
PCI v4.0 Will Disrupt Contact Center and BPO MFA in March 2024

In March 2022, the PCI Security Standards Council (PCI SSC) released version 4.0 of the PCI Data Security Standards (PCI DSS). Upon the release of the updated guidance, the PCI SSC also published an implementation timeline for when organizations are expected to transition to the new PCI v4.0 standards and when the new requirements will become mandatory.


There has been a lot of confusion about the timeline for these changes because some requirements are future-dated. As a result, organizations often believe they have until 2025 to get everything in order. However, the majority of the changes in Requirement 8, the section dealing with identity security, will go into effect immediately.

[Figure: PCI DSS v4.0 implementation timeline. Timeline based on a graph from PCI DSS v4.0 At-a-Glance, 2022 PCI SSC]

March 31, 2024 - PCI DSS version 3.2.1 retires

The PCI v3.2.1 standards will be retired on March 31, 2024.


March 31, 2024 - PCI DSS version 4.0 takes effect

From that date, PCI v4.0 takes full effect, except for a few specific requirements that are future-dated to one year later. Requirements that are not future-dated, for example those regarding MFA in secure facilities and multiple MFA challenges for network and CDE connections, come into force on that date. Read more on these changes here. Organizations are encouraged to start using the PCI v4.0 standards immediately but are not required to follow the new standards until March 31, 2024.


March 31, 2025 - Future-dated requirements in PCI DSS v4.0 become mandatory

Future-dated requirements are considered best practice until March 31, 2025. After March 31, 2025, all future-dated requirements become mandatory and must be considered during a PCI DSS assessment.

There will be difficulties around password complexity and password rotation, and BPOs will be responsible for enforcing these requirements with customers and partners, which you can read about here.

Note that while future-dated requirements are only guidance until March 31, 2025, many customers and partners may demand them now, and even more so after March 2024. It is in every organization's best interest to implement the new standards sooner rather than later.

Organizations are not required to use the PCI v4.0 standard until March 31, 2024, and may follow either the PCI v3.2.1 or the PCI v4.0 standard during the two-year transition period.

Until then, PCI Qualified Security Assessors (QSAs) can perform assessments against either the PCI v3.2.1 or the PCI v4.0 standard, provided the QSA has already completed their PCI v4.0 transition training.

PCI compliance is complicated for many organizations, but BPO contact centers and their customers face unique challenges when implementing and maintaining compliance. For more detailed information on PCI v4.0 and MFA, subscribe to the Twosense blog or hit the bell in the top right corner of the Twosense LinkedIn page to get notified when the Twosense Blueprint to PCI DSS v4.0 Authentication arrives next week.
