With PCI DSS v4.0 fast approaching, Lauren Holloway, Director, Data Security Standards, shares updates and reminders of what to expect in the coming months.
PCI DSS v4.0, together with the Summary of Changes from v3.2.1 to v4.0, is scheduled for publication at the end of March 2022. The Report on Compliance (ROC) Template and Attestations of Compliance (AOC) will also be released at this time, with the Self-Assessment Questionnaires following shortly thereafter.
Note that the PCI DSS v4.0 Draft for Stakeholder Preview, currently being provided under NDA to Participating Organizations, Qualified Security Assessors, and Approved Scanning Vendors, will remain available for viewing via the PCI SSC portal until the official version of PCI DSS v4.0 is published on the PCI SSC website.
The RFC Feedback Summaries from the two most recent RFCs—the PCI DSS v4.0 Draft (2020) and the PCI DSS v4.0 Draft Validation Documents (2021)—will also be available to RFC participants through the PCI SSC portal at the end of March 2022.
To support the adoption of PCI DSS around the globe, the standard and Summary of Changes will be translated into several languages. These translations will be published over the next few months, between March and June 2022.
Training for QSAs and ISAs to support PCI DSS v4.0 assessments is scheduled for June 2022. Publication of additional supporting documents is also planned for completion by the end of June.
PCI DSS v3.2.1 will remain active for two years after v4.0 is published. This transition period, from March 2022 until 31 March 2024, provides organizations with time to become familiar with the changes in v4.0, update their reporting templates and forms, and plan for and implement changes to meet updated requirements. As of 31 March 2024, PCI DSS v3.2.1 will be retired and v4.0 will become the only active version of the standard.
In addition to the transition period when v3.2.1 and v4.0 will both be active, organizations have until 31 March 2025 to phase in new requirements that are initially identified as best practices in v4.0. Prior to this date, organizations are not required to validate to these new requirements. However, organizations that have implemented controls to meet the new requirements and are ready to have the controls assessed prior to their effective date are encouraged to do so. After 31 March 2025, these new requirements are effective and must be fully considered as part of a PCI DSS assessment.
The Council will provide additional information throughout the year to help the community understand the changes made to the standard. Subscribe to the PCI Perspectives blog for additional resources including podcasts, videos, and blog posts designed to help organizations navigate the transition to PCI DSS v4.0.