PCI DSS v4.0 | Executive Summary

The PCI DSS is a global standard of technical and operational requirements designed to protect payment data. The PCI Security Standards Council released PCI DSS version 4.0 on March 31, 2022 to replace version 3.2.1 that was issued in May of 2018.
PCI SSC has established a 2-year transition period for entities to adopt version 4.0. This means that version 3.2.1 is officially retired on March 31, 2024. It also means that until March 31, 2024, entities can select either version 3.2.1 or version 4.0 as the standard to demonstrate their PCI compliance status.
There are several new requirements in version 4.0 that become effective March 31, 2025, and in the interim, these are considered optional best practices. Version 4.0’s new enhancements to the structure and content of PCI DSS compliance reporting, in our opinion, make PCI a comprehensive and sustainable security framework for protecting cardholder data.
Version 4.0 also includes significant enhancements to the validation approach and report structure that will provide additional clarity and assurance to both entities subject to PCI requirements and the many third-party stakeholders who rely on the PCI DSS reporting of their business partners.
Aprio believes it is in the best interests of your company to migrate to 4.0 as soon as feasible regardless of whether you are new to PCI DSS or a long-time filer.
The PCI SSC has indicated that version 4.0 was designed to achieve four overarching goals:
1. To continue to meet the security needs of the payments industry
2. To promote security as a continuous process
3. To increase flexibility of the methods used to achieve security objectives
4. To enhance validation methods and procedures
Watch all the videos in our series to learn more about the purpose and intent of each goal and the changes represented in 4.0 to achieve these goals.