Are We There Yet?

By Sherri Collis on January 31, 2022 (Last Updated on April 13, 2022 )

Get latest articles directly in your inbox, stay up to date

Back to main Blog
Sherri Collis

Sherri Collis, our Director of PCI Services, is an over twenty year PCI veteran, where she began her PCI career obtaining PCI compliance for a data center hosting / managed services company to the Visa CISP in 2002/2003. She has spent over fifteen years performing global consulting. Sherri has written and presented on a variety of topics including PCI compliance (versions 1.1, 2.0, 3.0, and 4.0), ITIL, IT governance, and Sarbanes-Oxley security and compliance. Due to her passion for bringing females into the cybersecurity field, she jointly presents “You Can Get There from Here,” a presentation discussing steppingstones for transitioning skills into the cyberworld. In 2021, Sherri was nominated by her peers and selected/recognized by the PCI Council in their “Paving the Way: Inspiring Women in Payments” series.

How often have you heard the question, “Are we there yet?” while on a road trip with your families? Well, we aren’t there yet, but we are so much closer! The official launch of PCI DSS v4.0 is planned for March 2022. Because it’s getting so close, we want to share an update on what has been happening, what we know, and share some insights into what we are doing to get ready.

Are We There Yet

Release of PCI DSS v4.0


On January 20, 2022, the
PCI Security Standards Council released the stakeholder draft of the PCI v4.0 Standard and a Summary of Changes to Qualified Security Assessor Companies (QSACs), Approved Scanning Vendors (ASVs), and Participating Organizations (POs) for a sneak peek. Per the Development Timeline shown in Figure 1 below, we are on track and are still expecting the official release of the PCI DSS v4.0 in March 2022.

Figure 1. PCI DSS v4.0 Development Timeline



An update on what we know so far…

On January 26, 2021, Online published a blog titled “What is Happening With the new PCI 4.0 Standard?” Based on our review at that time, we stated that we expected some significant changes to be introduced with the 4.0 Standard, along with some iterative improvements. We stand by these earlier statements. The changes do range from minor tweaks (think oil changes) to significant overhauls (think water pump, timing belt, engine block).

There will be some future-dated requirements for some of the changes based on the timeline the council has publicly released, shown in Figure 2 below.

Figure 2. https://blog.pcisecuritystandards.org/updated-pci-dss-v4.0-timeline



What has been happening at Online

Team Online’s QSAs have been pouring over the PCI 4.0 Standard in excruciating detail and providing feedback to the PCI SSC since September 2020. We have discussed the changes internally, and we have developed a roadmap with some side road trips for our clients in some of the areas where we believe there will be a rockier, more winding path. Online is updating our toolbox and methodologies so that we are prepared when the Council officially releases v4.0. At the official launch, Online will have a resource center available to you containing webinars, blogs, OnlineTV episodes, and more. To stay in touch with what is happening, you can subscribe to our Risk, Security and Privacy blogs here where we will be publishing our updates.



Next pit stop?

There are several things you can do while you are waiting for March to get here. A great place to start includes:

  • Download our PCI 4.0 Road Trip Infographic that maps out the timeline and provides some guidance on how you can start to get ready too!


  • Register for an upcoming event that Online is hosting for our clients within 1 week of the Council publishing the Standard in March 2022. In this session, you can expect the following:

  • The session will begin with several of our senior Online team members who have been pouring over the v4.0 Standard and providing feedback to the PCI Council since September 2020 walking through some of the more major changes in the Standard.

  • After the major changes are discussed, there will be a one-hour period reserved for our guests to ask our panel of experts questions about the changes.


In the meantime, if you have any questions don't hesitate to reach out; we'd love to hear from you. 

Submit a Comment

Get latest articles directly in your inbox, stay up to date