PCI DSS v3.2.1 retires on 31 March 2024. From that date, QSA assessments, self-assessment questionnaires, and all PCI DSS compliance processes will be conducted against v4.0 only. Organisations that have not yet completed their transition have six months — and based on conversations in the industry, a significant proportion of affected organisations have not started in earnest.
If you are in that category, this post gives you a realistic assessment of what the transition requires and a practical checklist for the next six months.
What “Transition” Actually Means
Transitioning to PCI DSS v4.0 is not simply updating your compliance documentation to reference the new version number. v4.0 introduces new requirements that were not present in v3.2.1, changes the framing of existing requirements, and introduces the customised implementation pathway. Your compliance programme needs to reflect these changes in practice, not just on paper.
The specific areas where v4.0 introduces new requirements that require operational changes — not just documentation updates — include:
Multi-factor authentication for all access into the CDE (not just remote or administrative access) is now required under Requirement 8.4.2. If you have personnel accessing CDE systems from within the network perimeter without MFA, that is a gap to close.
E-commerce payment page protections under Requirements 6.4.3 and 11.6.1 require that all scripts loaded in payment page browsers are inventoried, authorised, and integrity-checked, and that a mechanism detects unauthorised changes to payment pages. These are net-new controls with no direct v3.2.1 equivalent.
Targeted risk analyses for requirements where you set your own frequency are now a formal documentation requirement, not just a conceptual allowance.
Your Six-Month Transition Checklist
By end of October 2023: Complete your gap analysis. Map your current v3.2.1 controls against v4.0 requirements — either using the PCI SSC’s published summary of changes or with external support. Identify every requirement where your current implementation does not meet v4.0. Prioritise gaps by effort to close and proximity to your next assessment.
By end of November 2023: Complete remediation of high-effort gaps. MFA deployment expansions, e-commerce script inventory and management processes, and authentication management changes for service accounts are the most common high-effort items. These need enough lead time to implement, test, and document before your assessment window.
By end of January 2024: Update all policy and procedure documentation to reference v4.0 requirements. This includes your information security policy, your CDE network documentation, your vulnerability management procedures, your user access management procedures, and your incident response plan — wherever v4.0 changes the requirements, your documentation should reflect them.
By end of February 2024: Engage your QSA. If your annual assessment is due in the first half of 2024, your QSA needs to know that you are transitioning to v4.0 and needs to scope the assessment accordingly. QSA availability in Q1 2024 will be constrained — organisations that have not booked their assessor will face delays.
By end of March 2024: Ensure all evidence is collected, documentation is current, and your compliance programme reflects v4.0 operations. From 1 April 2024, there is no v3.2.1 to fall back on.
The Future-Dated Requirements: Plan Now, Implement by March 2025
Twelve of v4.0’s requirements are “future-dated” — they appear in v4.0 but are not required to be in place until 31 March 2025. These include the updated password length requirements (12 characters minimum), additional phishing-resistant authentication requirements, and expanded logging requirements.
The transition to v4.0 by March 2024 is urgent. But the future-dated requirements should be in your planning horizon now — not left until Q1 2025. The organisations that plan for them as part of their v4.0 transition programme will have a significantly easier experience than those approaching them as a separate exercise 18 months from now.
At Bitsecura, we are currently running v3.2.1 to v4.0 transition programmes for clients across retail, financial services, and hospitality — the industries where PCI DSS compliance obligations are most concentrated. If you need to move quickly, we can conduct a gap assessment and build a transition plan within weeks. Reach out here.
Bitsecura provides PCI DSS compliance support, gap assessment, and QSA readiness services. Learn more about our PCI DSS services.