Due to the complexity of its implementation, the PCI DSS v4 standard established a grace period for the implementation of certain security controls. That period expired on 31 March 2025. What's next after this date?
31 March 2025 was the date set by the PCI SCC for all controls of the PCI DSS standard to enter into force. This date was announced in 2021, Therefore, it is expected that the entities concerned have had sufficient time to proceed with the correct implementation of all these controls.

Key dates in compliance with PCI DSS v4 – Source: https://blog.pcisecuritystandards.org
To support this task, in PCI Hispano we published a spreadsheet that contained the list of all future , controls that can be downloaded here.

As of 1 April 2025, the following changes will enter into force:
- All controls of the PCI DSS standard will be in force. This means that the entities must have correctly implemented all controls, including those that were classified as "future controls" (future-dated controls).
- All standard controls will be considered in the next iteration of the entity's PCI DSS compliance assessment.
- Outside the institution’s annual PCI DSS compliance assessment date, ‘future controls’ shall be in place. You do not have to wait for the compliance assessment to have everything ready, the entity must ensure that from 1 April 2025 the "future controls" will be implemented and their corresponding evidence must be available for review.
- The entry into force of future controls does not imply that it is necessary for a QSA advisor to review them out of time. Linked to the previous point, the entry into force of this subset of controls does not imply that an additional assessment is necessary to validate its status. The QSA advisor will review them as part of their tasks on the stipulated evaluation date. Of course, it will be verified that these controls are active and fully functional from 1 April 2025.
- Reviewing these controls will involve more time and more effort from QSA advisors, therefore, it is possible that both the costs and the duration of compliance assessments will increase.
On the other hand, it is very likely that the PCI SSC will publish a minor version change of the PCI DSS standard to remove references to "future controls" and other controls that became obsolete after that date, such as controls 6.4.1 (WAF), 8.3.10 (passwords in service providers) and 10.7.1 (failure management in security control systems).

We'll keep you posted. Do not forget to subscribe to our newsletter so you don't miss any updates.