Probably one of the most frequent questions we get at the moment is around when Version 4 of the PCI DSS will be released. It’s the question that’s on everyone’s mind because a new version of the Standard usually means changes to the requirements that people need to address.
While there’s not a lot that we can say about Version 4 at the moment, there are a few things that we can talk about because they have been made public by the PCI SSC.
When Will Version 4 Come Out?
The PCI SSC announced in May 2020 that Version 4 is expected to be completed (and hopefully released) in Quarter 2 of 2021.
Update: In February 2021, the PCI SSC announced that there would be a third RFC (request for comments) focusing on the supporting documents including the Report on Compliance (ROC) template, Self-Assessment Questionnaires (SAQs), and Attestation of Compliance (AoC) documents. They are targeting a Q4 completion date for PCI DSS v4.0. Further updates will be provided when available.
When Do I Have to Use Version 4?
You can start using Version 4 as soon as it’s released if you’d like. Reasons why you might want to start using Version 4 before it’s required may include:
- Taking advantage of new requirements that may better match your organisational processes.
- Taking early steps to ensure that by the time Version 4 is enforced for reporting that you’re not left unprepared and facing an extended period of remediation.
- Working to meet requirements early and improving your overall security posture.
There may be other reasons why you want to start using Version 4 earlier too.
But of course, if you want to wait until the last minute, the PCI SSC expects to retire Version 3.2.1 in Q2 of 2023 (pretty much two whole years after Version 4 is released).
With previous versions of PCI, we saw that there was usually a one-year transition period. But what this two-year transition period should tell you is that you should be expecting some major changes. In early PCI SSC posts, they indicated that there will be new requirements and a change to objectives-based reporting.
Can I Avoid Changing Passwords If I Use Version 4?
We will have to wait and see, but the PCI SSC did say that there are “proposed revisions to requirements on passwords to accommodate different authentication options”. So we will just have to wait and see what’s in the final version of the Standard that is released.
Do I Have to Meet Every PCI Requirement Once Version 4 is Required for Reporting?
There are likely to be additional requirements which don’t immediately come into full force at the same time that Version 4 is released. In fact, the PCI SSC has said that certain new v4 requirements will not become effective until Q1 2024. So that’s nearly four years from when this post was originally written.
So, What Do I Do Now?
For now, we are all just waiting to see what is in the final version of the Standard. Even though as a QSA Company we are able to review the drafts and provide feedback, it’s not something that we can discuss publicly. And any early drafts may change by the time the final version of the Standard is released. So for now, we can all just wait to see.
As more information is made public we will post about it here, and once Version 4 is released, you can expect posts about the new requirements and how they might be able to be addressed in New Zealand. But just because Version 4 is around the corner, that doesn’t mean you should delay looking at your PCI compliance. Confide can help you with your compliance journey. Contact us to find out more.