PCI 4.0 goes into effect on March 31, 2024. 

What is PCI 4.0?

Version 4.0 is an evolution of the previous standard, 3.2.1, which was released as v. 3.0 in 2010, and was last updated in May of 2018. The new version (4.0) does not rewrite the existing standards, but rather accounts for technological and process advancements that have been made in information security in the 13 years since the release of version 3.0. 

Why should you prepare now?

This evolution of the standard may require more in-depth reviews that will not be answered the same way as in previous years, with a simple checked box or yes/no answer. To keep up with technological advances made since the original release of PCI DSS 3.0, this version had to update language significantly to bring highly prescriptive requirements up to date. After all, it’s been 13 years, and a lot changes in technology capabilities and norms with over a decade of development!

When should organizations work to become PCI 4.0 compliant? 

There are 63 new requirements in PCI 4.0, some of which must be met by March 31, 2024. The majority of the requirements, however, are considered “best practices” until 2025. Since the bulk of new requirements are future dated, organizations still have some time to comply with the remainder. 

Why start now?

Having passed your audits in previous years is not an indicator of how much work you may have to meet compliance with the new standard. With future-dating on the table, many organizations have opted to put off gap assessments against v4.0, assuming they will be able to deal with that later. Many of the new requirements, though, are likely to require significant changes to or investments in security programs that will not be easily achieved overnight. The wise approach will be to schedule your gap assessment as soon as possible and work with a QSA to begin planning the most impactful remediation steps.