PCI DSS v4.0, together with the Summary of Changes from v3.2.1 to v4.0, is scheduled for publication at the end of March 2022. The Report on Compliance (ROC) Template and Attestations of Compliance (AOC) will also be released at this time, with the Self-Assessment Questionnaires following shortly thereafter.
PCI DSS v3.2.1 will remain active for two years after v4.0 is published. This transition period, from March 2022 until 31 March 2024, provides organizations with time to become familiar with the changes in v4.0, update their reporting templates and forms, and plan for and implement changes to meet updated requirements. As of 31 March 2024, PCI DSS v3.2.1 will be retired and v4.0 will become the only active version of the standard.
In addition to the transition period when v3.2.1 and v4.0 will both be active, organizations have until 31 March 2025 to phase in new requirements that are initially identified as best practices in v4.0. Prior to this date, organizations are not required to validate to these new requirements. However, organizations that have implemented controls to meet the new requirements and are ready to have the controls assessed prior to their effective date are encouraged to do so. After 31 March 2025, these new requirements are effective and must be fully considered as part of a PCI DSS assessment.