get familiarize with the changes and the old version PCI DSS v3.2.1 retires on March 31st 2024.

PCI DSS v4.0 Transition Timelines

Organizations must work with their QSA to understand their next annual assessment dates (RoC + AoC) and to verify if you can stay on old version v3.2.1 or need to be assessed on new version v4.0.

PCI DSS v4.0 Implementation Timelines

What required by March 2024

There are about 13 items that are required to be in place by 31st March 2024 as shown below in the screenshot.

Other Stories

Information Security Program Metrics

Key diagram types used in Information Security

Understanding SOC2 reporting structure

Cryptographic hashing in simple words

--

--

Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.