The PCI SSC established 31 March 2024 as the withdrawal date for PCI DSS version 3.2.1. From 1 April 2024, the only active and official version of PCI DSS will be 4.0. But what about compliance assessments done before and after those dates?

When PCI DSS v4.0 was published, the Payment Card Industry Security Standards Council (PCI SSC) defined a 24-month (2-year) transition period between the two versions, in order to allow institutions to analyze and implement the new and updated controls. The following dates were established:

  • Publication of the PCI DSS v4.0 standard: 31 March 2022
  • Withdrawal of PCI DSS v3.2.1 standard: 31 March 2024
  • Entry into force of future PCI DSS v4.0 controls: 31 March 2025

Given these dates, it is important to clarify what will happen to the compliance assessments performed prior to the withdrawal of PCI DSS v3.2.1:

What if my entity is performing a compliance assessment and a new version of the standard is published?

For PCI DSS v4.0, the PCI SSC established a 24-month grace period (from 31 March 2022 to 31 March 2024) for the implementation of the new controls. During this period, evaluations are allowed using either version: 3.2.1 or 4.0.

Example: An entity wants to be assessed against PCI DSS by 31 March 2024. In this case, the entity can choose between performing the assessment using version 3.2.1 or version 4.0 of the standard.

More information: FAQ 1266 – If an entity is in the middle of a PCI DSS assessment when a new version of the standard is released, should the assessment be started again using the new version? and FAQ 1328 – Which version of PCI DSS should an entity use?

What happens to the validity of my PCI DSS evaluation if the standard changes version?

In the event of a version change of the standard, any compliance report (Report on Compliance / Attestation of Compliance) from an assessment carried out BEFORE the date of entry into force of the new version will remain valid for the period stipulated by the payment brands (12 months for PCI DSS).

Example: If a PCI DSS compliance assessment is performed using version 3.2.1 and the date of the final reports (RoC/AoC) is 30 March 2024 (one day before the entry into force of PCI DSS v4.0 and still within the overlap period of both versions), those reports will remain valid until 30 March 2025 regardless of whether the version of the standard has changed.

More information: FAQ 1565 – Does an entity’s PCI DSS assessment result expire when the standard against which the entity was assessed is retired?

Additional note: Mastercard announced in its Q3 2023 PCI Quarterly Newsletter that it will grant an additional grace period until 30 June 2024 to accept compliance validations performed against PCI DSS v3.2.1, provided that those validations have been satisfactorily completed by 31 March 2024. This grace period is intended to facilitate Quality Assurance (QA) and other closing processes.

What if an assessment performed with PCI DSS v3.2.1 is not fully completed by 31 March 2024?

In such cases, the entity concerned shall contact the payment brands for additional instructions.

More information: FAQ 1563 – What should an entity do if its PCI DSS v3.2.1 assessment will not be completed prior to that standard’s retirement date of 31 March 2024?

What about future controls during a PCI DSS v4.0 compliance assessment?

PCI DSS 4.0 includes a number of specific controls that, due to their complexity, may require more time to implement. These controls are called ‘future controls’ (future-dated controls) and are explicitly identified as such in the standard by the following applicability note, which states that they are to be treated as ‘best practices’ until 31 March 2025:

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

During a PCI DSS v4.0 compliance assessment performed before 31 March 2025, the institution may choose whether or not to include the result of such a control in the Report on Compliance. Where compliance with a future control depends on a third party, the same criterion applies.

However, as of 31 March 2025, these controls will be fully assessed regardless of whether their implementation depends on the institution or a third party.

More information: FAQ 1564 – How does an entity report the results of a PCI DSS assessment for new requirements that are listed in PCI DSS as best practices until a future date?

Posted by David Acosta

Qualified Security Assessor (QSA) for PCI DSS, PCI PIN, PCI 3DS, P2PE and PCI TSP. CISSP, CISA, CISM, CRISC, C|EH, C|HFI.
