PCI DSS is retiring its current version on March 31: What you need to do next

Bruce Edwards is Thoropass’s Senior Manager of PCI Assurance. He has over 14 years of experience.

PCI DSS’s (Payment Card Industry Data Security Standard) current version, v 3.2.1, will be retired on March 31, 2024. Organizations seeking to maintain PCI DSS compliance will have from April 1, 2024, to renewal (or March 31, 2025, whichever comes first) to upgrade to v 4.0. The latest version features new requirements and updates to keep pace with the rapidly evolving digital payment ecosystem.

What does this mean for your organization? And what, if anything, do you need to do to remain compliant in the coming year?

First, as Thoropass says: “Relax. We fixed audits.” We’ve previously covered this announcement and have many support documents to help you through the process, regardless of whether you’re new to PCI or hoping to continue with full compliance.

Second, there are specific things that you need to know, and to do, ahead of the deadline. I’m listing them here, but also encourage you to visit PCI’s webpage on the changes to ensure that you and your organization are fully aware of the pending changes.

What to know about the v 4.0 change

The latest version of PCI DSS was announced two years ago, in 2022. And while the sunsetting of v 3.2.1 has been ongoing since then, the March 31 deadline simply marks the last day on which this previous version will be available. From April 1 onward, only v 4.0 will be available, and previous users will have up to a year, until March 31, 2025, to implement the latest version. However, if your organization is up for renewal before then (for example, July 1), you will be required to assess against the latest version at that renewal.

At its heart, v 4.0 brings with it two significant changes: 64 new requirements, and a more customizable approach to applying PCI to an organization’s unique usage needs. The net result is a more up-to-date and more robust approach to ensuring digital payment safety, especially as mobile and online payments continue their rise in prominence.

In terms of specific updates in the latest version, PCI v 4.0 addresses:

  • New requirements, including the encryption of SAD (sensitive authentication data) and the masking of PAN (primary account number) as needed
  • Clearer guidance on all requirements, including specific handling of SAD, PAN, cardholder data, etc.
  • Newly defined roles and responsibilities within an organization
  • An updated need to define and document scope
  • Requirements for documenting shared responsibilities with third-party providers

While there are dozens of changes throughout the new version, nearly all of them are designed to streamline adoption and maintenance while also providing additional protection for companies.

What to do for the v 4.0 change

What you need to do about v 4.0 depends on whether or not your organization is already on v 3.2.1. However, regardless of an organization’s current PCI DSS compliance, the following steps are a good place to start:

  1. Educate yourself and your company about the changes between v 3.2.1 and v 4.0. That’s the point of this piece, but for further information, all interested parties should consult the PCI webpage referenced above.
  2. Conduct a gap analysis between the requirements involved in both versions. Many of them will roll over even if the language behind them has changed. However, some will move and/or evolve, and there are some that are new. Getting to know these gaps sooner rather than later means an easier transition.
  3. Implement the v 4.0 changes in 2024 to ensure that all new requirements are met. For those new to PCI, this will be fairly straightforward, as all audits after March 31 will be done against the latest version.
  4. Plan ahead for a 2025 audit by ensuring 2024 compliance and enacting changes to remain compliant. Currently, fewer than half of companies seeking PCI are fully compliant; use this upgrade as a reminder that this is not a one-time fix: remaining compliant means regularly auditing full compliance.

As a QSAC, Thoropass can walk both current and new PCI DSS users through the upgrade process, from scoping to auditing and maintaining. The easiest way to ensure compliance is by talking with a compliance expert, and the best time to do this is ahead of the March 31 deadline so that you can be sure to be up to date before the changes take effect.
