PCI DSS 4.0 Is Here: When Does My Company Need To Be Ready?

April 5, 2022

  • PCI-DSS 4.0 has been released, with version 3.2.1 to be retired.
  • When should companies prepare to migrate to 4.0?
  • How should companies properly plan and prepare?



PCI DSS version 4.0, originally conceived in 2019 and having processed through two unprecedented Requests for Comment (RFCs), is finally being released in March 2022. Many companies may be unsure about when to migrate to the new version. Even though it’s available, does your company need to validate under version 4.0 now, or are you still allowed to use version 3.2.1?



The Timeline

Historically, the PCI Security Standards Council (SSC) used a three-year lifecycle between versions. This allowed industry changes and feedback from council membership to be vetted and then integrated into each major release. The SSC also conducted interim updates (for example, from version 3.2 to 3.2.1) to address critical changes in the industry. Given the recent business adoption of technologies such as cloud and serverless computing, PCI DSS 4.0 has been developed to allow the standard and its requirements to evolve with current technology trends.


With each new version introduced, the SSC kept the previous version valid for 18 months prior to retirement. With version 4.0’s introduction, the existing version 3.2.1 will be valid, but is scheduled to sunset on March 31, 2024. Until that date, either PCI DSS version 3.2.1 or 4.0 can be used for assessments. With a two-year gap between release and mandatory assessment with 4.0, when does your company need to be ready? There’s plenty of time, right?



The Answer Is: It Depends

With the release of version 4.0, the standard has expanded to include new requirements for evolving technologies, with many existing requirements being updated, reworded or consolidated. Overall, the standard is adopting a new focus on strengthening security and maintaining compliance as an ongoing process. While many enterprises have adequate security controls in place to meet PCI DSS version 3.2.1, v4.0 may alter control requirements. Additional capital or operational expenditures may be required; CTOs and CISOs will need to forecast their budgets, address any additional overhead to cover these expenditures and begin planning for adoption in 2022.


Some enterprises may have sufficient risk and cybersecurity program maturity to be early 4.0 adopters. These organizations will have a robust security approach and incorporate PCI DSS controls into their technology initiatives, management and operations teams and risk and incident response (IR) programs. This maturity would allow these businesses to quickly adjust their environments to meet version 4.0.


Other enterprises manage PCI DSS controls sufficiently, but may lack the budget or personnel to quickly modify the environment to version 4.0. Budgeting, overhead, new technologies and process changes take sufficient planning and time. The need to fully understand these business challenges is the reason for the 18-month extension of the previous version. Businesses can carefully plan and incorporate the new PCI DSS requirements with minimal impact to production operations.



How Can My Company Start Planning?

The first step is to obtain a copy of the PCI DSS 4.0 standard, along with the PCI DSS v4.0 Summary of Changes. The summary maps the differences between version 3.2.1 and 4.0, and covers changes to the structure or format, clarifications, guidance, evolving requirements and new requirements. New requirements are labeled for easy identification and are described in detail within the PCI DSS 4.0 standard document. This allows executive management, information security and product teams to begin analyzing how the new requirements will impact their environment. If a qualified security assessor (QSA) is used for annual PCI assessments, reach out to them for explanation of the changes in PCI DSS version 4.0 and the impacts to current credit card handling operations.


Planning challenges include not only the budgetary requirements for new technologies and their implementation, but also focus on updated control standards, policies and procedures. The focus should also include adequate staffing, skillsets and training to address these additional challenges. These should be included in any budgetary forecasts. Internal security teams should examine and test existing security solutions, measuring them against the version 4.0 requirements and identifying any potential gaps. These teams should also consider the new version 4.0 requirements for any new planned technology initiatives, such as platform migration to the cloud or expanding use of encryption for handling cardholder data.


Early planning should illustrate the cybersecurity strengths and maturity and will provide a roadmap for version 4.0 adoption. From there, we can gauge on early adoption or eventual migration prior to March 2024.

Brett Perry
Senior Consultant II | Optiv
Brett Perry brings nearly 25 years of experience in consulting and systems engineering. He has provided critical IT security guidance to clients ranging from small businesses to Fortune 500 corporations across a multitude of industries. His extensive experience as a subject matter expert in the Payment Card Industry - Data Security Standard (PCI-DSS) has allowed him to work across a wide range of business types, including retail operations, service providers, ecommerce and card brands, helping them to secure and protect their cardholder data.

Prior to joining Optiv, Brett was a senior security consultant for a PCI qualified assessment company (QSAC), where he spent 15 years conducting both onsite assessments as a QSA and performing quality assurance reviews on peer Reports on Compliance. Brett also brings IT security experience as a former senior systems engineer and Microsoft solutions network implementer.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

Related Insights



PCI DSS Compliance Services


We provide a comprehensive suite of Payment Card Industry Data Security Standard services that help you plan, build and run your compliance program.



What is PCI and PCI DSS -The Payment Card Industry Data Security Standard?


PCI compliance, usually refers to the PCI Data Security Standard (DSS) which is an information security standard for organizations that handle branded credit cards from the major card companies.



PCI Executive Workshop


Our PCI Executive Workshop addresses payment card industry standards, applicable PCI obligations, business processes and data handling.