Prepping Your Organization for PCI DSS v4.0

The Payment Card Industry Security Standards Council (PCI SSC) has published version 4.0 of the PCI Data Security Standard (PCI DSS). With this new version now released, we want to provide a few data points to help you plan its implementation. Based on dates provided by the PCI SSC, the release and transition schedule for v4.0 is:

  • March 2022 – Public release of PCI DSS v4.0
  • March 2024 – Targeted date to retire PCI DSS v3.2.1; from that point v4.0 is the only active version of the standard
  • March 2025 – Targeted date by which the future-dated v4.0 requirements (treated as best practices until then) must be in place

Sikich plans to hold several training sessions to walk through the differences between versions 3.2.1 and 4.0. Where necessary, we will also hold sessions with your team to discuss the impact these changes may have on your environment and compliance program.

PCI DSS v4.0 Transition Plan

As part of the migration to version 4.0, your organization will have a transition period in which to implement the changed requirements, and the net new (future-dated) requirements are given additional time beyond that before they become mandatory.

In the coming weeks, we will take the opportunity to discuss the changes to the PCI DSS with you and help you understand how they will impact your organization. To aid in the transition from PCI DSS v3.2.1 to v4.0, Sikich plans to propose the following audit schedule for all of its clients:

  • For the next assessment cycle completed after March 2022:
    • We will assess the organization against v3.2.1, but will begin tracking gaps against v4.0 and providing guidance on meeting any new requirements.
    • At the end of the assessment, we will provide a delta of the new requirements that must be met in order to comply with v4.0.
  • For organizations with an additional assessment cycle completed before March 2024:
    • We will work with the organization to determine whether to continue assessing against v3.2.1 or switch to v4.0.
    • If we continue to assess against v3.2.1, we will still track adherence to the v4.0 requirements and provide guidance on how to address any gaps.
  • For assessment cycles completed after March 2024:
    • We will assess against v4.0.
    • We will continue to assist organizations in working toward compliance with the future-dated requirements, which are considered best practices until March 2025.

Transition Support

To support you in this transition, Sikich plans to:

  1. Provide webinars for the Sikich community that discuss each new or altered requirement, with guidance on its interpretation.
  2. Provide a listing of the gaps identified against v4.0 during your remaining v3.2.1 assessments.
  3. Work with you and your team to address your specific compliance needs, where necessary or requested.

We will continue to work with the PCI SSC to understand any changes that affect you and will communicate this information as soon as we become aware of it. Should you or your team have any immediate questions, please do not hesitate to reach out to your Qualified Security Assessor (QSA) or me.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author