It’s been nearly six years since we had a major release of PCI DSS, and March 31, 2022 was the day that the final version of PCI DSS 4.0 released. For those that had access to the last discussion draft (released early this year), there are virtually no changes from that (with the exception of refining Requirement 9.4.1 and inserting But don’t go changing your assessment processes yet! PCI DSS 3.2.1 won’t sunset until March 31, 2024 (see page 36). This means, you have to START your last PCI DSS 3.2.1 assessment BEFORE March 31, 2024 (better if you complete by then), and then you have a year to prep for the base PCI DSS 4.0 until the extended requirements go into place after March 31, 2025. So you can really step your way in nicely!

Chip, by Declan Jewell

But that’s not all the news we have here, I’ve teamed up with James Adamson to write the 5th edition of PCI Compliance! We will be submitting our manuscript to the publisher in the coming months and will update timelines for you all once it is released. We’ve been working on refining the 4th edition and bringing in content from the two addendums for the last year, but now we’re really in the thick of writing. Any thoughts for what image should adorn the cover?

PCI DSS 4.0 represents a massive lift in reorganization, consolidation, and just smart changes. That’s not to say we’re going to see challenges, or the costs of assessments or programs increasing dramatically in some scenarios. The good news is you have a whole year (maybe 18 months) to really think about how you fit the new version into your existing GRC and security programs.

Of course, you could always take my advice and leverage tokenization or P2PE to solve 99% of your PCI-related problems.


While we are in this writing phase (with about 1/3 of the book revisions complete), please send us your questions! What do you want to see covered in the 5th edition that has not been well covered previously (hint, we’re definitely tackling K8s)?

This post originally appeared on

Possibly Related Posts: