Skip content

PCI DSS 4.0 migration for merchants and service providers

Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) was released at the end of March 2022. At the time of writing, we now have less than one year until the previous version, 3.2.1, is retired and can no longer be used for new assessments.

In this blog, we explore some of the options merchants and service providers have for migrating to version 4.0 between now and the end of March 2024.

What to do if you are not currently PCI DSS compliant

If you are not compliant with PCI DSS already, then it is best to go to version 4.0. Most Qualified Security Assessors (QSAs) have now completed training that allows for version 4.0 assessments to be completed and to provide consultancy services such as a gap analysis.

The benefits of proceeding directly to version 4.0 include:    

  • Enhanced security: Version 4.0 includes some additional requirements and improvements intended to provide better protection against emerging threats. This includes the use of new technologies and increased requirements for password complexity and risk assessments.
  • Futureproofing: Any investment of time and effort into achieving compliance with version 3.2.1 will have a limited shelf-life since it will be retired at the end of March 2024. If starting from scratch, putting your effort into the latest version will save you time later since you will not need to update your policies and procedures again in just a few months.

What to do if you’re already PCI DSS compliant but looking to be assessed against 4.0     

If an organisation is already compliant with version 3.2.1 and working to a yearly re-assessment cycle, there are options:

Option 1 – delay your transition: You could do a version 3.2.1 assessment as close as possible to the retirement day, for example, in January 2024, meaning you do not need a version 4.0 assessment until January 2025. It sounds like a reasonable plan at a high level, as it seems to delay the move, but it is not that simple and has high risks associated with it. 

Even if you assess against v3.2.1 in January 2024, the moment the 3.2.1 version of the standard is retired on 31st March 2024, version 4.0 is the only available standard, and so you need to have any new requirements in place. When your QSA assesses you in January 2025, they will be looking to see that version 4.0 requirements were in place from April 2024. 

This is a really important point to reiterate; version 4.0 requirements are applicable from 1st April 2024, regardless of when your subsequent assessment falls in the calendar.

Option 2 – move immediately to version 4.0:  If you can do this with minimal effort, there is every reason to follow this path. Conversely, if your v3.2.1 assessment is approaching and you have not started working on the transition, you might find it more appropriate to complete your next assessment and implement any new requirements soon after.

Option 3 – Move your assessment date: PCI DSS assessments are valid for one year, after which they expire, and you must be re-assessed. If your current annual assessment falls at an inconvenient time of year, for example, at year-end or during the peak holiday season, this could be an ideal opportunity to move it somewhere less intrusive. So, one option is to wait less than 12 months between assessments and plan for a version 4.0 assessment at a time of year that works for you.

Remember the future-dated requirements in PCI DSS 4.0 

One final factor to consider, whatever timeline you decide works best, is the future-dated requirements introduced in version 4.0. These are considered best practices until the end of March 2025, after which they immediately apply, regardless of when your next assessment is due.

You should evaluate which of the future-dated requirements apply to you and plan when to implement them. They do not all need to be completed simultaneously, and you do not have to wait until April 2025 to assess them. In fact, you can even choose to have some of them assessed in 2023, some more in 2024, and the remaining requirements assessed in 2025; they cannot cause a non-compliant outcome if not quite right.

A complete list of future dated requirements can be found in the Summary of Changes between v3.2.1 and v.4.0, available on the PCI SSC website.

What does PCI DSS 4.0 mean for service providers?

The changes in version 4.0 will likely have a greater impact on service providers compared to merchants. In addition to analysing specific changes in the standard that apply to them, service providers must consider the impact on downstream compliance. 

Since their customers will require evidence of a service provider’s own compliance in the form of an attestation of compliance (AOC), service providers need to be mindful of the fact that their clients will also be migrating to version 4.0, most likely at different times. 

They need to consider the practicalities of operating across two versions of the standard, such as updates to responsibility matrices since there are significant changes in how requirements are numbered between the two versions. Contracts between service providers and their clients may also contain specific wording around needing to comply with the latest versions of standards, which may force a move to version 4.0 sooner rather than later.

A key timeline for PCI DSS 4.0

A key takeaway from this timeline should be that organisations need to evaluate their options and see what works best for them. The temptation to delay as long as possible should be resisted, particularly if the new requirements that apply involve procuring or deploying technology.

Organisations should also look at this as a time to evaluate their scope and the way they interact with cardholder data. It is never a bad idea to periodically evaluate whether your scope can be simplified and identify ways of lowering risk, so if the introduction in version 4.0 has the potential to increase operational and technology costs, they may opt to look at ways to reduce scope through changes to processes or utilising third-party service providers.

Regardless of what you decide to do, key takeaways should be:

  1. PCI DSS version 3.2.1 will be retired at the end of March 2024.
  2. Version 4.0 applies immediately after, regardless of when the next assessment is due.
  3. Future-dated requirements, currently considered to be best practice, become effective from the end of March 2025.
  4. Organisations should evaluate their options immediately and create a plan that incorporates all the changes required by March 2025.

Selecting the best PCI DSS Assessor

LRQA has been a registered QSA company for over 10 years. Our Qualified Security Assessors have extensive experience working with clients across many sectors, from retail to construction, and from finance to transportation. We have already completed a number of assessments using version 4.0 and are using it with any organisations beginning their compliance journey.

We have a reputation with our clients for taking a pragmatic and realistic approach to PCI DSS, and our history of delivering PCI DSS assessments for some of the UK’s largest retailers and service providers means we have faced many of the challenges your organisation must overcome before. 

Learn more about our PCI DSS services here or contact us to discuss your PCI DSS requirements.