The PCI SSC has announced that PCI DSS version 4.0 is scheduled for publication at the end of March 2022. A number of our QSA clients have been longing for a peek at the draft version; however, I've signed my life away under a non-disclosure agreement with the PCI SSC, so I'm still obligated to keep that under wraps.
From the announcement, the initial release at the end of March will be the standard itself together with the Report on Compliance ("RoC") template and the Attestation of Compliance ("AoC") template. The Self-Assessment Questionnaires ("SAQs") will follow shortly after, probably in June 2022 as part of the "Publication of additional supporting documents" phase.
Training for QSAs will commence in June 2022, so it is important to note that nobody will be able to validate compliance under PCI DSS version 4.0 until assessors are qualified in the new version of the standard.
The transition period will be two years, meaning that PCI DSS v3.2.1 will be retired on 31st March 2024. This provides a long window for merchants and service providers to transition to the new version of the standard. I expect that merchants will continue with version 3.2.1 for as long as possible, whereas some service providers are likely to move to version 4.0 quickly so they have the latest and greatest compliance to present to their clients.
It should also be noted that the announcement states that there is a further year to phase in some of the new requirements, which are initially identified as best practice under version 4.0. These future-dated requirements will not become mandatory until 31st March 2025; until then an assessor can note them as not yet applicable, but after that date they are assessed like any other requirement.