The PCI Council published a blog on May 29th that provided an update on the progress of PCI DSS v4.0. We had originally expected this version to be released later this year, but understandably there have been some delays.

The current timeline is shown below:


As you may know, the initial PCI DSS v4.0 draft was provided to QSAs and Participating Organizations for the first RFC (request for comments) in Q4 of 2019. QSAs are clearly passionate about what we do because the Council received more than 3,000 RFC feedback items for the PCI DSS v4.0 draft!  After reviewing and incorporating  feedback, the Council scheduled a second RFC for the end of Q3 – Q4 2020 (instead of releasing the 4.0 standard at that time). Unless there is a change, PCI DSS v4.0 will then be finalized and released to the public in Q2 2021.

This leads us to two of the most-asked questions by
our clients:

1. When will v4.0 come out? 

2. When do we have to be compliant with PCI DSS v4.0?

The Council stated as follows:

“The PCI DSS v4.0 standard is scheduled for completion six months prior to the release of the supporting documentation, training, and program updates that are required to support the use of PCI DSS v4.0. The PCI DSS v4.0 standard will therefore be available for 2 years prior to the retirement of PCI DSS v3.2.1.”


The current transition timeline is shown below:



Assuming that v4.0 is released in Q2 2021, the current version v3.2.1 will be retired by Q2 2023. We expect that there will be new requirements associated with 4.0,  and anticipate that some of new requirements will be significant. 

As the standard is released to the public, we will share details with our clients, partners, and colleagues. The sooner we understand this version of the standard, the longer runway we will have to  address the updated requirements and meet the effective date of Q1 2024.

Keep in mind that while organizations can start being assessed against v4.0 of the standard by the end of Q4 2021, they will have the option to be assessed under PCI DSS v3.2.1 until Q2 2023.

Thus far, the PCI DSS has evolved in a manner that resonates with the times, taking cybersecurity to the next level, and we expect that version 4.0 will bring some welcome, albeit challenging changes. We will continue to share as much info as we can as it becomes available.

To be sure you don’t miss any future update on PCI 4.0, or other related security topics, subscribe to our Risk, Security and Privacy content!