The Request for Comments on the PCI DSS v4.0.02 was completed November 13, and we wanted to give you an update on the status of PCI DSS v4.0 as the Payment Card Industry has been anxiously awaiting this next evolution of the standard.



The graph above illustrates the timeline for the v4.0 transition. Here are the highlights:

  • It is projected that the new standard will be published Q2 2021 (April)
  • The current version PCI DSS v3.2.1 will be retired Q2 2023
  • There will be some future-dated requirements for the more significant changes and these won’t become requirements until Q1 2024 (2.5 – 3 years after release of the standard)

According to the PCI Council’s Lauren Holloway, there will be numerous future-dated requirements, although that number is not set in stone at this time.

We are still unable to discuss the changes associated with the 4.0 version of the standard, as it is still a work in progress and all QSA Companies are therefore forbidden to share details at this time.

Is it indicative of the complexity of the new requirements that organizations will have 2.5 – 3 years after the initial release of the standard to become compliant? As soon as the 4.0 version of the PCI standard is released to the public, we will provide details on what the changes mean and how best to strategize to address them.

Stay tuned!


For any information on PCI for your organization, contact our RSP Team today.