PCI DSS Version 4.0 – Updated Release Schedule

The Payment Card Industry Security Standards Council (PCI SSC) recently announced an updated release schedule for version 4.0 for the PCI Data Security Standard (PCI DSS):

  • Second quarter of 2021 – Participating Organizations, Qualified Security Assessors (QSAs), and Approved Scanning Vendors (ASVs) will have an opportunity to review and provide feedback on the draft validation documents, including the Report on Compliance (ROC) and Attestation of Compliance (AOC).
  • First quarter of 2022 – Participating Organizations, QSAs, and ASVs will be provided with an advance preview of PCI DSS v.4.0.
  • March 2022 – PCI DSS v.4.0 will be publicly released.

History suggests that, after the public release of PCI DSS v.4.0, there will be a transition period of approximately 18 months. During this period, organizations will have the option of being assessed against either PCI DSS v.3.2.1 or v.4.0. This would make PCI DSS v.4.0 required for all relevant organizations at some point early in the third quarter of 2023.

In addition to the transition period, it seems likely that new requirements will have deferred implementation dates, as such an approach has been common across all major updates to the PCI DSS over the years. If this turns out to be the case, organizations can likely expect that any future-dated requirements will not need to be fully implemented until sometime between September 2024 and March 2025. Until then, those requirements will be considered best practices. Of course, these estimates are only based on past experiences and may change as more information is released by the PCI SSC.

One last timing note is that QSAs and Internal Security Assessors (ISAs) will be required to take additional training before being able to assess organizations against PCI DSS v.4.0. The first planned training is set for June 2022.

As we continue to learn more about the next release of the PCI DSS, we will do our best to share what we are able to, so check back often. If you have any questions about the PCI DSS transition process, please reach out to our team.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
