PCI DSS v4.0 · What changed · The dates

PCI DSS v4.0: what changed, and the dates that matter

v4.0 is now the only active version of the PCI DSS, and its future-dated requirements are already in effect. Here is a plain-language look at what changed, the dates the PCI SSC set, and how to tell where you stand today.

Plain language · Only the PCI SSC’s own dates · No jargon

If you searched for a PCI DSS v4.0 deadline, you probably want two answers: is it already in effect, and does it change anything for you. The short version is yes to the first, and it depends on where you are starting from for the second.

Here is the calm way to think about it. v4.0 is not a countdown anymore. The transition dates the PCI Security Standards Council set have already passed, so v4.0 is simply the standard now. That turns a stressful question, "how much time do I have," into a straightforward one: where do I stand against v4.0 today.

The dates that matter

There are only four dates worth committing to memory, and all four come from the PCI SSC itself.

All four of those dates are in the past. There is no deadline still ahead of you to plan around. v4.0, as clarified by v4.0.1, is the version your assessment is measured against right now.

What actually changed in v4.0

Two things are worth understanding, and neither one requires you to be technical.

A more outcome-focused approach

v4.0 puts more weight on the outcome a control is meant to achieve, not only the exact way you achieve it. Alongside the traditional defined approach, where you meet a requirement the prescribed way, v4.0 recognizes a customized approach, where you meet the requirement’s objective a different way and show evidence that the objective is met. For most small and mid-size merchants the defined approach is still the practical path, but the standard is more flexible than it used to be.

New requirements that are now mandatory

v4.0 also introduced a number of new requirements. To give organizations time to adopt them, they were treated as best practices at first, then became mandatory on March 31, 2025. Because that date has passed, those requirements now apply as part of a v4.0 assessment rather than as something to plan for later. The practical takeaway is simple: what used to be optional to have in place is now expected.

The familiar structure did not change

The shape of the standard is the same one you may already know. v4.0 keeps the same twelve core requirements, grouped under six goals, from building and maintaining a secure network to maintaining an information security policy. What changed is the depth and the evidence expected under several of them, not the twelve-part outline. If you want the full walk-through, see our guide to the 12 PCI DSS v4.0 requirements.

v3.2.1, v4.0, v4.0.1: which one applies now

This is where most of the confusion lives, so here it is in one table.

VersionStatus today
v3.2.1Retired on March 31, 2024. No longer an active version of the standard.
v4.0Published March 2022. The active version after v3.2.1 retired.
v4.0.1A limited revision published June 2024. The current v4.0 document, part of the same version family.

If you are validating today, you are validating against v4.0 as clarified by v4.0.1. There is no longer a v3.2.1 option to fall back on.

Not sure where v4.0 leaves you? See where you stand, free.

Before you worry about any requirement, it helps to know your SAQ type, the self-assessment that matches how you take cards. Answer a few questions and get your likely SAQ on screen, plus a read on five baseline controls, in about two minutes. No card, no account.

So where do you actually stand?

With the dates behind us, the useful question is just this: how does your business measure up against v4.0 as it reads today. That breaks into two steps.

The free check names your likely SAQ and samples a handful of controls. When you want the full picture, the paid analysis takes it the rest of the way.

Map yourself against all 12 v4.0 requirements.

The PCI DSS v4.0 Readiness & Gap Analysis confirms your SAQ with rationale, marks every one of the 12 v4.0 requirements as covered, partial, or gap, and hands you a prioritized 30/60/90-day remediation roadmap with the evidence an assessor will ask for. It is intake-based, with a PDF in your inbox within hours. One fixed price, no quote and no sales call.

Common questions

Is PCI DSS v3.2.1 still valid?

No. v3.2.1 was retired on March 31, 2024. Since that date, v4.0 has been the only active version of the standard.

When did PCI DSS v4.0 requirements become mandatory?

A set of new v4.0 requirements were treated as best practices until March 31, 2025, and became mandatory on March 31, 2025. That date has passed, so they now apply.

What is PCI DSS v4.0.1?

v4.0.1 is a limited revision of v4.0, published in June 2024. It clarifies the v4.0 text and is part of the v4.0 family, not a new major version.

When was PCI DSS v4.0 published?

PCI DSS v4.0 was published in March 2022. It replaced v3.2.1, which was retired on March 31, 2024.

This guide is general information, not a QSA assessment, a completed SAQ, an Attestation of Compliance, or legal advice. Confirm your SAQ and obligations with your acquiring bank or a Qualified Security Assessor.