To follow up on an earlier communication, PCI SSC is now targeting a Q1 2022 publication date for PCI DSS v4.0. This timeline supports the inclusion of an additional request for comments (RFC) for the community to provide feedback on the PCI DSS v4.0 draft validation documents.
Due to the significance of this revision, a preview of the draft standard will be provided to Participating Organizations, Qualified Security Assessors (QSAs), and Approved Scanning Vendors (ASVs) prior to being finalized for publication. The intent of the preview period is to allow stakeholders additional time to familiarize themselves with version 4.0 of the standard before it is officially launched.
The preview for Participating Organizations, QSAs, and ASVs is scheduled for January 2022 and will include PCI DSS v4.0 draft and a Summary of Changes document. The final versions of the standard, together with validation documents and the first phase of translations of the standard, are scheduled for formal release in March 2022.
The RFC Feedback Summaries from the two most recent RFCs—the PCI DSS v4.0 Draft v0.2 (2020) and the PCI DSS v4.0 Validation Documents (2021)—will also be available to RFC participants in March 2022.
Training for QSAs and ISAs to be able to support PCI DSS v4.0 is targeted for June 2022.
The updated timeline still includes a transition period for organizations to update from PCI DSS v3.2.1 to PCI DSS v4.0. To support this transition, PCI DSS v3.2.1 will remain active for 18 months once all PCI DSS v4.0 materials—that is, the standard, supporting documents (including SAQs, ROCs, and AOCs), training, and program updates—are released.
This transition period allows organizations time to become familiar with the changes in v4.0, update their reporting templates and forms, and plan for and implement changes to meet updated requirements. Upon completion of the transition period, PCI DSS v3.2.1 will be retired and v4.0 will become the only active version of the standard.
In addition to the transition period when v3.2.1 and v4.0 will both be active, there will be an extra period of time defined for phasing in new requirements that are identified as “future-dated” in v4.0.
In PCI DSS, new requirements are sometimes designated with a future date to give organizations additional time to complete their implementations. Requirements that are future-dated are considered best practices until the future date is reached. During this time, organizations are not required to validate to future-dated requirements. While validation is not required, organizations that have implemented controls to meet the new requirements and are ready to have the controls assessed prior to the stated future date are encouraged to do so. Once the designated future date is reached, all future-dated requirements become effective and applicable.
We anticipate that PCI DSS v4.0 will contain a number of new requirements that may be future dated; however, we won’t know the exact number until the standard is finalized.
While the effective future date for these new requirements will not be confirmed until PCI DSS v4.0 is ready for publication, it will provide enough time for organizations to plan and implement new security controls and processes as needed to meet all the new requirements. The future date will be dependent on the overall impact that the new requirements will have on implementing controls in the standard. Based on the current draft, the future date is expected to extend beyond the planned transition period, with a possible future date being between 2½ – 3 years after PCI DSS v4.0 is published.