PCI DSS v4 now mandatory

The previous version of the standard, PCI DSS v3.2.1, is now fully retired. As previously announced, PCI DSS v3.2.1 was retired on 31 March 2024.

Despite rumors, there has been no extension of the old v3.2.1 standard. Anyone undergoing a PCI DSS audit today will need to comply and be assessed against the v4 standard instead.

Most of the requirements for v4 are already in effect. But there are a few which are considered best practices until 31 March 2025, and which are known as the “future-dated requirements”.

These future-dated requirements include:

  • Keyed hashing of PANs to prevent straightforward testing of guessed PANs
  • Encrypt SAD stored electronically prior to completion of authorization
  • Technical controls to prevent copying of PANs while using remote access technologies
  • Disk/partition level encryption only acceptable as sole form of encryption on removable media

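The first bullet is the one with a concrete engineering decision behind it. A plain, unkeyed hash of a PAN is not a secure rendering: the PAN space is small and structured (known issuer prefixes, a Luhn check digit), so anyone who can guess candidate PANs can hash each guess and compare it with the stored digest. A keyed hash (HMAC) removes that shortcut, because without the key the guess cannot be turned into a comparable digest. The following example is added here to illustrate that difference; it is not code from the PCI SSC or from any payment processor, and the test PAN, the candidate list and the key value are all constructed placeholders (in a real system the key comes from a key management system or HSM, never from source code).

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed test PAN (a well-known Luhn-valid test number, not a real card).
TEST_PAN = "4111111111111111"

# PLACEHOLDER key for the demonstration only. In production the HMAC key is
# generated and held by a KMS/HSM and is never hard-coded.
DEMO_KEY = bytes.fromhex("0f" * 32)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (PAN sanity check)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plain_hash(pan: str) -> str:
    """Unkeyed SHA-256 of the PAN: NOT an acceptable PCI DSS v4 rendering."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN under a secret key: the 'keyed hashing' v4 asks for."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def find_matching_candidate(
    stored_digest: str,
    candidates: Iterable[str],
    hash_fn: Callable[[str], str],
) -> Optional[str]:
    """Simulate 'testing of guessed PANs': does any candidate reproduce the stored digest?

    The comparison is constant-time so this helper is also safe to reuse on the
    defending side (e.g. to check a PAN presented for a refund against a stored hash).
    """
    for cand in candidates:
        if hmac.compare_digest(hash_fn(cand), stored_digest):
            return cand
    return None


# Constructed candidate list: a handful of Luhn-valid test numbers a guesser might try.
CANDIDATES = [
    "4111111111111111",
    "4012888888881881",
    "5555555555554444",
    "378282246310005",
]


def demo() -> dict:
    """Return which rendering can be reversed by testing guesses."""
    assert all(luhn_valid(c) for c in CANDIDATES)

    plain_stored = plain_hash(TEST_PAN)
    keyed_stored = keyed_hash(TEST_PAN, DEMO_KEY)

    # Without the key, a guesser can only compute plain hashes (or HMACs under
    # keys of their own choosing); neither reproduces the keyed digest.
    wrong_key = bytes(32)
    return {
        "plain_hash_recovered": find_matching_candidate(plain_stored, CANDIDATES, plain_hash),
        "keyed_hash_recovered_without_key": find_matching_candidate(
            keyed_stored, CANDIDATES, plain_hash
        ),
        "keyed_hash_recovered_wrong_key": find_matching_candidate(
            keyed_stored, CANDIDATES, lambda p: keyed_hash(p, wrong_key)
        ),
        # The legitimate system, which holds the key, can still verify a PAN.
        "keyed_hash_verified_with_key": find_matching_candidate(
            keyed_stored, CANDIDATES, lambda p: keyed_hash(p, DEMO_KEY)
        ),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the assessor will look for is not the hash algorithm but the key: the HMAC key must be managed under the same key-management requirements as an encryption key (generation, storage, access control, rotation), and the hashed PAN must not be stored alongside a truncated PAN that would let the two be correlated to reconstruct the full number.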
You now have less than a year to make sure you have those specific controls – and others! – in place. Good luck!