Version 4.0 of the PCI DSS is currently in draft status, and has not yet been finalized. Because of this, nobody knows for sure exactly when the new standard will take effect, as it’s still subject to change.
What we do know is that when the final version of the new standard is released, it won’t take effect immediately. There will be a series of events between release of v4.0, and it becoming mandatory.
What’s the implementation timeline?
First, the new version will be released to the public for review. At this point, only v3.2.1 will actually be available for use during current assessments. Along with this, dates will be made public on which v4.0 may be used for assessments, and when v4.0 becomes mandatory.
Next, we will enter a transition period. PCI DSS v4.0 will be available for new assessments, alongside the existing v3.2.1 standard. At this time, v3.2.1 will remain available for use, but with a looming cutoff date. Companies will be able to choose which version of the standard to use for their current assessment, but everyone should be updating their policies and procedures to align with the v4.0 requirements.
Finally, we will pass the cutoff date for v3.2.1. As of this date, v3.2.1 will no longer be valid. Everyone must be operating to the v4.0 requirements, and all assessments must be based on the v4.0 templates.
When will v4.0 be mandatory?
That’s the $64,000 question. In practice, we are probably looking at late 2021 or early 2022 for v4.0 being mandatory. It’s likely that v4.0 won’t be released to the public until early 2021. From this point we can expect at least a 6 month transition period, to allow people to adapt to the new standard.
This post will be updated when concrete dates are announced.