If you searched for a PCI DSS v4.0 deadline, you probably want two answers: is it already in effect, and does it change anything for you. The short version is yes to the first, and it depends on where you are starting from for the second.
Here is the calm way to think about it. v4.0 is not a countdown anymore. The transition dates the PCI Security Standards Council set have already passed, so v4.0 is simply the standard now. That turns a stressful question, "how much time do I have," into a straightforward one: where do I stand against v4.0 today.
The dates that matter
There are only four dates worth committing to memory, and all four come from the PCI SSC itself.
-
March 2022PCI DSS v4.0 was published, the first major revision of the standard in several years.
-
March 31, 2024The prior version, v3.2.1, was retired. After this date, v4.0 became the only active version of the standard.
-
June 2024A limited revision, v4.0.1, was published, clarifying the v4.0 text. It is part of the v4.0 family, not a new major version.
-
March 31, 2025The new future-dated requirements became mandatory. Until this date they were treated as best practices; on this date they became part of any v4.0 assessment.
All four of those dates are in the past. There is no deadline still ahead of you to plan around. v4.0, as clarified by v4.0.1, is the version your assessment is measured against right now.
What actually changed in v4.0
Two things are worth understanding, and neither one requires you to be technical.
A more outcome-focused approach
v4.0 puts more weight on the outcome a control is meant to achieve, not only the exact way you achieve it. Alongside the traditional defined approach, where you meet a requirement the prescribed way, v4.0 recognizes a customized approach, where you meet the requirement’s objective a different way and show evidence that the objective is met. For most small and mid-size merchants the defined approach is still the practical path, but the standard is more flexible than it used to be.
New requirements that are now mandatory
v4.0 also introduced a number of new requirements. To give organizations time to adopt them, they were treated as best practices at first, then became mandatory on March 31, 2025. Because that date has passed, those requirements now apply as part of a v4.0 assessment rather than as something to plan for later. The practical takeaway is simple: what used to be optional to have in place is now expected.
The familiar structure did not change
The shape of the standard is the same one you may already know. v4.0 keeps the same twelve core requirements, grouped under six goals, from building and maintaining a secure network to maintaining an information security policy. What changed is the depth and the evidence expected under several of them, not the twelve-part outline. If you want the full walk-through, see our guide to the 12 PCI DSS v4.0 requirements.
v3.2.1, v4.0, v4.0.1: which one applies now
This is where most of the confusion lives, so here it is in one table.
| Version | Status today |
|---|---|
| v3.2.1 | Retired on March 31, 2024. No longer an active version of the standard. |
| v4.0 | Published March 2022. The active version after v3.2.1 retired. |
| v4.0.1 | A limited revision published June 2024. The current v4.0 document, part of the same version family. |
If you are validating today, you are validating against v4.0 as clarified by v4.0.1. There is no longer a v3.2.1 option to fall back on.
Not sure where v4.0 leaves you? See where you stand, free.
Before you worry about any requirement, it helps to know your SAQ type, the self-assessment that matches how you take cards. Answer a few questions and get your likely SAQ on screen, plus a read on five baseline controls, in about two minutes. No card, no account.
So where do you actually stand?
With the dates behind us, the useful question is just this: how does your business measure up against v4.0 as it reads today. That breaks into two steps.
- Know your SAQ. The right self-assessment depends on how you accept cards. Getting this wrong means answering the wrong questions, so it is worth confirming. Our guide to the SAQ types walks through each one.
- Check each requirement. Once you know your SAQ, the work is going control by control and marking where you are solid, where you are partway, and where there is a real gap, with the evidence to back each claim.
The free check names your likely SAQ and samples a handful of controls. When you want the full picture, the paid analysis takes it the rest of the way.
Map yourself against all 12 v4.0 requirements.
The PCI DSS v4.0 Readiness & Gap Analysis confirms your SAQ with rationale, marks every one of the 12 v4.0 requirements as covered, partial, or gap, and hands you a prioritized 30/60/90-day remediation roadmap with the evidence an assessor will ask for. It is intake-based, with a PDF in your inbox within hours. One fixed price, no quote and no sales call.
Common questions
Is PCI DSS v3.2.1 still valid?
No. v3.2.1 was retired on March 31, 2024. Since that date, v4.0 has been the only active version of the standard.
When did PCI DSS v4.0 requirements become mandatory?
A set of new v4.0 requirements were treated as best practices until March 31, 2025, and became mandatory on March 31, 2025. That date has passed, so they now apply.
What is PCI DSS v4.0.1?
v4.0.1 is a limited revision of v4.0, published in June 2024. It clarifies the v4.0 text and is part of the v4.0 family, not a new major version.
When was PCI DSS v4.0 published?
PCI DSS v4.0 was published in March 2022. It replaced v3.2.1, which was retired on March 31, 2024.
This guide is general information, not a QSA assessment, a completed SAQ, an Attestation of Compliance, or legal advice. Confirm your SAQ and obligations with your acquiring bank or a Qualified Security Assessor.