Take a look at when PCI v3.2.1 retires, and PCI v4.0 goes into effect.

Understanding the PCI DSS v4.0 Timeline

Read the updated PCI 4 Timeline: 2025 Future-Dated Requirements blog here:

In March 2022, the PCI Security Standards Council (PCI SSC) released version 4.0 of the PCI Data Security Standards (PCI DSS). Upon the release of the updated guidance, the PCI SSC also published an implementation timeline for when organizations are expected to transition to the new PCI v4.0 standards and when the new requirements will become mandatory.

There has been a lot of confusion about the timeline for changes since some requirements are future-dated. Most changes specific to Requirement 8 will go into effect on March 31, 2025. However, due to the complexity of the new MFA requirements, organizations should not wait until the last minute to ensure their identity security systems and policies are up to PCI DSS v4.0 standards.

Timeline based on a graph from PCI DSS v4.0 At-a-Glance, 2022 PCI SSC

March 31, 2024 - PCI DSS version 3.2.1 retires

The PCI v3.2.1 standards will be retired on March 31, 2024.  


March 31, 2024 - PCI DSS version 4.0 takes effect

After that, PCI v4.0 takes full effect, except for a few specific requirements, which are future-dated to one year later. Organizations are encouraged to start using the PCI v4.0 standards immediately but are not required to follow the new standards until March 31, 2024.  

March 31, 2025 - Future-dated requirements in PCI DSS v4.0 become mandatory

Future-dated requirements are prescribed as best practice until March 31, 2025. After March 31, 2025, all future-dated requirements will be mandatory and must be considered during a PCI DSS assessment. 

There will be difficulties around password complexity and password rotations, and BPOs will be responsible for enforcing these requirements with customers and partners, which you can read about here.

Note that while future-dated requirements are guidance until March 31, 2025, many customers and partners may demand them now, and even more so after March 2024. It is in every organization's best interest to implement the new standards sooner rather than later.


It is important to note that organizations are not required to use the PCI v4.0 standard until March 31, 2024. Organizations may follow either the PCI v3.2.1 or the PCI v4.0 standards during the two-year transition period.

Until then, PCI Qualified Security Assessors can perform assessments using either the PCI v3.2.1 or PCI v4.0 standards if the QSA has already completed their PCI v4.0 transition training.

PCI compliance is complicated for many organizations, but BPO contact centers and their customers face unique challenges when implementing and maintaining compliance. For more detailed information on PCI v4.0 and MFA, subscribe to the Twosense blog or hit the bell in the top right corner of the Twosense LinkedIn page to get notified when the Twosense Blueprint to PCI DSS v4.0 Authentication arrives next week.

** This blog has been updated to provide clarity regarding PCI DSS v4.0 implementation timeline
