Preparing for PCI DSS v4.0



We already have clients asking if they will be assessed against the new standard in 2021, and what to expect when the Payment Card Industry Data Security Standard (PCI DSS) v4.0 is released. That’s no surprise, since this is the first major revision to the standard since v3.0 was released in 2013. When proposing the new version of this standard, the PCI Security Standards Council (SSC) established several goals:

  1. Keep the standard current and ensure it meets the needs of the payment industry
  2. Add flexibility to support different approaches to security
  3. Focus on security as a continuous process
  4. Enhance the methods and procedures for validating compliance

Where We Currently Stand

The SSC provided QSA companies with a draft version of the standard during the 2nd half of 2020 with a Request for Comment (RFC) against this version. This RFC phase was closed in the last few weeks with the SSC currently reviewing the feedback received from QSA companies and other stakeholders. The SSC is currently reviewing this feedback and compiling a list of the final actions that will be taken based on this feedback.

We expect to receive the updated version of the standard, incorporating this feedback, within Q1 of 2021. Supporting material and the full version of the standard will then be published as the official version of the standard sometime in Q4 of 2021.

What to Expect Going Forward

Once the v4.0 supporting documents, training, and program updates are released, organizations will have an extended transition period of 18-months to update from PCI DSS v3.2.1 to PCI DSS v4.0. This extended period will allow both the QSA companies and the assessed organizations time to become familiar with the changes in v4.0. This will require an overhaul that includes updating reporting templates and forms, and planning the implementation changes to meet updated requirements.

PCI DSS v4.0 requirements become effective in the first quarter of 2024, under the current timetable.

In addition to an 18-month period when both versions will be be active, organizations will be given additional time to complete their implementations for any new “future-dated” requirements in v4.0. Unfortunately, we won’t know how many new requirements there will be until the standard is finalized next year. However, based on the current draft, future-dated requirements are expected to extend between 2.5 to 3 years after v4.0 is published.


The overall take-aways are that the PCI Council is providing organizations 2.5 years before any of the new requirements will have to be implemented. Based on the current timetable, v4.0 won’t be released until late 2021. With that, organizations concerned that these changes might impact their compliance should consider a PCI DSS v4.0 gap assessment of their current control framework.

For more information on the PCI DSS, see our guide to Getting Started with the PCI DSS.

Written by:


CompliancePoint on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.