In March 2022, the PCI Security Standards Council (PCI SSC) released version 4.0 of the PCI Data Security Standards (PCI DSS). Upon the release of the updated guidance, the PCI SSC also published an implementation timeline for when organizations are expected to transition to the new PCI v4.0 standards and when the new requirements will become mandatory.
There has been a lot of confusion about the timeline for changes since some requirements are future-dated. As a result, organizations often believe that they have until 2025 to get them in order. However, the majority of the changes in Requirement 8, the section dealing with identity security, will go into effect immediately.
Timeline based on a graph from PCI DSS v4.0 At-a-Glance, 2022 PCI SSC
March 31, 2024 - PCI DSS version 3.2.1 retires
The PCI v3.2.1 standards will be retired on March 31, 2024.
March 31, 2024 - PCI DSS version 4.0 takes effect
From that date, PCI v4.0 takes full effect, except for a few specific requirements, which are future-dated to one year later. For example, requirements regarding MFA in secure facilities and multiple MFA challenges for network and CDE connections come into force immediately. Read more on these changes here. Organizations are encouraged to start using the PCI v4.0 standards immediately but are not required to follow the new standards until March 31, 2024.
March 31, 2025 - Future-dated requirements in PCI DSS v4.0 become mandatory
Future-dated requirements are prescribed as best practice until March 31, 2025. After March 31, 2025, all future-dated requirements will be mandatory and must be considered during a PCI DSS assessment.
There will be difficulties around password complexity and password rotations, and BPOs will be responsible for enforcing these requirements with customers and partners, which you can read about here.
Something to note is that while future-dated requirements are only guidance until March 31, 2025, many customers and partners may demand compliance with them now, and even more so after March 2024. It is in every organization's best interest to implement the new standards sooner rather than later.
It is important to note that organizations are not required to use the PCI v4.0 standard until March 31, 2024. Organizations may follow either the PCI v3.2.1 or the PCI v4.0 standards during the two-year transition period.
Until then, PCI Qualified Security Assessors can perform assessments using either the PCI v3.2.1 or PCI v4.0 standards if the QSA has already completed their PCI v4.0 transition training.
PCI compliance is complicated for many organizations, but BPO contact centers and their customers face unique challenges when implementing and maintaining compliance. For more detailed information on PCI v4.0 and MFA, subscribe to the Twosense blog or hit the bell in the top right corner of the Twosense LinkedIn page to get notified when the Twosense Blueprint to PCI DSS v4.0 Authentication arrives next week.