Understanding the full scope of when PCI 4.0 is required means comprehending:
- When the PCI DSS 4.0 release date was and how the transition to 4.0 started
- When PCI DSS 3.2.1 will be fully retired and replaced by PCI DSS v4.0
- When PCI DSS 4.0’s future-dated requirements come into effect
- When and how you should start preparing for PCI compliance
March 31, 2022: When The PCI 4.0 Transition Period Began
The Payment Card Industry (PCI) Security Standards Council (SSC) published 4.0 of the Data Security Standard (DSS) on March 31, 2022. As of that date, it became active alongside its predecessor, version 3.2.1. The official publication happened after an extensive period of review, during which PCI stakeholders’ input was taken into consideration to balance the PCI DSS Requirements’ rigidity with accessibility features like the new customized approach.
Alongside the publication of PCI DSS 4.0, the SSC also published supplementary materials like training and supporting documents, along with an official guide to the changes between 3.2.1 and 4.0. These materials are available for free download at the SSC document library.
The publication of all these new materials is framed as a transitional period into a new era of PCI compliance, during which PCI DSS v3.2.1 will remain active until it is officially retired.
March 31, 2024: When PCI DSS v3.2.1 Will Be Officially Retired
The first future date to keep in mind is March 31, 2024. That is when the previous DSS will be retired officially and thus no longer active for assessment purposes. Before then, organizations may become certified using a combination of specifications in v3.2.1 and 4.0. After that data, assessments will leverage the new framework exclusively. However, this does not necessarily mean that organizations need to have all PCI DSS v4.0 requirements in place at that time.
According to the Summary of Changes document, there are a total of 13 Requirements that are effective immediately in all v4.0 assessments. That means, irrespective of v3.2.1’s retirement status, organizations seeking certification right now need to have these v4.0 controls in place. However, these requirements are identical or exceedingly similar to their counterparts in v3.2.1.
And, sooner rather than later, all of the new v4.0 requirements will be active.
March 31, 2025: When Future Dated Requirements Come into Effect
The final piece of the puzzle is when the future-dated new requirements of PCI DSS 4.0 come into effect. These include controls that are completely new to v4.0, with little or no precedent in earlier versions of the DSS. Per the Summary of Changes document, there are a total of 51 Requirement specifications that come into effect on March 31, 2025. That means that the majority of PCI DSS v4.0 controls (64 in total) are not effective until that date.
In other words, the ultimate answer to when is PCI 4.0 required is: March 31, 2025.
However, organizations that wait too long to get controls installed, or lock down an assessment partner, may struggle to achieve compliance by that date. Getting started much earlier by conducting a gap assessment as soon as possible is advisable for most organizations.
Today: When to Start Preparing for PCI DSS 4.0 Compliance
Organizations should start preparing for PCI 4.0 compliance, including future-dated controls, as soon as possible. Achieving and maintaining compliance is an arduous task, whether it’s your first time being audited or your 15th. That difficulty begins with the controls you need to implement, including 12 Requirements and over 60 sub-requirements and specifications.
Then, you’ll need to ensure those implemented controls’ efficacy with a formal assessment. If you process a low volume of transactions, you may qualify for a Self Assessment Questionnaire (SAQ). But if you process many transactions—a lot of CHD—you will likely need to fill out an Attestation of Compliance (AOC) or Report on Compliance (ROC). Both often necessitate working with a third-party assessor to verify your findings, and the ROC always does.
Implementations and assessments can both be long, complicated processes. If any gaps become apparent, you’ll need to pause and re-assess before your compliance is validated.
In short, the best time to start preparing for PCI 4.0 compliance (if you haven’t already) is now.
Streamline Your PCI DSS 4.0 Compliance Today
So, when does PCI 4.0 go into effect? In a practical sense, March 31, 2024 and March 31, 2025 are the two dates most organizations need to worry about. A portion of the requirements will be mandatory by the former, and all will need to be in place by the latter. But in a way, v4.0 went into effect as soon as it was published, as that was the ideal time to start preparing for an audit.
RSI Security has helped countless organizations achieve, and maintain PCI compliance, dating back to long before v4.0 debuted. We’re committed to serving organizations like yours, installing robust controls to keep CHD—and your customers—secure. The right way is the only way.
For merchants and service providers, the real question is less when is PCI 4.0 required, and more when should I start preparing for compliance? To get started now, contact RSI Security today!